Embedded Event Manager (EEM) – Basic Overview- Part I

Today we are going to discuss about different event detectors and actions. Before that let me just give a brief overview of what EEM actually is.

EEM is a Cisco tool which embeds automation and programming capability inside the device itself. It is triggered by an event detector and once triggered performs a set of specified actions.

There are a variety of detectors and actions we can use in EEM.

There are two types of EEM policies: an applet or a script. An applet is a simple form of policy that is defined within the CLI configuration. A script is a form of policy that is written in Tool Command Language (Tcl). Tcl scripts are written in an ASCII editor then uploaded to device

In this blog, we are going discuss about Applets. Below are some of the features of applet:

  • Supports Event, action and set
  • In version 4.0, only _exit_status is supported by set
  • Multiple events are supported using correlate keyword.
  • Policy without event won’t be triggered but can be triggered without action, just it won’t do anything
  • Actions are listed with labels and run in ascending alphanumeric order.
  • Sorting will sort label 10.0 after 1.0 before 2.0.
  • Subconfig mode of applet will be applicable only once you exit out. In show run, it will show the config in ascending order only, doesn’t matter in which order you configured. 10.x will come before 2.x.
  • To manually run the EEM , run command “event manager run <applet-name>

Lets first look at the basic EEM configuration:

event manager applet Clock >>>>>>> Defining an EEM policy
event none >>>>>>>>>>>>>>>Defining an event which will trigger this EEM policy
action 1.0 cli command “en” >>>>What action to be taken when the EEM is triggered.
action 2.0 cli command “sh users | append flash:Clock”
action 3.0 cli command “sh clock | append flash:Clock”

So we have three components in an EEM:

– Event Policy
– Event detector
– Event Action

EEM always use separate VTY lines to run the actions and capture the outputs. In case AAA is configured on device, we need to provide a username having authorisation to run all the commands on VTY line. There are two ways to do so:

Configure EEM session to use the specific username : event manager session cli username <USERNAME>
Configure EEM applet to bypass the authorization :  event manager applet BGP authorization bypass

Below are the event detectors which we can use to trigger an EEM and perform set of actions. We will discuss all of them with examples.

Screen Shot 2018-03-30 at 1.12.47 PM

Now lets take a look at the options we have for actions which can be performed once an event is detected using above detectors:

Screen Shot 2018-03-30 at 1.24.51 PM

Each of the event detector has built-in environmental variables which can be used to pass to events or actions by that detector. This can be viewed using below command:

show event manager detector DETECTOR detailed

Below is the snip for “interface” detector. It basically is an in-built Help for the specific detector showing the command syntax with all options and the variables used by that detector.
Screen Shot 2018-03-30 at 3.55.36 PM
Screen Shot 2018-03-30 at 3.56.46 PM

Let me show you an example on how to use an environmental variable for interface detector. Below EEM is to monitor the input errors on interface Gi0/3/0 every 30seconds and will be triggered if the value is 0. Once its triggered, the action we have set up is to print the value of interface parameter we are monitoring which is inout error here:

event manager applet test
event interface name GigabitEthernet0/3/0 parameter input_errors entry-op eq entry-val 0 entry-type value poll-interval 30 maxrun 60
action 10 puts “$_interface_value”

#sh log | i test
*Mar 29 02:13:44.829: %HA_EM-6-LOG: test: 0
*Mar 29 02:14:14.829: %HA_EM-6-LOG: test: 0

#sh int gi0/3/0 | i input errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

Before going into demonstration of event detectors and actions, let me talk about some basic keywords.

Multiple events

Multiple event detectors are supported using correlate keyword. It allows boolean logic to relate events and tracked objects

– Below is an EEM to capture the logs from router EIGRP or Interface goes down

event manager applet EIGRP-FLAP authorization bypass
event tag EIGRP syslog pattern “%DUAL-5-NBRCHANGE.*.down.*”  maxrun 60
event tag TUNNEL syslog pattern “%LINEPROTO-5-UPDOWN.*.down”
correlate event EIGRP or event TUNNE

– There are three options to correlate the events : and, andnot and or.

Screen Shot 2018-03-30 at 5.05.44 PM

– We can also correlate tracking objects:

correlate track 1 and track 2 or track 3


The maximum time for which the EEM will run before the process is interrupted or killed. This is to just prevent to keep running the EEM for long.

By defaults, its 20 seconds but can be tweaked using maxrun keyword.

event <> maxrun <>


This will limit the event to be triggered once per given time period.

event <> rate limit <>


It specifies the how many time the event should have occurred before raising event.

event <> occurs <>


This is the number of event occurrence within a period of particular time

Occurs 3 period 60 –> if event occurs thrice in a period of 60 sec


In the next blog, we will discuss about all the event detectors.

EEM Series:

  1. Embedded Event Manager (EEM) – Basic Overview- Part I
  2. Embedded Event Manager (EEM) – Event Detectors- Part II
  3. Embedded Event Manager (EEM) – Event Detectors- Part III
  4. Embedded Event Manager (EEM) – Event Actions- Part IV



Categories: Automation, EEM, General

1 reply »

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s