Cisco’s Embedded Event Manager (EEM) is probably the most under-utilized feature of Cisco IOS. It has been available for some time and is built into almost all modern IOS-based products. Notice that I said IOS-based: this excludes ASA, PIX, and some of the more esoteric Cisco products. But it is available on switches and routers (including the XR line). Here’s how it works:
During the normal operation of the switch or router, events happen all the time. These events can be someone issuing a CLI command, a syslog message, an SNMP trap, etc. As these things happen, they can be detected by the EEM Event Detectors, which run all the time in the background. The Event Detectors send their information to the EEM server. Here’s a picture from the Cisco website.


The EEM server can then be programmed to fire off an EEM policy. The policy is the part you program. Currently there are two different types of policies: applets and Tool Command Language (Tcl) scripts. These applets and Tcl scripts can be programmed to do all sorts of fun things. They can send syslog messages, SNMP traps, fire off e-mails, even open raw sockets. That’s right, you read it right, you can open raw sockets! If you’re not familiar with Tcl, get familiar. It’s a lot like Perl and Python, just with a new syntax, but it has the same power. Let that soak in: you have a script interpreter built into your router!
Think about the power you have now. You can program your router to detect the user typing a specific CLI command, stop them, and fire off an e-mail in response. You can capture the MAC address table every five minutes, detect any changes, and syslog it off. To get a better feeling about what people are doing out there, check out the Cisco Beyond page.
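The first scenario above (detect a CLI command, stop it, send an e-mail) can be written as an applet. This is an added example, not configuration from the original post; the applet name, the matched commands, the mail server address and the e-mail addresses are assumptions chosen for illustration.

```cisco
! Added example: applet name, pattern, mail server and addresses are assumptions.
event manager applet GUARD-ERASE-STARTUP
 ! The pattern is compared with the fully expanded command after parsing,
 ! so abbreviations such as "wr er" are matched as "write erase".
 ! sync no  = run the policy asynchronously to the command
 ! skip yes = do not execute the matched command
 event cli pattern "^(erase startup-config|write erase)" sync no skip yes
 ! $_cli_msg is the built-in variable holding the command line that matched.
 action 1.0 syslog priority warnings msg "EEM blocked CLI command: $_cli_msg"
 action 2.0 mail server "192.0.2.25" to "noc@example.com" from "router1@example.com" subject "EEM: blocked command on router1" body "Blocked CLI command: $_cli_msg"
```

After entering it in global configuration mode, `show event manager policy registered` confirms that the applet is registered.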
I plan on writing a lot about this in the future, so expect Tcl scripts, applets, and discussions about how to do all sorts of things. Let me know if there’s something you’d like to see.