
event syslog pattern [pattern]

Defines an Embedded Event Manager (EEM) applet trigger that watches for syslog messages matching a specified pattern, enabling automated responses to network events.

Syntax (Applet Config)
event syslog pattern [pattern]

When to Use This Command

  • Automatically save the running configuration when a link goes down (interface down syslog).
  • Send an SNMP trap or email when a specific security event (e.g., failed login) is logged.
  • Execute a custom script or command when OSPF neighbor state changes are detected in syslog.
  • Trigger a backup of the startup configuration whenever a critical error message appears.

Command Examples

Trigger on interface down syslog

event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"

This command sets the EEM applet to trigger when a syslog message matching the exact pattern for an interface going down is generated. The pattern includes the syslog ID and the interface details.

Trigger on failed login attempt

event syslog pattern "%SEC_LOGIN-4-LOGIN_FAILED: Login failed"

This pattern matches syslog messages indicating a failed login attempt. The EEM applet can then take actions like sending an alert or incrementing a counter.

Understanding the Output

The 'event syslog pattern' command itself does not produce output; it is a configuration command within an EEM applet. Output appears only when you verify the applet with 'show event manager policy registered' or 'show event manager applet'. In those outputs, look for the applet name and its trigger event; the pattern is displayed under the trigger details. A correctly configured trigger shows the pattern string exactly as entered.

If the pattern is too broad, it may trigger on unintended events; if it is too specific, it may miss events. Ensure the pattern matches the exact syslog message format, including the syslog ID and any variables such as interface names or IP addresses.

CCNA Exam Tips

  1. Remember that the pattern is case-sensitive and must match the exact syslog message format, including the percent sign and syslog ID.
  2. You can use regular expressions in the pattern for more flexible matching, but be careful with special characters.
  3. The 'event syslog pattern' command is configured inside an EEM applet, not globally. The applet must also have 'action' commands to define what happens when the trigger fires.
  4. Common exam scenario: Configure an EEM applet that sends a syslog message when a specific event occurs, using 'action syslog msg'.

Common Mistakes

Mistake 1: Forgetting to include the syslog ID (e.g., %LINEPROTO-5-UPDOWN) in the pattern, causing the trigger to never match.

Mistake 2: Using a pattern that is too generic (e.g., just 'down') which triggers on many unrelated events.

Mistake 3: Not escaping special regex characters like parentheses or periods, leading to pattern matching failures.
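
Mistakes 2 and 3 can be caught before an applet is deployed by running candidate patterns over sample log lines and listing what each one would fire on and what it would miss. The script below is an added example, not part of the original page or of any Cisco tooling; the log lines are constructed, the `audit` helper is hypothetical, and it assumes Python's `re.search` approximates the device's pattern matching, so confirm the final pattern on the device.

```python
import re

# Constructed sample syslog lines for illustration (not captured from a device).
LOGS = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/10, changed state to down",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10]",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10]",
]


def audit(pattern, intended, logs=LOGS):
    """Return (unintended, missed) indexes into logs for one candidate pattern.

    Assumption: an unanchored, case-sensitive regex search approximates how
    the device applies the pattern to each syslog message.
    """
    rx = re.compile(pattern)
    hits = {i for i, line in enumerate(logs) if rx.search(line)}
    return sorted(hits - set(intended)), sorted(set(intended) - hits)


# (candidate pattern, indexes of the lines it is meant to catch)
CANDIDATES = [
    ("down", [0]),                                    # too generic
    ("GigabitEthernet0/1.*down", [0]),                # also catches Gi0/10
    ("%LINEPROTO-5-UPDOWN: Line protocol on Interface "
     "GigabitEthernet0/1, changed state to down", [0]),
    # Unescaped brackets form a character class, so the literal "[" never matches.
    ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin]", [4]),
    (r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: admin\]", [4]),
]


def report():
    """Map each candidate pattern to its (unintended, missed) result."""
    return {pattern: audit(pattern, want) for pattern, want in CANDIDATES}


if __name__ == "__main__":
    for pattern, (unintended, missed) in report().items():
        print(f"{pattern!r}\n  unintended: {unintended}  missed: {missed}")
```

A pattern is ready to deploy when both lists are empty for every line you care about; a non-empty "unintended" list means the applet's actions would run on events you did not plan for.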
