CCNA Embedded Event Manager Questions

75 of 76 questions · Page 1/2 · Embedded Event Manager topic · Answers revealed

1
Multi-Selectmedium

Which TWO commands would a network engineer use to verify the operation of an Embedded Event Manager (EEM) applet that triggers on a syslog pattern? (Choose TWO.)

Select 2 answers
A.show event manager history events
B.show event manager policy active
C.show event manager detector syslog
D.show event manager environment
E.debug event manager action all
AnswersA, B

This command shows the history of EEM events, including syslog-triggered events, allowing verification that the applet fired.

Why this answer

The 'show event manager history events' command displays recent EEM events, including those triggered by syslog patterns, while 'show event manager policy active' lists currently registered and active EEM applets. The other options either show unrelated EEM data or require additional configuration to be useful.

2
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager policy active No. Class Type Version Time Created Name 1 applet system 1.0 Mar 1 00:00:12 2025 TRACK-INTERFACE Event Type: syslog (pattern OSPF-5-ADJCHG) Action: cli command 'show ip route' What does this output indicate?

A.The EEM applet 'TRACK-INTERFACE' is active and will execute 'show ip route' when a syslog message matching 'OSPF-5-ADJCHG' is generated.
B.The EEM applet 'TRACK-INTERFACE' is currently executing and has run 'show ip route'.
C.The EEM applet 'TRACK-INTERFACE' has been triggered and the output of 'show ip route' is displayed.
D.The EEM applet 'TRACK-INTERFACE' is inactive and needs to be enabled.
AnswerA

Correct. The output shows the applet is active, triggered by syslog pattern OSPF-5-ADJCHG, and will execute the CLI command 'show ip route'.

Why this answer

The output shows active EEM policies that are currently enabled and waiting for their trigger events. It displays the applet name, class, type, version, creation time, the event that triggers it, and the actions it will execute. This helps verify that an applet is active and what it does.

3
MCQhard

What is the default behavior of EEM when multiple policies are registered for the same event?

A.All policies run simultaneously in parallel.
B.Only the first registered policy runs.
C.Policies run in order of priority (lower number = higher priority), then alphabetically by name.
D.Policies run in reverse order of registration.
AnswerC

Priority is the primary sort; ties are broken by policy name.

Why this answer

EEM policies are executed in order of their priority; if priorities are equal, the policy with the lowest name (alphanumeric) runs first.

4
MCQhard

Which statement correctly describes the default authentication behavior for EEM policy files stored in flash?

A.EEM requires all policy files to be signed with a digital certificate.
B.EEM uses MD5 hash verification by default.
C.EEM does not perform any authentication or integrity check on policy files by default.
D.EEM uses the device's AAA configuration to authenticate policy execution.
AnswerC

By default, EEM trusts the file system and executes policies without authentication.

Why this answer

EEM does not enforce any authentication by default; policy files are executed as-is without integrity checks.

5
MCQhard

A network engineer configures EEM to monitor interface state changes on R1. R1 has: event manager applet INT-MONITOR event syslog pattern "%LINEPROTO-5-UPDOWN" action 1.0 cli command "enable" action 2.0 cli command "show ip route" action 3.0 syslog msg "Interface state change detected". After a link flap on interface GigabitEthernet0/1, the engineer notices that the EEM applet runs multiple times, but the show ip route output is incomplete. Router R2 shows: routing table updates are delayed. What is the root cause?

A.The EEM applet executes before the routing protocol has converged, showing incomplete routing information.
B.The syslog pattern matches too many events, causing the applet to run excessively.
C.The 'show ip route' command requires privileged mode, but the applet is already in privileged mode.
D.The interface flap is causing routing protocol instability, not the EEM applet.
AnswerA

The applet runs immediately, but routing updates take time; adding a delay ensures accurate output.

Why this answer

The EEM applet runs immediately upon the syslog message, but the routing protocol may not have converged yet. The show ip route command may show stale or incomplete routes because the routing table update occurs asynchronously. The correct fix is to add a delay using 'action wait' before executing the show command.

6
MCQhard

A network engineer configures EEM to monitor OSPF neighbor state changes. R1 has: event manager applet OSPF-MON event syslog pattern "%OSPF-5-ADJCHG" action 1.0 cli command "enable" action 2.0 cli command "show ip ospf neighbor" action 3.0 syslog msg "OSPF neighbor change detected". After a link flap, the engineer notices that the EEM applet does not execute. Router R2 shows: OSPF neighbor state changes are logged, but no EEM actions occur. What is the root cause?

A.The EEM applet is not registered correctly; it needs to be enabled with 'event manager applet OSPF-MON trigger'
B.The syslog pattern matches, but the OSPF ADJCHG message is severity 5, which is below the default EEM syslog severity threshold of 4.
C.The 'action 1.0 cli command "enable"' fails because the applet is already in privileged mode.
D.The OSPF neighbor change is not generating a syslog message due to logging buffer size.
AnswerB

EEM syslog triggers require severity 0-4 by default; OSPF ADJCHG is severity 5.

Why this answer

The EEM applet uses the syslog pattern trigger, but the OSPF ADJCHG message is logged at severity 5 (notification). By default, EEM syslog triggers only match severity 0-4 (emergency through warning). The engineer must adjust the logging severity or use a different trigger (e.g., event syslog pattern with severity).

7
MCQhard

A network engineer configures an EEM applet to monitor OSPF network type mismatches using the event syslog pattern 'OSPF-5-ADJCHG'. The applet is supposed to send a notification when an adjacency fails. Two routers are connected with an OSPF network type mismatch (one is broadcast, the other is point-to-point). The adjacency fails, but the EEM applet does not trigger. Which is the most likely explanation?

A.A network type mismatch prevents the routers from reaching the 2WAY state, so no OSPF-5-ADJCHG syslog is generated.
B.The EEM applet must use 'event ospf' to capture OSPF network type mismatches.
C.The network type mismatch generates a syslog with pattern 'OSPF-4-ERRRCV', but the EEM applet is looking for 'OSPF-5-ADJCHG'.
D.The OSPF process must be restarted for the EEM applet to detect the mismatch.
AnswerA

Correct. The adjacency fails early, and the syslog for state change is not generated because FULL was never reached.

Why this answer

When OSPF network types mismatch, the adjacency may fail during the database exchange process, but the syslog message generated is often 'OSPF-4-ERRRCV' or 'OSPF-5-ADJCHG' depending on the specific failure. However, if the mismatch is between broadcast and point-to-point, the routers may not even form a neighbor relationship because they interpret Hello packets differently. In some IOS versions, the syslog message is not generated at all because the routers never reach the 2WAY state.

The EEM applet relies on the 'OSPF-5-ADJCHG' pattern, which is only generated when there is a state change from FULL to DOWN or vice versa. If the adjacency never progresses beyond INIT, no ADJCHG message is produced.

8
Drag & Dropmedium

Drag and drop the steps to create and register an EEM applet for syslog events into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order begins with entering global configuration mode, then defining the EEM applet and its syslog trigger, followed by configuring the action to execute, and finally exiting configuration mode to register the applet.

9
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 BGP_Neighbor_Down R1# show bgp summary BGP router identifier 10.0.0.1, local AS number 65001 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.2 4 65002 5 5 1 0 0 00:02:00 Established Based on this output, which statement is correct?

A.The BGP neighbor is down.
B.The EEM policy has been triggered.
C.The BGP neighbor is up and the EEM policy has not been triggered.
D.The EEM policy is disabled.
AnswerC

The Established state confirms the neighbor is up, so the down event has not occurred.

Why this answer

The EEM policy BGP_Neighbor_Down is registered, but the BGP neighbor is in Established state. The correct answer is that the BGP neighbor is up and the EEM policy has not been triggered.

10
Drag & Dropmedium

Drag and drop the steps to verify and validate EEM operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by displaying registered EEM policies, then check the status of each policy (active/inactive), review event history and timestamps, examine the policy actions and variables, and finally confirm the policy triggers correctly with a test event.

11
MCQhard

A network engineer is troubleshooting a router that fails to apply a specific configuration change after a reload. The engineer has an EEM applet that runs at boot time to apply a set of commands. After a reload, the engineer checks the configuration and finds that the commands were not applied. The applet is configured with event syslog pattern 'SYS-5-RESTART' and action cli command 'configure terminal'. What is the most likely cause of the failure?

A.The EEM applet is not enabled globally.
B.The syslog pattern 'SYS-5-RESTART' is misspelled.
C.The EEM applet runs before the router is fully booted, so the CLI commands fail.
D.The EEM applet requires a 'event manager directory user' command to be configured.
AnswerC

Correct because the syslog message may be generated early in the boot process, and the router may not be ready to accept configuration commands at that point.

Why this answer

The EEM applet uses the wrong event trigger. The 'SYS-5-RESTART' syslog message may not be generated or may be generated too early before the router is fully ready for configuration commands. The engineer should use 'event none' with a manual trigger or use 'event timer' to delay execution.

12
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager history events Event History: No. Time Type Name 1 00:01:30 UTC Mar 1 syslog OSPF_Neighbor_Down 2 00:01:31 UTC Mar 1 syslog OSPF_Neighbor_Up 3 00:01:32 UTC Mar 1 syslog OSPF_Neighbor_Down 4 00:01:33 UTC Mar 1 syslog OSPF_Neighbor_Up Based on this output, which statement is correct?

A.The OSPF neighbor is stable.
B.The OSPF neighbor is flapping.
C.The EEM policy is not configured.
D.The OSPF neighbor is down permanently.
AnswerB

The rapid succession of down and up events is characteristic of flapping.

Why this answer

The event history shows alternating OSPF neighbor down and up events within seconds, indicating a flapping condition. The correct answer is that the OSPF neighbor is flapping.

13
MCQmedium

Examine the following EEM applet configuration: !--- event manager applet RELOAD_NOTIFY event syslog pattern "%SYS-5-RELOAD" action 1.0 cli command "enable" action 2.0 cli command "send log "Router is reloading"" !--- What is the effect of this configuration?

A.The applet will send a log message to the console when a reload is initiated.
B.The applet will fail because 'send log' is not a valid IOS command.
C.The applet will prevent the reload from occurring.
D.The applet will generate a syslog message with the text "Router is reloading".
AnswerB

Correct. 'send log' is not a valid command; the correct command would be 'logger' or 'send' with appropriate parameters.

Why this answer

The applet triggers on a syslog message indicating a reload. It then executes a 'send log' command, which is not a valid IOS command. The correct command is 'send log' is not valid; the intended command might be 'send' or 'logger'.

This will cause the action to fail, and the applet will not execute successfully.

14
MCQhard

An engineer configures an EEM applet to monitor CoPP (Control Plane Policing) drops using the event syslog pattern 'COPP-3-DROP'. The applet is intended to log when CoPP drops packets. The CoPP policy is applied with a rate-limit in bps, but the traffic exceeds the rate, and packets are dropped. The EEM applet does not trigger. Which is the most likely explanation?

A.CoPP does not generate syslog messages for individual drops unless the 'log' keyword is configured in the policy.
B.The EEM applet must use 'event class-map' to capture CoPP events.
C.The rate-limit in bps is incorrect; it should be in pps to generate syslog.
D.The CoPP policy must be applied to the input direction only for drops to be logged.
AnswerA

Correct. CoPP drops are not logged by default; the 'log' keyword must be added to the police action.

Why this answer

CoPP generates syslog messages only when the drop rate exceeds a certain threshold or when the policy is applied, not for every individual drop. By default, CoPP does not generate syslog messages for every dropped packet because it would overwhelm the router. The 'COPP-3-DROP' syslog is generated only if the 'police' action includes the 'log' keyword or if the drop rate is significant enough to trigger a log.

Without explicit logging configuration in the CoPP policy, no syslog is generated, and the EEM applet will not trigger.

15
MCQhard

A network engineer configures EEM to monitor BGP prefix limits on R1. R1 has: event manager applet BGP-PREFIX event syslog pattern "%BGP-3-PREFIX_LIMIT" action 1.0 cli command "enable" action 2.0 cli command "clear ip bgp 10.1.1.2" action 3.0 syslog msg "Cleared BGP session". Router R2 shows: BGP session with R1 is flapping, and logs show repeated prefix limit warnings. What is the root cause?

A.The EEM applet clears the BGP session, which resets the prefix count but does not prevent the neighbor from re-sending the same prefixes.
B.The syslog pattern is incorrect; it should be %BGP-4-PREFIX_LIMIT.
C.The clear command should be 'clear ip bgp *' to reset all sessions.
D.The BGP session is flapping due to a keepalive timer mismatch.
AnswerA

Clearing the session only provides temporary relief; the prefix limit is hit again after re-establishment.

Why this answer

The EEM applet clears the BGP session when a prefix limit is reached, but this does not solve the underlying issue. The prefix limit is exceeded because the neighbor is sending too many prefixes; clearing the session only temporarily resets the count, leading to a cycle. The correct fix is to increase the prefix limit or filter prefixes.

16
MCQmedium

A network engineer notices that a router is sending SNMP traps for interface state changes even when there is no actual interface flapping. The engineer checks the running configuration and finds an EEM applet that monitors interface state changes and sends a syslog message. The applet is configured with a trigger condition that matches any interface state change. What should the engineer do to resolve the issue?

A.Remove the EEM applet entirely.
B.Modify the EEM applet trigger to match only the specific interfaces of interest.
C.Increase the debounce timer on the interface to reduce flapping.
D.Disable SNMP traps for interface state changes.
AnswerB

Correct because narrowing the trigger condition prevents false positives while retaining monitoring capability.

Why this answer

The EEM applet is too broadly triggered, causing unnecessary syslog messages that may be interpreted as traps. The engineer should narrow the trigger condition to match only specific interfaces or use a more specific event filter.

17
MCQhard

A network engineer configures an EEM applet to monitor uRPF (Unicast Reverse Path Forwarding) failures using the event syslog pattern 'IP-3-URPF'. The applet is designed to log when uRPF drops packets due to strict mode. The network has asymmetric routing, and packets are dropped. The EEM applet does not trigger. Which is the most likely explanation?

A.uRPF strict mode drops packets silently without generating a syslog message unless the 'log' keyword is used.
B.The EEM applet must use 'event routing' to capture uRPF events.
C.Asymmetric routing causes uRPF to generate a different syslog pattern, such as 'IP-4-URPF'.
D.The uRPF must be configured in loose mode to generate syslog messages.
AnswerA

Correct. uRPF drops are not logged by default; the 'log' keyword must be added to the verification command.

Why this answer

uRPF strict mode drops packets when the source IP address is not reachable via the incoming interface. However, the syslog message 'IP-3-URPF' is generated only when the 'ip verify unicast source reachable-via' command is configured with the 'allow-default' option or when the drop is logged explicitly. In strict mode without 'allow-default', the router may drop packets silently without generating a syslog message, especially if the drop is due to asymmetric routing.

The EEM applet will not trigger because no syslog is generated for the drop.

18
MCQmedium

A network engineer is troubleshooting an intermittent BGP session failure between two routers. The BGP session drops every few hours and recovers after a few seconds. The engineer checks the logs and sees that an EEM applet is triggered just before each failure. The applet is configured to run a script that clears the BGP session when a specific syslog message is generated. What is the most likely cause of the BGP session failure?

A.The BGP session is failing due to a physical layer issue.
B.The EEM applet is clearing the BGP session as part of its configured action.
C.The BGP session is failing due to a routing loop.
D.The EEM applet is causing a memory leak that crashes the BGP process.
AnswerB

Correct because the applet's action to clear the BGP session directly causes the session failure when triggered.

Why this answer

The EEM applet is the root cause because it is configured to clear the BGP session upon a specific syslog event. The engineer should review the applet's trigger condition and action to identify why it is being triggered incorrectly or unnecessarily.

19
MCQhard

An engineer configures an EEM applet to monitor OSPF neighbor state changes using the event syslog pattern 'OSPF-5-ADJCHG'. The applet triggers a custom syslog message. The OSPF adjacency between two routers fails due to an MTU mismatch, but the EEM applet does not trigger. Which is the most likely explanation?

A.The OSPF-5-ADJCHG syslog message is not generated for MTU mismatch failures because the neighbor never reaches FULL state.
B.The EEM applet has a typo in the event syslog pattern; it should match 'OSPF-5-ADJCHG' with a wildcard.
C.The EEM applet requires the 'event manager run' command to be enabled globally.
D.The MTU mismatch causes a routing loop that suppresses syslog generation.
AnswerA

Correct. MTU mismatch causes the adjacency to fail in EXSTART, and the syslog message is OSPF-4-ERRRCV instead of OSPF-5-ADJCHG.

Why this answer

When an OSPF adjacency fails due to MTU mismatch, the neighbor state transitions from EXSTART to DOWN without generating the standard OSPF-5-ADJCHG syslog message. The adjacency never reaches FULL, so the state change from EXSTART to DOWN is logged as a different syslog pattern (OSPF-4-ERRRCV or OSPF-5-ADJCHG may not fire). EEM applets that rely on the exact pattern 'OSPF-5-ADJCHG' will not trigger because that message is only generated when the neighbor state changes from FULL to DOWN or vice versa.

20
Multi-Selectmedium

Which TWO statements about Embedded Event Manager (EEM) applet configuration are true? (Choose TWO.)

Select 2 answers
A.An EEM applet can be configured with multiple event statements using the 'event' command with the 'or' operator.
B.The 'action' command within an EEM applet can execute a Cisco IOS CLI command using the 'cli' keyword.
C.An EEM applet must include a Tcl script to perform any actions.
D.An EEM applet can only have a single action command.
E.The 'event none' configuration is not allowed in an EEM applet.
AnswersA, B

EEM supports multiple event triggers combined with the 'or' operator, allowing the applet to fire on any of the specified events.

Why this answer

EEM applets can use multiple event statements combined with a Boolean operator, and the 'action' command supports Cisco IOS CLI commands via the 'cli' keyword. The other statements are false: applets do not require a Tcl script, multiple actions are allowed, and the 'event none' option is valid for manual triggering.

21
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 EIGRP_Neighbor_Down 2 applet 00:01:23 UTC Mar 1 2025 OSPF_Neighbor_Flap Based on this output, which statement is correct?

A.Two EEM applet policies are registered and active.
B.Two EEM applet policies are registered but disabled.
C.Only one EEM applet policy is registered.
D.The EEM applet policies are triggered by syslog events.
AnswerA

The output shows two applet policies registered, meaning they are loaded and ready to trigger based on their defined events.

Why this answer

The 'show event manager policy registered' command lists all EEM policies registered on the device. The output shows two applet policies registered, but no trigger events are shown. The correct answer is that two EEM applet policies are registered, but the output does not indicate whether they are enabled or disabled; registration means they are loaded and ready to trigger.

22
Multi-Selecthard

Which TWO statements about EEM applet configuration and execution are correct? (Choose TWO.)

Select 2 answers
A.An EEM applet can be triggered by multiple event types if the 'event' statements are configured under the same applet using the 'multiple' keyword.
B.The 'action info type routername' command stores the router hostname in the '$_info_type_routername' environment variable.
C.The 'event cli' pattern matching is case-insensitive by default.
D.The 'event timer countdown' command uses the 'time' keyword to specify the duration in seconds.
E.The 'action string' command can be used to trim leading and trailing whitespace from a variable using the 'trim' subcommand.
AnswersA, B

Correct. The 'event multiple' keyword allows an applet to wait for any of several specified events.

Why this answer

EEM applets can be configured with multiple events using the 'multiple' keyword. The 'action info type routername' command retrieves the router hostname. The 'event cli' pattern is case-sensitive by default.

The 'event timer countdown' does not support the 'time' keyword; it uses 'countdown-time'. The 'action string' does not support 'trim' as a subcommand.

23
MCQmedium

What is the default behavior of EEM when a policy encounters a runtime error?

A.EEM automatically retries the policy up to three times.
B.EEM logs the error and continues with the next policy.
C.EEM reloads the device to clear the error.
D.EEM ignores the error and proceeds with the next action in the same policy.
AnswerB

The error is logged, and if multiple policies are queued, execution continues with the next.

Why this answer

By default, EEM logs the error via syslog and stops executing the policy; it does not retry.

24
Drag & Drophard

Drag and drop the steps to troubleshoot EEM adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying the EEM policy is registered and enabled, then check for any connectivity issues using ping or traceroute, review syslog or debug output for event triggers, examine the policy logic for errors, and finally test the policy manually to confirm resolution.

25
Multi-Selecthard

Which TWO statements about EEM environment variables and their scoping are true? (Choose TWO.)

Select 2 answers
A.Environment variables defined using the 'event manager environment' global configuration command are available to all EEM applets on the device.
B.Variables set within an applet using the 'action set' command are automatically available to other applets running on the same device.
C.The '$_cli_msg' variable, when used with 'event cli', contains the full command line that triggered the event, including any parameters.
D.The '$_event_pub_sec' variable provides the priority and severity of the event that triggered the applet.
E.The '$_syslog_msg' variable is available only when the applet is triggered by a syslog event.
AnswersA, C

Correct. These are global variables that persist across applets and reboots.

Why this answer

EEM environment variables set with 'event manager environment' are global and persist across applets. Variables set with 'action set' are local to the applet. The '$_cli_msg' variable is populated by 'event cli' with the full command line.

The '$_event_pub_sec' variable is not a standard EEM variable. The '$_syslog_msg' variable is available only in syslog-triggered applets.

26
MCQeasy

A network engineer is troubleshooting a router that is sending duplicate SNMP traps for interface state changes. The engineer finds two EEM applets that both trigger on the same syslog pattern 'LINK-3-UPDOWN' and both send SNMP traps. What should the engineer do to resolve the duplicate traps?

A.Disable syslog logging for interface state changes.
B.Remove one of the duplicate EEM applets.
C.Change the SNMP trap destination to a different host for one applet.
D.Increase the SNMP trap queue size.
AnswerB

Correct because removing one applet eliminates the duplicate trap generation.

Why this answer

The duplicate traps are caused by two applets performing the same action. The engineer should remove one of the applets or combine them into one.

27
MCQmedium

Consider the following EEM applet configuration: !--- event manager applet INTERFACE_DOWN event syslog pattern "%LINEPROTO-5-UPDOWN" action 1.0 if $syslog_severity eq 5 action 2.0 cli command "enable" action 3.0 cli command "clear counters" !--- What will happen when a syslog message matching the pattern is generated?

A.The applet will execute the CLI commands only if the syslog severity is exactly 5.
B.The applet will execute the CLI commands unconditionally because the 'if' action is misconfigured.
C.The applet will fail to register because the 'if' action requires an 'else' clause.
D.The applet will clear the counters only for the interface that generated the syslog message.
AnswerB

Correct. Without the 'end' statement, the 'if' block is not properly closed, and the CLI commands will be executed regardless of the condition in many IOS versions.

Why this answer

The applet uses an 'if' action to check the syslog severity. If the severity is 5 (notification), the CLI commands are executed. However, the 'if' action is not closed with an 'end' statement, which is required.

As a result, the applet will encounter a syntax error and may not execute correctly, or the CLI commands may be executed unconditionally depending on the IOS version.

28
MCQmedium

A network engineer is troubleshooting a router that is not sending SNMP traps for a specific interface down event. The engineer has an EEM applet configured to send an SNMP trap when the interface goes down. The applet uses event syslog pattern 'LINK-3-UPDOWN' and action snmp-trap. The interface goes down, but no trap is sent. What is the most likely cause?

A.The syslog pattern 'LINK-3-UPDOWN' is incorrect; the correct pattern is 'LINK-5-CHANGED'.
B.The EEM applet is not registered with the SNMP agent.
C.The SNMP trap action requires an SNMP community string to be specified in the applet.
D.The SNMP trap destination is not configured globally.
AnswerD

Correct because the EEM applet's SNMP trap action sends traps to the configured SNMP trap receivers; if none are configured, the trap is not sent.

Why this answer

The EEM applet is triggered by a syslog message, but the syslog message may not be generated for that specific interface, or the SNMP trap action may require additional configuration such as an SNMP community or target host.

29
MCQmedium

Which EEM event type uses a default polling interval of 60 seconds when no interval is explicitly configured?

A.event syslog
B.event timer
C.event snmp
D.event cli
AnswerC

The default polling interval for SNMP events is 60 seconds.

Why this answer

The 'event snmp' type polls at a default interval of 60 seconds if the 'interval' keyword is omitted.

30
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# debug event manager action syslog EEM Action Syslog debugging is on R1# Mar 1 00:20:45.789: %HA_EM-6-ACTION: applet TRACK-INTERFACE: action syslog msg: 'OSPF adjacency change detected' What does this output indicate?

A.The EEM applet 'TRACK-INTERFACE' executed a syslog action and generated the message 'OSPF adjacency change detected'.
B.The EEM applet 'TRACK-INTERFACE' received a syslog message 'OSPF adjacency change detected'.
C.The debug output shows the configuration of the syslog action for applet 'TRACK-INTERFACE'.
D.The syslog message was generated by the system, not by the EEM applet.
AnswerA

Correct. The debug output shows the applet generating the syslog message.

Why this answer

The debug output shows the execution of syslog actions within an EEM applet. It displays the applet name and the syslog message being generated. This is useful for verifying that syslog actions are working correctly.

31
MCQeasy

Which statement correctly describes the default behavior of the Embedded Event Manager (EEM) when an event occurs and no action is explicitly defined?

A.EEM will generate a syslog message by default.
B.EEM will execute the default action of reloading the device.
C.EEM will take no action and the event is silently ignored.
D.EEM will send an SNMP trap by default.
AnswerC

Without an action configured, EEM does nothing upon event detection.

Why this answer

By default, EEM does not perform any action if none is configured; it simply logs the event occurrence.

32
MCQmedium

Consider the following EEM applet configuration: !--- event manager applet HIGH_CPU event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact entry-op gt entry-val 90 poll-interval 10 action 1.0 syslog msg "CPU utilization exceeded 90%" !--- What is the problem with this configuration?

A.The OID is a scalar, so 'entry-op' and 'entry-val' cannot be used; they are only for table entries.
B.The 'poll-interval' is too short and will cause high CPU usage.
C.The applet will work correctly and generate a syslog message when CPU exceeds 90%.
D.The 'get-type exact' is incorrect; it should be 'get-type next'.
AnswerA

Correct. For scalar OIDs, the 'entry-op' and 'entry-val' are not applicable; the applet should use a different event type or specify the OID correctly.

Why this answer

The 'event snmp oid' command requires a 'get-type' of 'exact' or 'next', but the OID specified is for a specific instance (cpmCPUTotal5sec). However, the OID is not complete; it should include the instance index. Additionally, the 'entry-op' and 'entry-val' are used for table entries, but this OID is a scalar.

The correct approach is to use 'event snmp oid' with a scalar OID and use 'poll-interval' with 'entry-op' and 'entry-val' only for table entries. This configuration may cause the applet to not trigger correctly.

33
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager history applet TRACK-INTERFACE Applet TRACK-INTERFACE: Time Created : Mar 1 00:00:12 2025 Time Last Triggered : Mar 1 00:15:30 2025 Time Last Executed : Mar 1 00:15:30 2025 Trigger Count : 5 Execution Count : 5 Last Event Type : syslog Last Event Detail : OSPF-5-ADJCHG Last Action Executed : show ip route Last Action Result : Success What does this output indicate?

A.The applet 'TRACK-INTERFACE' has been triggered 5 times and executed successfully each time, with the last trigger at 00:15:30.
B.The applet 'TRACK-INTERFACE' has failed to execute 5 times.
C.The applet 'TRACK-INTERFACE' has not been triggered since it was created.
D.The applet 'TRACK-INTERFACE' executed the action 'show ip route' but the output was not captured.
AnswerA

Correct. The trigger count and execution count are both 5, and the last action result is 'Success'.

Why this answer

The output shows the history for a specific EEM applet. It includes creation time, last trigger and execution times, trigger and execution counts, the last event that triggered it, the last action executed, and the result. This helps in determining if the applet is being triggered and executing successfully.

34
Multi-Selecthard

Which TWO statements about EEM applet debugging and verification are correct? (Choose TWO.)

Select 2 answers
A.The command 'show event manager policy available' displays all configured EEM applets on the device.
B.The 'debug event manager action cli' command enables debugging output for CLI actions executed by EEM applets.
C.The 'show event manager history events' command displays a log of recent events that have triggered applets.
D.The 'show event manager policy active' command shows all applets that are currently running or have run recently.
E.The 'show event manager applet' command is not a valid IOS command.
AnswersB, C

Correct. This debug command shows the CLI commands being executed by applet actions.

Why this answer

'show event manager policy available' lists registered Tcl policies, not applets. 'debug event manager action cli' debugs CLI actions. 'show event manager history events' shows recent event occurrences. 'show event manager policy active' shows running policies. 'show event manager applet' is a valid command.

35
Multi-Selecthard

Which TWO statements about EEM applet actions and their behavior are correct? (Choose TWO.)

Select 2 answers
A.The 'action cli command' can execute any EXEC mode command, including 'show' commands and 'ping'.
B.The 'action syslog' command sends a syslog message with a default facility of local7 and severity of informational.
C.The 'action snmp-trap' command can send an SNMP trap without any additional configuration if the device has an SNMP community set.
D.The 'action mail' command can be used to send an email notification from an EEM applet.
E.The 'action cli command' can be used to enter global configuration mode and execute configuration commands directly.
AnswersA, B

Correct. 'action cli command' can execute any valid EXEC command.

Why this answer

'action cli command' can run any exec command. 'action syslog' sends a syslog message with facility local7 by default. 'action snmp-trap' requires an SNMP community. 'action mail' is not supported in EEM. 'action cli command' cannot run config commands directly without entering config mode.

36
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager policy registered No. Class Type Version Time Created Name 1 applet system 1.0 Mar 1 00:00:12 2025 TRACK-INTERFACE 2 applet system 1.0 Mar 1 00:00:15 2025 BGP-RESET 3 applet user 1.0 Mar 1 00:02:30 2025 LOG-ERROR What does this output indicate?

A.Three EEM applets are registered, including two system-defined and one user-defined.
B.Three EEM applets are registered, all user-defined.
C.Three EEM applets are registered, all system-defined.
D.The output shows the EEM applets that are currently executing.
AnswerA

Correct. The output shows two applets with class 'system' (TRACK-INTERFACE and BGP-RESET) and one with class 'user' (LOG-ERROR).

Why this answer

The output shows three registered EEM applets. The 'Class' column indicates whether the applet is system-defined or user-defined. 'Type' is always 'applet' for EEM applets. 'Time Created' shows when the applet was registered. The 'Name' is the applet name.

This output confirms that the applets are registered and available for execution.

37
MCQhard

A network engineer configures an EEM applet to monitor IPsec tunnel failures using the event syslog pattern 'IPSEC-3-IPSEC'. The applet is designed to clear the IPsec security associations. The IPsec tunnel fails due to a transform-set mismatch, but the EEM applet does not trigger. Which is the most likely explanation?

A.Transform-set mismatch generates an IPSEC syslog with severity 4, not severity 3.
B.The EEM applet must use 'event isakmp' to capture IPsec events.
C.The IPsec tunnel failure is not logged because the router drops the packet silently.
D.The transform-set mismatch causes a routing loop that suppresses syslog generation.
AnswerA

Correct. The syslog for transform-set mismatch is severity 4, so the pattern 'IPSEC-3-IPSEC' does not match.

Why this answer

When an IPsec tunnel fails due to a transform-set mismatch, the IKE phase 2 negotiation fails, and the syslog message generated is typically 'IPSEC-4-IPSEC' (severity 4) or 'ISAKMP-4-ISAKMP' (severity 4) depending on the IOS version. The pattern 'IPSEC-3-IPSEC' is for severity 3 errors, which are used for more critical events like SA lifetime expiration or hardware failures. The transform-set mismatch is a negotiation failure, not a critical error, so the syslog severity is lower (4), and the EEM applet does not match.

38
MCQeasy

Which EEM action type is used to modify the configuration of the device?

A.action syslog
B.action cli
C.action snmp-trap
D.action mail
AnswerB

The 'action cli' command executes IOS commands, enabling configuration modifications.

Why this answer

The 'action cli' command allows executing Cisco IOS commands, including configuration changes.

39
MCQhard

A network engineer runs the following command on Router R1: R1# show event manager history events Event History: No. Time Type Name 1 00:01:30 UTC Mar 1 syslog EIGRP_Neighbor_Down 2 00:01:31 UTC Mar 1 syslog OSPF_Neighbor_Flap 3 00:01:32 UTC Mar 1 syslog EIGRP_Neighbor_Down 4 00:01:33 UTC Mar 1 syslog OSPF_Neighbor_Flap Based on this output, what is the most likely problem?

A.The EEM policies are not configured correctly.
B.The router is experiencing network instability causing repeated neighbor state changes.
C.The EEM applet policies are disabled.
D.The syslog server is not reachable.
AnswerB

The repeated events within seconds indicate flapping, likely due to link issues or routing problems.

Why this answer

The 'show event manager history events' command shows the last triggered events. The output shows repeated syslog events for EIGRP neighbor down and OSPF neighbor flap within a short timeframe, indicating a flapping condition. The correct answer is that the router is experiencing network instability causing repeated neighbor state changes.

40
MCQhard

A network engineer configures EEM to monitor CPU usage on R1. R1 has: event manager applet CPU-MONITOR event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.7.1 get-type exact entry-op gt entry-val 80 poll-interval 5 action 1.0 cli command "enable" action 2.0 cli command "show processes cpu sorted" action 3.0 syslog msg "High CPU usage detected". After a few hours, the engineer notices that the applet triggers repeatedly, but the show command output is truncated. Router R2 shows: no issues. What is the root cause?

A.The EEM applet runs too frequently (every 5 seconds), consuming CPU and causing output truncation.
B.The SNMP OID is for 5-second CPU, not 1-minute average, causing false positives.
C.The 'show processes cpu sorted' command requires a terminal length setting.
D.The applet should use 'event manager applet CPU-MONITOR trigger' to start.
AnswerA

Frequent execution of the show command increases CPU load, worsening the condition.

Why this answer

The EEM applet triggers every 5 seconds when CPU exceeds 80%, and each execution runs the show command, which itself consumes CPU. This can create a feedback loop where the applet increases CPU usage, causing more triggers. Additionally, the show command output may be truncated if the applet runs too frequently or the buffer is insufficient.

The correct fix is to increase the poll interval or add a throttle.

41
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager history events Event History: Event Type : syslog Time : Mar 1 00:05:23 Pattern : OSPF-5-ADJCHG Trigger count : 1 Event Type : timer Time : Mar 1 00:06:00 Timer Type : absolute Timer Name : MY-TIMER Trigger count : 1 What does this output indicate?

A.Two events have triggered EEM applets: a syslog event matching 'OSPF-5-ADJCHG' and an absolute timer named 'MY-TIMER'.
B.Two EEM applets are currently registered: one for syslog and one for timer.
C.The OSPF-5-ADJCHG syslog event triggered an applet that executed a timer.
D.The timer event is a countdown timer that triggered after 5 minutes and 23 seconds.
AnswerA

Correct. The output shows two events: one syslog event with pattern OSPF-5-ADJCHG triggered once, and one absolute timer named MY-TIMER triggered once.

Why this answer

The output shows the event history for EEM. It lists events that have triggered EEM applets. Each entry shows the event type (syslog, timer, etc.), the time it occurred, specific details (pattern for syslog, timer type and name for timer), and the number of times that event triggered an applet.

This helps in troubleshooting which events are being matched.

42
MCQhard

A network engineer configures an EEM applet to monitor redistribution events using the event syslog pattern 'IP-4-ROUTING'. The applet is intended to log when a route is redistributed from OSPF into EIGRP. The redistribution is configured without a seed metric for EIGRP, and the route is not redistributed. The EEM applet does not trigger. Which is the most likely explanation?

A.Redistribution into EIGRP without a seed metric fails silently, and no syslog message is generated.
B.The EEM applet must use 'event routing' to capture redistribution events.
C.The syslog pattern 'IP-4-ROUTING' is incorrect; it should be 'IP-5-ROUTING'.
D.The redistribution is blocked by route tagging, preventing the syslog.
AnswerA

Correct. EIGRP requires a seed metric; without it, the route is not redistributed and no syslog is generated.

Why this answer

When redistributing routes into EIGRP without a seed metric, the redistribution fails silently—no syslog message is generated. The EIGRP process drops the redistributed route because the default metric is not set. The 'IP-4-ROUTING' syslog message is only generated when a routing table change occurs due to redistribution, but since the route is not installed, no syslog is produced.

The EEM applet will not trigger because there is no matching syslog event.

43
MCQeasy

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 EIGRP_Neighbor_Down R1# show event manager history events Event History: No. Time Type Name 1 00:01:30 UTC Mar 1 syslog EIGRP_Neighbor_Down Based on this output, which statement is correct?

A.The EIGRP neighbor down event has occurred once.
B.The EIGRP neighbor is currently down.
C.The EEM policy is disabled.
D.The EIGRP neighbor is flapping.
AnswerA

The event history shows a single entry for EIGRP_Neighbor_Down.

Why this answer

The output shows one registered EEM applet policy and one triggered event. The correct answer is that the EIGRP neighbor down event has occurred once.

44
MCQmedium

What is the default timer value for the EEM environment variable 'timer watchdog'?

A.30 seconds
B.60 seconds
C.120 seconds
D.180 seconds
AnswerB

The default watchdog timer is 60 seconds, configurable via 'event timer watchdog'.

Why this answer

The default watchdog timer is 60 seconds; it monitors the EEM policy execution and resets if exceeded.

45
MCQhard

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 BGP_Neighbor_Down R1# show bgp neighbors 192.168.1.2 BGP neighbor is 192.168.1.2, remote AS 65002, external link BGP version 4, remote router ID 10.0.0.2 BGP state = Idle Last read 00:00:05, hold time is 180, keepalive interval is 60 seconds Neighbor sessions: 1 active, is not multisession capable Based on this output, what is the most likely conclusion?

A.The BGP neighbor is up and running.
B.The BGP neighbor is down, and the EEM policy may have been triggered.
C.The EEM policy is not registered.
D.The BGP session is established.
AnswerB

The Idle state indicates the session is down, which would likely trigger the BGP_Neighbor_Down event.

Why this answer

The EEM policy BGP_Neighbor_Down is registered, and the BGP neighbor is in Idle state, indicating the session is down. The correct answer is that the BGP neighbor is down, and the EEM policy may have been triggered.

46
MCQmedium

A network engineer is troubleshooting a router that is experiencing intermittent packet loss. The engineer checks the logs and sees that an EEM applet is being triggered frequently. The applet is configured to run a script that modifies the routing table. The engineer suspects the applet is causing the packet loss. What should the engineer do to verify the root cause?

A.Check the EEM applet's script for errors.
B.Use the 'show event manager statistics' command to see how often the applet is triggered.
C.Temporarily disable the EEM applet and monitor the packet loss.
D.Increase the logging level to debug to see more details.
AnswerC

Correct because disabling the applet and observing if packet loss stops confirms the applet as the cause.

Why this answer

To verify if the EEM applet is causing the packet loss, the engineer should temporarily disable the applet and monitor the network for any improvement in packet loss.

47
MCQhard

An engineer configures an EEM applet to monitor DMVPN tunnel events using the event syslog pattern 'NHRP-3-REGISTRATION'. The applet is supposed to send an email when a spoke registers with the NHS. The DMVPN network uses Phase 2 with spoke-to-spoke tunnels. A spoke registers successfully, but the EEM applet does not trigger. Which is the most likely explanation?

A.Successful NHRP registration generates a syslog message with severity 6 (informational), not severity 3 (error).
B.The EEM applet must be configured with 'event nhrp' to capture NHRP events.
C.The DMVPN Phase 2 does not generate syslog messages for spoke registration.
D.The NHS must be configured with 'ip nhrp registration no-syslog' to suppress messages.
AnswerA

Correct. The pattern 'NHRP-3-REGISTRATION' is for errors; successful registration uses 'NHRP-6-REGISTRATION'.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels are established dynamically, but the NHRP registration event generates a syslog message only when the spoke registers with the NHS. However, the syslog pattern 'NHRP-3-REGISTRATION' is for error-level messages, while successful registration generates an informational message (NHRP-6-REGISTRATION). The EEM applet is looking for severity level 3, but the actual syslog is severity level 6, so the pattern does not match.

48
Multi-Selecthard

Which THREE symptoms indicate that an Embedded Event Manager (EEM) applet configured to send a syslog message upon interface down has failed to execute? (Choose THREE.)

Select 3 answers
A.No custom syslog message appears on the console or in the log buffer when the interface goes down.
B.The 'show event manager history events' output does not include an entry for the interface down event.
C.The 'show event manager policy active' output shows the applet with a non-zero 'fail count' field.
D.The interface goes down and the router generates a default syslog message like '%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down'.
E.The 'show event manager environment' output shows the variable '_event_type' as 'none'.
AnswersA, B, C

The applet is designed to generate a syslog; its absence suggests the applet did not execute.

Why this answer

If the applet fails, no custom syslog is generated, the 'show event manager history events' will not show the trigger, and the 'show event manager policy active' may show the policy but with a non-zero failure count. The other options either describe normal behavior or unrelated issues.

49
MCQhard

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 EIGRP_Neighbor_Down R1# show ip eigrp neighbors IP-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 192.168.1.2 Gi0/0 13 00:02:00 40 200 0 5 Based on this output, what is the most likely problem?

A.The EIGRP neighbor is down.
B.The EEM policy has been triggered.
C.The EIGRP neighbor is up, and the EEM policy is ready to trigger if it goes down.
D.The EEM policy is misconfigured.
AnswerC

The neighbor is operational, so the down event has not occurred.

Why this answer

The EEM policy EIGRP_Neighbor_Down is registered, but the EIGRP neighbor is present with an uptime of 2 minutes. The correct answer is that the EEM policy has not been triggered because the neighbor is up; however, the policy is ready to act if the neighbor goes down.

50
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 OSPF_Neighbor_Down R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:36 192.168.1.2 GigabitEthernet0/0 Based on this output, what is the most likely conclusion?

A.The OSPF neighbor is down.
B.The EEM policy has been triggered.
C.The EEM policy is registered but not yet triggered because the OSPF neighbor is up.
D.The EEM policy is misconfigured.
AnswerC

The neighbor state FULL shows the neighbor is operational, so the down event has not occurred.

Why this answer

The EEM policy OSPF_Neighbor_Down is registered, but the OSPF neighbor is in FULL state. The correct answer is that the EEM policy has not been triggered because the OSPF neighbor is up.

51
MCQhard

A network engineer configures EEM to monitor routing table changes on R1. R1 has: event manager applet ROUTE-MONITOR event syslog pattern "%ROUTING-5-ROUTECHANGE" action 1.0 cli command "enable" action 2.0 cli command "show ip route" action 3.0 syslog msg "Routing table changed". After a route update, the engineer notices that the applet runs but the show ip route output does not reflect the change. Router R2 shows: the route is present in the routing table. What is the root cause?

A.The syslog message is generated before the routing table is updated, so the show command shows the old table.
B.The syslog pattern is incorrect; it should be %ROUTING-5-ROUTECHANGED.
C.The routing protocol is not fully converged due to a hold-down timer.
D.The 'show ip route' command is not executed in privileged mode.
AnswerA

The applet executes before the routing table change is committed; a delay is needed.

Why this answer

The syslog message %ROUTING-5-ROUTECHANGE is generated before the routing table is fully updated. The EEM applet runs immediately, capturing the routing table before the change is applied. The correct fix is to add a delay using 'action wait' to allow the routing table to converge.

52
MCQhard

A large enterprise network is experiencing intermittent BGP session resets between R1 and R2. R1 has the following relevant configuration: event manager applet BGP-MONITOR event syslog pattern "%BGP-3-NOTIFICATION" action 1.0 cli command "enable" action 2.0 cli command "clear ip bgp *" action 3.0 syslog msg "BGP session cleared by EEM". Router R2 shows: BGP neighbor 10.1.1.1 has been up for 0:00:05, state Established. What is the root cause?

A.The EEM applet is triggered by the BGP notification and clears all BGP sessions, causing a reset loop.
B.The BGP keepalive timer is set too low on R1.
C.The syslog pattern is incorrect and matches unrelated messages.
D.There is an MTU mismatch between R1 and R2.
AnswerA

The applet clears all BGP sessions upon any BGP notification, which exacerbates the issue.

Why this answer

The EEM applet triggers on any BGP notification syslog and then executes a clear ip bgp * command, which resets all BGP sessions. This creates a loop: a BGP notification causes a clear, which causes more notifications, leading to persistent flapping. The correct fix is to make the applet more specific or avoid clearing all sessions.

53
MCQmedium

Examine the following EEM applet configuration: !--- event manager applet BACKUP_CONFIG event timer watchdog time 86400 action 1.0 cli command "enable" action 2.0 cli command "copy running-config tftp://192.168.1.100/backup.cfg" !--- What is the effect of this configuration?

A.The applet will copy the running configuration to the TFTP server every 24 hours.
B.The applet will copy the startup configuration instead of the running configuration.
C.The applet will fail because the TFTP server IP address is not reachable.
D.The applet will only trigger once because the watchdog timer is a one-shot timer.
AnswerA

Correct. The watchdog timer triggers the applet every 86400 seconds, and the CLI command copies the running config to the TFTP server.

Why this answer

The applet uses a watchdog timer event that triggers every 86400 seconds (24 hours). When triggered, it copies the running configuration to a TFTP server. This is a valid configuration for periodic backup.

54
MCQmedium

A network engineer is troubleshooting a router that is experiencing high CPU utilization. The engineer checks the process list and sees that the 'EEM Server' process is consuming a significant amount of CPU. The engineer reviews the EEM configuration and finds multiple applets that are triggered by syslog events. What should the engineer do first to reduce CPU utilization?

A.Disable all EEM applets.
B.Use the 'show event manager statistics' command to see which applets are triggered most often.
C.Increase the router's CPU priority for the EEM process.
D.Change the syslog trigger to use a less frequent pattern.
AnswerB

Correct because this command provides per-applet trigger counts, helping pinpoint the culprit.

Why this answer

High CPU from EEM is often due to excessive syslog triggers. The engineer should first identify which applets are being triggered most frequently and either optimize their conditions or reduce the number of applets.

55
MCQeasy

What is the default behavior of an EEM applet when a 'set' action modifies a variable that is used in a subsequent 'if' condition?

A.The variable is evaluated at the start of the applet, so the 'if' condition uses the original value.
B.The variable is evaluated at the time the 'if' condition is executed, so it uses the updated value.
C.The 'set' action cannot modify a variable that is used in an 'if' condition.
D.The applet will fail if a variable is modified after being used in an 'if' condition.
AnswerB

Correct. EEM actions are executed sequentially, so the 'if' condition uses the current value of the variable.

Why this answer

EEM applets execute actions sequentially. If a 'set' action modifies a variable, that new value is used in any subsequent 'if' condition that references the same variable. Variables are not pre-evaluated; they are evaluated at the time the action is executed.

56
MCQhard

A network engineer configures EEM to monitor memory usage on R1. R1 has: event manager applet MEM-MONITOR event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op gt entry-val 90 poll-interval 10 action 1.0 cli command "enable" action 2.0 cli command "show processes memory" action 3.0 syslog msg "High memory usage detected". After a few days, the engineer notices that the applet never triggers, even though memory usage exceeds 90%. Router R2 shows: memory usage is at 95%, but no syslog from EEM. What is the root cause?

A.The SNMP OID is for free memory, and the condition checks if free memory is greater than 90%, which is not met when memory is low.
B.The poll-interval of 10 seconds is too short and causes the applet to be suppressed.
C.The SNMP community string is not configured, so the OID cannot be polled.
D.The applet requires 'event manager applet MEM-MONITOR trigger' to start.
AnswerA

The OID returns free memory; the applet triggers only when free memory >90%, which never happens when memory is high.

Why this answer

The SNMP OID used (1.3.6.1.4.1.9.9.48.1.1.1.6.1) is for the free memory, not used memory. The applet checks if free memory is greater than 90%, which is false when memory is low. The correct OID should be for used memory or the comparison operator should be 'lt' for free memory below 10%.

57
MCQeasy

What is the maximum number of actions that can be configured in a single EEM applet?

A.128
B.255
C.512
D.Unlimited
AnswerB

Correct. The maximum number of actions in an EEM applet is 255.

Why this answer

The maximum number of actions in an EEM applet is 255. This is a hard limit in Cisco IOS. If more actions are needed, multiple applets must be used.

58
MCQmedium

Examine the following EEM applet configuration: !--- event manager applet LOGIN_ALERT event syslog occurs 1 period 60 action 1.0 syslog msg "Login event detected" !--- What is the problem with this configuration?

A.The 'event syslog occurs' command is missing the required 'pattern' keyword.
B.The period of 60 seconds is too short and will cause high CPU usage.
C.The 'syslog msg' action cannot be used in the same applet as 'event syslog occurs'.
D.The applet will trigger on every syslog message, which is not the intended behavior.
AnswerA

Correct. The event must specify a pattern to match; otherwise, the applet will not trigger.

Why this answer

The 'event syslog occurs' command requires a pattern to match against syslog messages. Without a pattern, the applet will never trigger because the event is not properly defined. The correct syntax is 'event syslog pattern <string> occurs <number> period <seconds>'.

59
MCQhard

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager detector Detector Name : syslog Detector Type : system Detector State : enabled Detector Queue Size : 100 Detector Queue Max : 200 Detector Events Triggered : 15 Detector Name : timer Detector Type : system Detector State : enabled Detector Queue Size : 0 Detector Queue Max : 50 Detector Events Triggered : 3 What does this output indicate?

A.Both syslog and timer detectors are enabled. The syslog detector has triggered 15 events and has 100 events in its queue.
B.The syslog detector is disabled and needs to be enabled for EEM to work.
C.The timer detector has triggered 3 events and has 50 events in its queue.
D.The queue size of 100 for syslog indicates that 100 events have been dropped.
AnswerA

Correct. The syslog detector is enabled, has triggered 15 events, and has a queue size of 100 (pending events).

Why this answer

The output shows the status of EEM detectors. Detectors are components that monitor for specific events (syslog, timer, etc.). The output shows each detector's state (enabled/disabled), queue size and maximum, and the number of events triggered.

Queue size indicates pending events waiting to be processed.

60
MCQhard

Which statement correctly describes the default value of the 'event timer countdown' when no countdown time is specified?

A.The default countdown time is 60 seconds.
B.The default countdown time is 0 seconds, causing immediate trigger.
C.There is no default; a countdown time must be explicitly configured.
D.The default countdown time is 10 seconds.
AnswerC

The countdown timer requires the 'time' keyword; otherwise, the CLI rejects the command.

Why this answer

The 'event timer countdown' requires an explicit time value; there is no default — the configuration will be rejected if omitted.

61
MCQhard

An engineer configures an EEM applet to react to BGP prefix changes using the event syslog pattern 'BGP-5-ADJCHANGE'. The applet sends a custom SNMP trap. The BGP session between two routers is established, but when a route is withdrawn due to next-hop-self requirement for iBGP, the EEM applet does not trigger. Which is the most likely explanation?

A.The BGP-5-ADJCHANGE syslog is only generated for session state changes, not for individual route updates.
B.The EEM applet must be configured with 'event bgp' to monitor BGP prefix changes.
C.The next-hop-self requirement causes a BGP notification that generates a different syslog pattern.
D.The EEM applet requires the 'event manager directory' to be set for SNMP traps.
AnswerA

Correct. The syslog message is only for session state transitions, not for prefix changes.

Why this answer

The BGP-5-ADJCHANGE syslog message is generated only when the BGP session state changes (e.g., from Established to Idle or vice versa). It is not generated for individual prefix updates or withdrawals. When a route is withdrawn due to next-hop-self requirement, the BGP session remains established, so no ADJCHANGE event occurs.

The EEM applet will not trigger because the syslog pattern does not match any generated message.

62
MCQhard

A DMVPN network is experiencing spoke-to-spoke tunnel failures. R1 (hub) has: event manager applet DMVPN-TRIGGER event syslog pattern "%DMVPN-5-UP" action 1.0 cli command "enable" action 2.0 cli command "clear crypto sa" action 3.0 syslog msg "Cleared crypto SAs". Router R2 (spoke) shows: DMVPN tunnel is up, but IPsec SAs are renegotiating frequently. What is the root cause?

A.The EEM applet clears all crypto SAs whenever a DMVPN tunnel comes up, disrupting existing SAs.
B.The DMVPN tunnel is misconfigured with mismatched IPsec profiles.
C.The spoke router has an incorrect NHRP mapping.
D.The hub router has a routing protocol issue preventing spoke-to-spoke routes.
AnswerA

Clearing all crypto SAs forces renegotiation, causing spoke-to-spoke failures.

Why this answer

The EEM applet triggers on any DMVPN tunnel UP event and clears all crypto security associations (SAs). This forces renegotiation of IPsec SAs for all tunnels, causing temporary loss of spoke-to-spoke connectivity. The correct fix is to clear only specific SAs or avoid clearing them on DMVPN UP events.

63
MCQhard

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager environment all No. Variable Name Value 1 _exit_status 1 2 _event_type syslog 3 _syslog_msg %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done 4 _syslog_severity 5 5 _syslog_facility OSPF 6 _syslog_mnemonic ADJCHG What does this output indicate?

A.The environment variables show that a syslog event with mnemonic ADJCHG triggered, and the applet can use these variables in actions.
B.The environment variables are configured manually by the engineer to define the applet behavior.
C.The output shows the current state of all EEM applets and their variables.
D.The _exit_status variable indicates the applet failed to execute.
AnswerA

Correct. The variables show the event details, and applets can reference them using $_syslog_msg, etc.

Why this answer

The output shows the EEM environment variables that are set when an event triggers an applet. These variables contain information about the event, such as the event type, syslog message details, and exit status. This is useful for debugging applets that use these variables in their actions.

64
Multi-Selectmedium

Which TWO commands can be used to troubleshoot an Embedded Event Manager (EEM) applet that is not triggering as expected? (Choose TWO.)

Select 2 answers
A.debug event manager action all
B.show event manager detector all
C.show event manager policy registered
D.show event manager environment all
E.debug event manager all
AnswersA, B

This enables debugging for all EEM actions, showing detailed output when actions run, which helps identify if the applet is executing and what actions are performed.

Why this answer

The 'debug event manager action all' command provides detailed logs of EEM actions, while 'show event manager detector all' shows the status of all EEM detectors (including whether they are registered). The other options are either not valid or not useful for troubleshooting trigger issues.

65
MCQhard

A network engineer is troubleshooting a router that is not executing an EEM applet that is supposed to run when a specific interface goes down. The applet is configured with event syslog pattern 'LINK-3-UPDOWN' and matches the interface with a regex. The engineer checks the syslog and sees the message 'LINK-3-UPDOWN: GigabitEthernet0/1, changed state to down' but the applet does not run. What is the most likely cause?

A.The EEM applet is disabled.
B.The syslog message is not being sent to the EEM server due to logging level restrictions.
C.The regex pattern in the applet does not match the syslog message.
D.The interface is not being monitored because it is a subinterface.
AnswerC

Correct because a mismatch in the regex pattern is a common cause for an applet not triggering.

Why this answer

The EEM applet may have a regex that does not match the actual syslog message format. The engineer should verify the regex pattern using 'show event manager policy' or test the pattern.

66
MCQhard

A network engineer configures an EEM applet to monitor EIGRP stuck-in-active (SIA) events using the event syslog pattern 'EIGRP-3-SIA'. The applet is designed to clear the EIGRP neighbor. The EIGRP network has a unidirectional link that causes a route to go active, but the EEM applet does not trigger. Which is the most likely explanation?

A.The EIGRP SIA syslog message is only generated when the SIA timer expires, but a unidirectional link may prevent the query from being sent, so the timer never starts.
B.The EEM applet must use 'event eigrp' instead of 'event syslog' to catch EIGRP events.
C.The EIGRP process must be restarted for the EEM applet to take effect.
D.The unidirectional link causes a routing loop that suppresses syslog generation.
AnswerA

Correct. If the unidirectional link prevents query transmission, the SIA timer is not triggered, and no syslog is generated.

Why this answer

EIGRP SIA events generate syslog messages only when the SIA timer expires (default 3 minutes). If the unidirectional link causes the route to go active but the query propagation is blocked or the neighbor is not reachable, the SIA timer may not start because the router does not receive a reply from the neighbor. In some cases, the route may remain active indefinitely without generating an SIA syslog if the query is not sent due to the unidirectional link.

The EEM applet requires the specific 'EIGRP-3-SIA' syslog pattern, which is only generated when the SIA timer actually expires.

67
MCQhard

What is the default maximum recursion depth for EEM Tcl policies?

A.10
B.50
C.100
D.Unlimited
AnswerC

The default recursion limit for Tcl policies is 100.

Why this answer

EEM limits Tcl policy recursion to 100 levels by default to prevent infinite loops.

68
MCQhard

A service provider network is experiencing MPLS label distribution failures between R1 and R2. R1 has: event manager applet LDP-MONITOR event syslog pattern "%LDP-4-ERROR" action 1.0 cli command "enable" action 2.0 cli command "clear mpls ldp neighbor *" action 3.0 syslog msg "Cleared LDP neighbors". Router R2 shows: LDP session is down, and logs show repeated LDP errors. What is the root cause?

A.The EEM applet clears all LDP neighbors upon any LDP error, preventing the session from stabilizing.
B.The LDP router-id is misconfigured on R1.
C.The syslog pattern matches only severity 4, but LDP errors are severity 3.
D.The MPLS label range is exhausted on R1.
AnswerA

Clearing all LDP neighbors disrupts all LDP sessions, causing repeated errors.

Why this answer

The EEM applet triggers on any LDP error and clears all LDP neighbors. This removes the LDP session, causing more errors when the session tries to re-establish, leading to a cycle of failures. The correct fix is to clear only the affected neighbor or address the underlying LDP issue.

69
MCQmedium

A network engineer runs the following command to troubleshoot an EEM issue: R1# show event manager policy configuration TRACK-INTERFACE Applet TRACK-INTERFACE event syslog pattern "OSPF-5-ADJCHG" action 1.0 cli command "show ip route" action 2.0 cli command "show ip ospf neighbor" action 3.0 syslog msg "OSPF adjacency change detected" What does this output indicate?

A.The applet 'TRACK-INTERFACE' is configured to trigger on syslog message 'OSPF-5-ADJCHG' and execute three actions in order: show ip route, show ip ospf neighbor, and send a syslog message.
B.The applet 'TRACK-INTERFACE' is currently executing and has run the first two actions.
C.The applet 'TRACK-INTERFACE' has a syntax error because the actions are not numbered correctly.
D.The applet 'TRACK-INTERFACE' will only execute the first action because the others are commented out.
AnswerA

Correct. The output shows the event and three actions with step numbers indicating order.

Why this answer

The output shows the configuration of a specific EEM applet. It displays the event trigger and the actions in order. Each action has a step number (e.g., 1.0) that determines the order of execution.

This is useful for verifying the applet configuration.

70
MCQhard

A network engineer is troubleshooting a router that is not generating any EEM applet actions even though the applets are configured and enabled. The engineer checks the 'show event manager status' command and sees that the EEM server is running. The engineer also checks the syslog and sees that the trigger events are occurring. What is the most likely cause?

A.The EEM applets are not registered due to a syntax error in the configuration.
B.The EEM server is not listening for syslog events.
C.The router's logging level is set to emergencies only.
D.The EEM applets are configured with 'event none' and need manual triggering.
AnswerA

Correct because a syntax error prevents the applet from being registered, even if the EEM server is running.

Why this answer

Even if the EEM server is running, the applets may not be registered if they have syntax errors or if the 'event manager applet' command is missing. The engineer should use 'show event manager policy available' or 'show event manager policy registered' to verify if the applets are registered.

71
MCQmedium

A network engineer runs the following command on Router R1: R1# show event manager policy registered No. Type Time Created Name 1 applet 00:01:23 UTC Mar 1 2025 BGP_Session_Reset R1# show event manager history events Event History: No. Time Type Name 1 00:02:00 UTC Mar 1 syslog BGP_Session_Reset 2 00:02:05 UTC Mar 1 syslog BGP_Session_Reset 3 00:02:10 UTC Mar 1 syslog BGP_Session_Reset Based on this output, which statement is correct?

A.The BGP session reset event has occurred three times.
B.The EEM policy is not triggering any events.
C.The BGP session is stable.
D.The EEM policy is disabled.
AnswerA

The event history shows three entries for BGP_Session_Reset, each at different times.

Why this answer

The output shows one registered EEM applet policy named BGP_Session_Reset, and three triggered syslog events for that policy. The correct answer is that the BGP session reset event has occurred multiple times, indicating a persistent issue.

72
Multi-Selecthard

Which TWO configuration steps are required to enable an Embedded Event Manager (EEM) applet that sends an SNMP trap when a specific OID is polled? (Choose TWO.)

Select 2 answers
A.Configure 'event snmp oid 1.3.6.1.4.1.9.9.117.1.1.2.1.1 get-type exact' within the applet.
B.Ensure the 'snmp-server enable traps' command is configured globally.
C.Configure 'event syslog pattern "SNMP"' to capture the SNMP poll.
D.Configure an SNMP community string with read-write access inside the applet using 'action snmp-community'.
E.Configure 'event cli command "snmpwalk" sync yes' to trigger on SNMP walks.
AnswersA, B

This defines the SNMP event trigger, specifying the OID to monitor and the type of access (exact match) that will fire the applet.

Why this answer

To trigger an EEM applet on an SNMP OID poll, you must configure the 'event snmp oid' command and ensure SNMP is enabled globally. The other options are either unnecessary (like configuring a community for the applet itself) or incorrect (like using 'event syslog' or 'event cli').

73
Multi-Selecthard

An engineer wants to use EEM to automatically back up the running configuration to a TFTP server whenever a 'write memory' command is executed. Which TWO configuration steps are required? (Choose TWO.)

Select 2 answers
A.Configure 'event cli pattern "write memory" sync no' under the applet.
B.Use 'action cli command "copy running-config tftp://10.1.1.1/backup-config"' to perform the backup.
C.Define the applet using the 'event manager policy' command instead of 'event manager applet'.
D.Add an 'event syslog pattern "WRITE"' to detect the write memory operation.
E.Include an 'action cli command "enable"' before the copy command to ensure privileged access.
AnswersA, B

Correct. This event triggers on the 'write memory' command without synchronizing, allowing the backup to proceed asynchronously.

Why this answer

The 'event cli' with 'sync no' is needed to avoid blocking the CLI. The 'action cli command' must use the 'copy running-config tftp:' command. The 'event manager applet' is correct, not 'event manager policy'.

The 'event syslog' with pattern 'WRITE' is not precise enough. The 'action cli command' should not use 'enable' as a separate action because the applet runs in the same privilege level as the triggering user.

74
MCQeasy

Which of the following EEM event types can be used to trigger an applet based on a specific IOS command being entered?

A.event syslog
B.event snmp
C.event cli
D.event timer
AnswerC

Correct. 'event cli' is used to trigger on CLI commands.

Why this answer

EEM provides the 'event cli' event type to match on CLI commands. The syntax is 'event cli pattern <string>' where the pattern can be a regular expression to match the command. Other event types like 'event syslog' match syslog messages, not CLI commands.

75
MCQmedium

Consider the following EEM applet configuration: !--- event manager applet CHECK_OSPF event syslog pattern "OSPF-5-ADJCHG" action 1.0 cli command "enable" action 2.0 cli command "show ip ospf neighbor" action 3.0 mail server "smtp.example.com" to "admin@example.com" from "router@example.com" subject "OSPF Adjacency Change" body "An OSPF adjacency change has been detected." !--- What is the effect of this configuration?

A.The applet will send an email to the administrator whenever an OSPF adjacency change occurs.
B.The applet will only execute the CLI commands and will not send an email because the mail server is not configured globally.
C.The applet will fail because the 'event syslog pattern' must be configured with a regular expression.
D.The applet will send the email only after the CLI commands complete, but the output of those commands is not included in the email.
AnswerA

Correct. The applet triggers on the OSPF adjacency change syslog message and sends an email with the specified details.

Why this answer

The EEM applet triggers on a syslog message matching the pattern "OSPF-5-ADJCHG". When triggered, it sends an email notification to the administrator. The 'cli command' actions are executed but their output is not used; the email is sent regardless.

The applet does not require any additional configuration to send the email, provided the mail server is reachable.

Page 1 of 2 · 76 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Embedded Event Manager questions.