EEM Applet Not Triggering on Expected Syslog Event
Presenting Symptom
An EEM applet configured to trigger on a specific syslog message does not execute when the expected event occurs.
Network Context
The network is a small branch office with a single Cisco ISR 4331 router running IOS XE 16.9. The router is configured with an EEM applet intended to send an SNMP trap when an interface goes down. The applet is set to trigger on the syslog pattern 'INTERFACE_DOWN'. The interface flapping is observed, but no trap is sent.
Diagnostic Steps
Check EEM applet configuration
show running-config | section event manager appletevent manager applet INTERFACE_DOWN_TRAP event syslog pattern "INTERFACE_DOWN" action 1.0 snmp-trap intf1
Verify the applet is configured with the correct event trigger and action. Look for any typos in the syslog pattern or missing action commands.
Verify EEM applet is registered
show event manager policy registeredNo. Type Time Created Name 1 applet 00:00:05 INTERFACE_DOWN_TRAP
Ensure the applet appears in the registered list. If not, the applet may have failed to register due to syntax errors.
Check syslog generation for the event
show logging | include INTERFACE_DOWN*Mar 1 00:01:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down *Mar 1 00:01:23.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
Confirm that the syslog message containing 'INTERFACE_DOWN' is actually generated. If not, the event never occurs.
Enable EEM debugging to see if applet triggers
debug event manager action cliEEM: Action cli: executing... EEM: Action cli: completed
If no debug output appears when the interface goes down, the applet is not triggering. This indicates the event pattern does not match the syslog message.
Root Cause
The EEM applet's event syslog pattern does not match the actual syslog message. The pattern 'INTERFACE_DOWN' is not present in the syslog message; the actual message contains 'UPDOWN' and 'changed state to down'. The pattern must match a substring of the syslog message exactly.
Resolution
Verification
After applying the fix, trigger the interface down event again and verify: ``` show event manager policy registered show logging | include UPDOWN ``` Expected output shows the applet registered and the syslog message present. Also check that the SNMP trap is sent (e.g., via debug snmp packets or trap receiver logs).
Prevention
1. Always test EEM applets in a lab environment before deploying to production. 2. Use the exact syslog message format from 'show logging' to define the pattern. 3. Enable EEM debugging during initial testing to confirm trigger matching.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting multiple-choice question where you must identify why an EEM applet is not triggering. The exam tests understanding of EEM event triggers, syslog message formats, and the 'event syslog pattern' command. Key fact: The pattern must match a substring of the syslog message exactly.
Exam Tips
Remember that EEM applet patterns are case-sensitive and must match a substring of the syslog message.
Common mistake: Using the syslog mnemonic (e.g., UPDOWN) instead of the full message text; both can work but ensure the pattern appears in the message.
Know the 'debug event manager action cli' command to verify applet execution.
Commands Used in This Scenario
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions