EEM Script in Cisco Routers

What is EEM?

EEM (Embedded Event manager) is a software component of Cisco IOS, XR, and NX-OS. EEM gives you high abilities to admin your Cisco device by tracking and monitoring events that take place on your Cisco device and then apply action you already decided early, EEM by giving you this ability, it allows you to automate many tasks.

EEM Types:

There are two EEM independent pieces (types): Applets and Scripting

-> Applets are a collection of CLI commands
-> Scripts are actions coded up in TCL (interpreter language)

Here we will find some examples for applets and let’s put in our minds that we can have Only one event per applet with single or  Multiple actions run in sequence.

EEM Event detectors:

EEM uses Event detectors to understand that event occurred, some of these detectors are:

SNMP:-Monitoring SNMP objects.

Syslog:-Responds to various syslog messages, allowing for matching on regular expressions.

Counter: Monitoring and responding to the interface counter when crossing threshold settings.

CLI events: Screening CLI input for a regular expression match.

Note: This event detector is used to test EEM script/applet using the “event manager run” command.

Timers:  (Countdown, watchdog and CRON)

IP SLA and Net flow events.

EEM Actions:

EEM can take many actions once the event happens, actions could be:

  • Sending an email messages
  • Executing or disabling a cisco command.
  • Generating SNMP traps
  • Reloading the router
  • Generating prioritized syslog messages
  • Switching to a secondary processor in a redundant platform
  • Requesting system information when an event occurs (like show tech-support, show process cpu history).

Common regular expressions:

During creating your EEM Applet you can use some regular expressions, the following are commonly used ones:

^ = Start of string
$ = End of string
. = Any single character
* = Zero or more instances
+ = One or more instance
? = Zero or one instance

How to write an EEM applet?

You write three pieces of information in your applet.

first, you will give (Applet Name) then you will decide what (Event Detector) will be used to detect specific events then finally what (Actions) you would like to automatically run once this event occurs.

What if I do not want actions run automatically?

You can write EEM applet so EEM applet so it will be manually triggered, this can be done using event none, as you will see later in examples

Example one:

Let’s create manually triggered applet, once we run it will turn router interface up and give it an IP address.

R1(config)#event manager applet set_ip
(these commands create EEM applet with name set_ip )

R1(config-applet)#event none sync yes

(event none mean this EEM applet is to be a manual trigger, sync yes mean run the commands synchronously which means run each command and wait to tell it to execute then run the nest one.)

Now we start typing our Actions which will be like this

1.0 is just number of actions and better to use gaps between numbers so maybe you return back to add another missing action, cli means we will use cli to type a command, this command will be typed on your behalf command “enable” is your command

R1(config-applet)#action 1 cli command “enable”
R1(config-applet)#action 2 cli command “configuration terminal”
R1(config-applet)#action 3 cli command “interface fa0/0”
R1(config-applet)#action 4 cli command “ip add”
R1(config-applet)#action 5 cli command “no shutdown”
R1(config-applet)#action 6 cli command “end”

Finally, once you want to run this EEM Applet, just type the following command :

R1#event manager run set_ip

You can run the R1#show event manager policy available, to see the EEMs in your router.

Example two:

Let’s create manually triggered EEM applet  which shows a syslog message once we run it

R1(config)#event manager applet cbtme
R1(config-applet)#event none
R1(config-applet)#action 1.0 syslog msg “cbtme welcome you”
R1#event manager run cbtme

*Mar  1 00:07:47.731: %HA_EM-6-LOG: cbtme: cbtme welcome you


Example three:

This EEM will save the configuration , show console message about going to reload the router and then reload the router

R1(config)#event manager applet reload
R1(config-applet)#event none sync yes
R1(config-applet)#action 1.0 cli command “enable”
R1(config-applet)#action 2.0 cli command “write memory”
R1(config-applet)#action 3.0 syslog msg “router about to reload”
R1(config-applet)#action 4.0 reload (note no “” since its available as command if you type action 4.0 ?)
R1#event manager run reload

Example four:

Let’s create automatically running EEM applet which once fas0/0 goes down will make router return it back and then send email to admin

R1(config-applet)#event syslog pattern “Interface FastEthernet0/0, changed state to administratively down”
R1(config-applet)#action 1.0 cli command “enable”
R1(config-applet)#action 1.5 cli command “config t”
R1(config-applet)#action 2.0 cli command “int fas 0/0”
R1(config-applet)#action 2.5 cli command “no sh”
R1(config-applet)#action 3.0 cli command “end”
R1(config-applet)#action 3.5 cli command “who”
R1(config-applet)#action 4.0 mail server “” to “” from ”” subject “test” body “current users $_cli_result”

Example five:

Let’s say we asked to prevent router users from ping IP address and also show msg saying this command is bypassed try again later

event manager applet noping
event cli pattern “ping” sync no skip yes
action 1.0 syslog msg “command is bypassed try again later”

Here EEM Instead of looking for a pattern in syslog, this time we’re waiting for a pattern entered onto the CLI. EEM will monitor your Router CLI prompt looking for pattern match this pattern is (ping then will skip it and show you msg you typed before as reason.


*Mar  1 00:17:04.739: %HA_EM-6-LOG: noping: command is bypassed try again later


Note: sync no used to stop running command synchronously and gave us time to use skip command which prevents ping

Example six:

This example is a little bit evil, we will disable Config t command

event manager applet noconfig
event cli pattern “configure terminal” sync no skip yes
action 2.0 cli command “enable”

Note: do not save this one it will prevent you from using config t

Example seven:

Let’s say we have a router with the following interfaces

int fas 0/0
int fas 0/1

Configure it so when fa0/0 goes down, fas0/1 must also go down and when it comes back, fa0/1 come back up.

R1(config)#track 1 interface FastEthernet 0/0 line-protocol

The above line is not related to EEM commands, it just a track command.

event manager applet f00-down
event track 1 state down
action 6.0 cli command “enable”
action 6.1 cli command “config t”
action 6.2 cli command “int fas 0/1”
action 6.3 cli command “sh”
action 6.4 cli command “end”


event manager applet f00-up
event track 1 state up
action 6.0 cli command “enable”
action 6.1 cli command “config t”
action 6.2 cli command “int fas 0/1”
action 6.3 cli command “no sh”
action 6.4 cli command “end”


Example eight:

Remember in Example four we made one of our actions is sending an email. We can set email id and server as variables:

router1(config)# event manager environment email_to
router1(config)# event manager environment email_from
router1(config)# event manager environment email_server

Then in action, we type:

router1(config-applet)# action 2 mail server “$email_server” to “$email_to” from “$email_from” subject “SLA 1 state changed to DOWN” body “Check to see if Web server is functional.”

Example nine:

Let’s say when loop0 interface goes down, force the router to bring it up and send syslog msg about that

event manager applet WatchLo0
event syslog pattern “Interface Loopback0.* down” period 1
action 2.0 cli command “enable”
action 2.1 cli command “config t”
action 2.2 cli command “interface lo0”
action 2.3 cli command “no shutdown”
action 3.0 syslog msg “Interface Loopback0 was brought up via EEM”

Example ten:

Disable reload command with msg shown to the user that this command has been disabled.

R2(config)#event manager applet DisableReload
R2(config-applet)# event cli pattern “reload” sync no skip yes occurs 1
R2(config-applet)# action 1.0 syslog msg “$_cli_msg has been disabled.”

*Mar  1 01:20:45.643: %HA_EM-6-LOG: DisableReload: reload has been disabled.

Example eleven:

Supposed you need to back up your router configuration at a specific time every day, you can do this automatically using EEM.

If you are good with Linux you understand Cron command.

event manager environment filename 2900-1-confg
event manager environment tftploc tftp://
event manager applet backupcfg
event timer cron name job1 cron-entry “34 2 * * 0-6″
action 1.0 cli command “enable”
action 2.0 cli command “conf t”
action 3.0 cli command “file prompt quiet”
action 4.0 cli command “end”
action 5.0 cli command “copy start $tftploc$filename”
action 6.0 cli command “conf t”
action 7.0 cli command “no file prompt quiet”

The file prompt quiet command is to suppress the questions asked by IOS.

Example twelve:

Suppose you want to capture “Show process cpu” or “Show tech-support” when your CPU crossed a predefined value.

event manager session cli username “privilege 15 aaa username” (This is only required in AAA environment.)
event manager applet watch_cpu
event snmp oid get-type exact entry-op gt entry-val 90 exit-op lt exit-val 40 poll-interval 5
action 1.01 syslog msg “——HIGH CPU DETECTED—-, CPU:$_snmp_oid_val %”
action 1.02 cli command “enable”
action 1.03 cli command “show clock | append disk0:high_cpu.txt”
action 1.04 cli command “show proc cpu sorted | append disk0:high_cpu.txt”
action 1.05 cli command “show logging | append disk0:cpu_stats.txt”
action 1.06 cli command “debug netdr cap rx”
action 1.07 cli command “show debugging | append disk0:high_cpu.txt”
action 1.08 cli command “show netdr cap | append disk0:high_cpu.txt”
action 1.09 cli command “undebug all”
action 1.10 cli command “show debugging | append disk0:high_cpu.txt”

Example thirteen:

Suppose you want to make a GRE interface passive in case of EIGRP Neighborship flap.

event manager applet Neighbor_Down
event syslog pattern “%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor \(Tunnel1\) is down:”
action 1.0 cli command “en”
action 1.1 cli command “conf t”
action 1.2 cli command “router eigrp 100”
action 1.3 cli command “passive-interface Tunnel1”

N.B- we are using a backslash before the brace as without this EEM will not hit as it will consider brace as an unsupported special character.

This is all about EEM but I wish you remember the following:

Event cli pattern: Defines the event criteria to initialize the EEM applet.

Sync: Specifies if the policy should be executed synchronously before the CLI commands execute

Skip: Indicates if the CLI commands should be executed

Occurs: Indicates the number of occurrences before the EEM applet trigger.

Architect/Consultant in IT/Telecom/Networking Support Industry with over 13+ years of Experience. Mainly working with Cisco Products other than Cisco worked with VMware NSX/Juniper/Riverbed/Meraki & Citrix Products, and worked with various clients like PSU Banks, Petroleum Corporations, different government sector clients, BPO Sector, Telecom NOC and ISP. Global Certifications: VMware vSphere Foundation 6 CCNA Routing & Switching CCNP Routing & Switching ITIL V3 Foundation RTSA-W RTSS-W RSA RTSA-NPM RTSS-NPM Aspiring Certifications: VCP-NV

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.