Event Monitor
The event monitor writes system event records to local files for access by SQLite database commands.
Description
The event monitor receives notifications for important events or changes to the enabled event monitor tables. These changes are logged to a fixed-size circular buffer. The size of this buffer is configurable, but it does not grow dynamically. Buffer contents can be stored to permanent files to increase the event monitor effective capacity. The permanent file size and the number of permanent files is configurable. The buffer is stored at a fixed location on the switch.
Specific event monitor queries are available through CLI commands. For queries not available through specific commands, manual queries are supported through other CLI commands. When the user issues a query command, the relevant events from the circular buffer and permanent files are written to and accessed from a temporary SQLite database file. The database keeps a separate table for each logging type (such as MAC, ARP, route, and others). When the monitor receives notification of a new event, the database file is deleted, then recreated.
Configuring the Event Monitor
Enabling the Event Monitor
The event-monitor command enables event recording for a specified log type. Log type parameters:
- all: changes to all events.
- ARP: changes to the ARP table (IPv4 address to MAC address mappings).
- Neighbor: changes to the neighbor table (IPv6 address to MAC address mappings).
- backup: backed up log files.
- buffer: changes to the local buffer settings.
- IGMP snooping: changes to the IGMP snooping table.
- LACP: LACP table events.
- MAC: changes to the MAC address table (MAC address to port mappings).
- mroute: changes to the IP multicast routing table.
- neighbor: changes to the neighbor routing table.
- route: changes to the IPv4 routing table.
- route6: changes to the IPv6 routing table.
- stpunstable: events that cause STP instability.
Beginning with Release eos-4.20.5F, the event monitor is not enabled by default. Use the event-monitor command to explicitly enable it. The no event-monitor all command disables the event monitor entirely. The no event-monitor command, followed by a log type parameter, disables event recording for the specified type only.
Example
- This command disables the event monitor for all types of events.
switch(config)# no event-monitor all
- This command enables the event monitor for routing table changes.
switch(config)# event-monitor route
The event-monitor clear command removes the contents of the event monitor buffer. If event monitor backup is enabled, this command removes the contents from all event monitor backup files.
Example
switch# event-monitor clear
switch(config)#
Configuring the Buffer
The event-monitor buffer max-size command specifies the size of the event monitor buffer. The event monitor buffer is a fixed-size circular data structure that receives event records from the event monitor. When event monitor backup is enabled, the buffer is copied to a backup file before each rollover. Buffer size ranges from 6 Kb to 50 Kb. The default size is 32 Kb.
Example
switch(config)# event-monitor buffer max-size 48
switch(config)#
Configuring Permanent Files
The event-monitor backup path command enables storage of the event monitor buffer to permanent switch files and specifies the path/name of these files. The path is interpreted relative either to the flash drive root directory where the CLI operates (/mnt/flash) or to the switch root directory (/).
The event monitor buffer is circular: after the buffer is filled, new data replaces older data at the beginning of the buffer. The buffer is copied into a new backup file after each buffer writing cycle, before the switch starts re-writing the buffer.
Example
switch(config)# event-monitor backup path eventmon_backup_dir/event.log
switch(config)#
bash-4.3# ls /mnt/flash/eventmon_backup_dir/
arpevent.log.1 lacpevent.log.1 neighborevent.log.1 routeevent.log.1
igmpsnoopingevent.log.1 macevent.log.1 route6event.log.1
stpunstableevent.log.1
The event-monitor backup max-size command specifies the quantity of event monitor backup files the switch maintains. The switch appends an extension number to the file name when it creates a new file. After every 500 events, the switch deletes the oldest backup file if the file limit is exceeded.
Example
switch(config)# event-monitor backup path sw-event.log
switch(config)# event-monitor backup max-size 4
switch(config)#
The first five files that the switch creates to store event monitor buffer contents are:
sw-event.log.0
sw-event.log.1
sw-event.log.2
sw-event.log.3
sw-event.log.4
The switch deletes sw-event.log.0 the first time it verifies the number of existing backup files after the creation of sw-event.log.4.
Querying the Event Monitor
- The show event-monitor arp command displays ARP table events.
- The show event-monitor mac command displays MAC address table events.
- The show event-monitor route command displays routing table events.
Example
switch# show event-monitor mac
% Writing 0 Arp, 0 Route, 1 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0
For other database queries, the show event-monitor sqlite command performs an SQL-style query on the database, using the statement specified in the command.
Example
switch# show event-monitor sqlite select * from route;
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:01:21.659503|192.168.201.8/32|default|receiveBcast|0|0|updated|23
2019-09-30 14:01:21.659512|16.16.16.0/32|default|receiveBcast|0|0|updated|24
2019-09-30 14:01:21.659517|192.168.201.12/32|default|receiveBcast|0|0|updated|25
2019-09-30 14:01:21.659524|192.168.201.15/32|default|receiveBcast|0|0|updated|26
2019-09-30 14:01:21.659541|192.168.201.8/30|default|connected|1|0|updated|27
2019-09-30 14:01:21.659564|16.16.16.0/24|default|connected|1|0|updated|28
2019-09-30 14:01:21.659578|192.168.201.9/32|default|receive|0|0|updated|29
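The pipe-delimited rows returned by show event-monitor sqlite (and by the specific show event-monitor commands) are easy to post-process off-box. The following Python script is an added example and is not part of the Arista documentation or of EOS: it parses captured route and MAC query output into records, counts actions per VRF or VLAN, and flags prefixes that change repeatedly within a short window and MAC addresses that appear on more than one interface in the same VLAN. The column names are assumptions inferred from the field positions visible on this page (EOS prints no header in this output), and every sample row beyond those shown on the page is constructed for the example.

```python
"""Post-process pipe-delimited output from `show event-monitor sqlite ...`.

Added example for this page; not Arista's code. The column names below are
assumptions inferred from the field positions in the page's sample output.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed column names (EOS prints no header). Fields 5 and 6 of the route
# table are kept as opaque strings because the page does not name them.
ROUTE_COLUMNS = ("time", "prefix", "vrf", "route_type", "field5", "field6", "action", "seq")
MAC_COLUMNS = ("time", "vlan", "mac", "interface", "entry_type", "action", "seq")

# Constructed sample: the first three route rows and the first MAC row are
# copied from the page; the status line and the remaining rows are made up.
ROUTE_OUTPUT = """\
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:05:02.000100|10.0.0.0/8|default|static|1|0|added|30
2019-09-30 14:05:03.000200|10.0.0.0/8|default|static|1|0|removed|31
2019-09-30 14:05:04.000300|10.0.0.0/8|default|static|1|0|added|32
2019-09-30 14:06:00.000000|172.16.0.0/16|mgmt|static|1|0|added|33
"""

MAC_OUTPUT = """\
% Writing 0 Arp, 0 Route, 2 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0
2012-01-19 13:58:10|1|0808.0808.0808|Ethernet2|learnedDynamicMac|added|1
"""


def parse_timestamp(text):
    """Route rows on the page carry microseconds; the MAC row does not."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_records(text, columns):
    """Turn captured query output into a list of dicts keyed by `columns`."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("%"):  # blank, or the "% Writing ..." status line
            continue
        fields = line.split("|")
        if len(fields) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
        record = dict(zip(columns, fields))
        record["time"] = parse_timestamp(record["time"])
        record["seq"] = int(record["seq"])
        records.append(record)
    return records


def count_actions(records, group_by):
    """Count actions (added/updated/removed) per group, e.g. per VRF or per VLAN."""
    counts = defaultdict(Counter)
    for record in records:
        counts[record[group_by]][record["action"]] += 1
    return {group: dict(counter) for group, counter in counts.items()}


def find_churn(records, key, min_events=3, window=timedelta(seconds=10)):
    """Return values of `key` (prefix, mac, ...) that have at least `min_events`
    events inside some span no longer than `window`: repeated add/remove of the
    same route or MAC is the pattern worth reviewing."""
    times_by_value = defaultdict(list)
    for record in sorted(records, key=lambda r: r["time"]):
        times_by_value[record[key]].append(record["time"])
    churned = []
    for value, times in times_by_value.items():
        for start in range(len(times) - min_events + 1):
            if times[start + min_events - 1] - times[start] <= window:
                churned.append(value)
                break
    return sorted(churned)


def find_mac_moves(records):
    """Return (vlan, mac, interfaces) for MACs seen on more than one interface
    in the same VLAN, the signature of a MAC move or a duplicated address."""
    interfaces = defaultdict(set)
    for record in records:
        interfaces[(record["vlan"], record["mac"])].add(record["interface"])
    return [(vlan, mac, sorted(ports))
            for (vlan, mac), ports in sorted(interfaces.items()) if len(ports) > 1]


if __name__ == "__main__":
    routes = parse_records(ROUTE_OUTPUT, ROUTE_COLUMNS)
    macs = parse_records(MAC_OUTPUT, MAC_COLUMNS)
    print("route actions per VRF:", count_actions(routes, "vrf"))
    print("churning prefixes:", find_churn(routes, "prefix"))
    print("MAC moves:", find_mac_moves(macs))
```

The parser is deliberately strict about field counts so that a row from a different table (or a wrapped line, as can happen when output is copied from a terminal) fails loudly instead of being silently misread; rows are ordered by timestamp before the churn check because the sequence column only orders events within one query.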
Accessing Event Monitor Database Records
The event-monitor sync command combines the event monitor buffer and all backup logs and synchronizes them into a single SQLite file. The data can be accessed through SQLite or by using the show event-monitor commands described above.
Example
- This command synchronizes the buffer and backup logs into a single SQLite file.
switch(config)# event-monitor sync
switch(config)#