Event Monitor

The Event Monitor writes system event records to local files for access by SQLite database commands.

Note: The switch does not enable event-monitor by default. Use the event-monitor command to explicitly enable event-monitor.

Description

The event monitor receives notifications for important events or changes to the enabled event monitor tables. These changes are logged to a fixed-size circular buffer. The size of this buffer is configurable, but it does not grow dynamically. Buffer contents can be stored to permanent files to increase the event monitor's effective capacity. The permanent file size and the number of permanent files are configurable. The buffer is stored at a fixed location on the switch.

Specific event monitor queries are available through CLI commands. For queries not available through specific commands, manual queries are supported through other CLI commands. When the user issues a query command, the relevant events from the circular buffer and permanent files are written to and accessed from a temporary SQLite database file. The database keeps a separate table for each logging type (such as MAC, ARP, route, and others). When the monitor receives notification of a new event, the database file is deleted, then recreated.

Configuring the Event Monitor

Enabling the Event Monitor

The event-monitor command enables the Event Monitor and specifies the types of events the switch logs. The Event Monitor provides an event logging service that records system events to a local database. The Event Monitor records these events:
  • All changes to all events.
  • ARP changes to the ARP table (IPv4 address to MAC address mappings).
  • Neighbor changes to the neighbor table (IPv6 address to MAC address mappings).
  • Backed up log files.
  • Buffer changes to the local buffer settings.
  • IGMP snooping changes to the IGMP snooping table.
  • LACP changes to the LACP table events.
  • MAC changes to the MAC address table (MAC address to port mappings).
  • mRoute changes to the IP multicast routing table.
  • Neighbor changes to the neighbor routing table.
  • Route changes to the IPv4 routing table.
  • Route changes to the IPv6 routing table.
  • STP unstable events that cause STP instability.

The switch does not enable event-monitor by default. Use the event-monitor command to explicitly enable the Event Monitor. The no event-monitor all command disables the Event Monitor. The no event-monitor command, followed by a log type parameter, disables event recording for the specified type.

Example

  • This command disables the Event Monitor for all types of events.
    switch(config)# no event-monitor all

  • This command enables the Event Monitor for routing table changes.
    switch(config)# event-monitor route

The event-monitor clear command removes the contents of the Event Monitor buffer. If enabled, this command removes the contents from all Event Monitor backup files.

Example

This command clears the contents of the Event Monitor buffer.
switch# event-monitor clear
switch(config)#

Configuring the Buffer

The event-monitor buffer max-size command specifies the size of the Event Monitor buffer. The Event Monitor buffer is a fixed-size circular data structure that receives event records from the Event Monitor. When Event Monitor backup is enabled, the switch copies the buffered events to a backup file before each rollover. Buffer size ranges from 6 Kb to 50 Kb with a default size of 32 Kb.

Example

This command configures a buffer size of 48 Kb.
switch(config)# event-monitor buffer max-size 48
switch(config)#

Configuring Permanent Files

The event-monitor backup path command enables storage of the Event Monitor buffer to permanent switch files and specifies the path and name of these files. The command references file location either from the flash drive root directory where the CLI operates (/mnt/flash) or from the switch root directory (/).

The Event Monitor buffer is circular: after the buffer fills, new data replaces older data at the beginning of the buffer. After each buffer writing cycle, the switch copies the buffer into a new backup file before it starts rewriting the buffer.

Example

These commands configure the switch to store the Event Monitor buffer in sw-event.log, then display the new file in the flash directory.
switch(config)# event-monitor backup path eventmon_backup_dir/event.log
switch(config)#
bash-4.3# ls /mnt/flash/eventmon_backup_dir/
arpevent.log.1           lacpevent.log.1  neighborevent.log.1  routeevent.log.1
igmpsnoopingevent.log.1  macevent.log.1   route6event.log.1    stpunstableevent.log.1

The event-monitor backup max-size command specifies the quantity of Event Monitor backup files the switch maintains. The switch appends an extension number to the file name when it creates a new file. After every 500 events, the switch checks the number of backup files and deletes the oldest one if the file limit has been exceeded.

Example

These commands configure the switch to back up the event buffer to a series of files named sw-event.log. The switch can store a maximum of four files.
switch(config)# event-monitor backup path sw-event.log
switch(config)# event-monitor backup max-size 4
switch(config)#

The switch creates these first five files to store Event Monitor buffer contents:

sw-event.log.0

sw-event.log.1

sw-event.log.2

sw-event.log.3

sw-event.log.4

The switch deletes sw-event.log.0 the first time it verifies the number of existing backup files after the creation of sw-event.log.4.

Querying the Event Monitor

These CLI commands perform SQL-style queries on the Event Monitor database:

Example

This command displays all events triggered by MAC address table events.
switch# show event-monitor mac
% Writing 0 Arp, 0 Route, 1 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0

For other database queries, the show event-monitor sqlite command performs an SQL-style query on the database, using the statement specified in the command.

Example

This command displays all entries from the route table.
switch# show event-monitor sqlite select * from route;
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:01:21.659503|192.168.201.8/32|default|receiveBcast|0|0|updated|23
2019-09-30 14:01:21.659512|16.16.16.0/32|default|receiveBcast|0|0|updated|24
2019-09-30 14:01:21.659517|192.168.201.12/32|default|receiveBcast|0|0|updated|25
2019-09-30 14:01:21.659524|192.168.201.15/32|default|receiveBcast|0|0|updated|26
2019-09-30 14:01:21.659541|192.168.201.8/30|default|connected|1|0|updated|27
2019-09-30 14:01:21.659564|16.16.16.0/24|default|connected|1|0|updated|28
2019-09-30 14:01:21.659578|192.168.201.9/32|default|receive|0|0|updated|29
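
Added example (not part of the original page or of the vendor's code): Python that loads records copied from show event-monitor output into a local SQLite table, then summarizes them and checks the last field for skipped values, a completeness check worth running before treating the log as a full record. The column names, and the reading of the last field as a per-table event counter, are assumptions made for this example; the sample omits counters 25 and 26 on purpose.

```python
import sqlite3

# Column names are assumptions for this example; the page shows values only.
SCHEMA = ("CREATE TABLE route (ts TEXT, prefix TEXT, vrf TEXT, route_type TEXT, "
          "f5 INTEGER, f6 INTEGER, action TEXT, seq INTEGER)")

# Constructed sample: rows from the page's output with counters 25 and 26
# deliberately left out, plus a status line modelled on the MAC example.
SAMPLE = """\
% Writing 0 Arp, 8 Route, 0 Mac events to the database
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:01:21.659503|192.168.201.8/32|default|receiveBcast|0|0|updated|23
2019-09-30 14:01:21.659512|16.16.16.0/32|default|receiveBcast|0|0|updated|24
2019-09-30 14:01:21.659541|192.168.201.8/30|default|connected|1|0|updated|27
2019-09-30 14:01:21.659564|16.16.16.0/24|default|connected|1|0|updated|28
2019-09-30 14:01:21.659578|192.168.201.9/32|default|receive|0|0|updated|29
"""

def load_route_events(text):
    """Load pipe-delimited route records into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("%") or len(fields) != 8:
            continue  # CLI status line or incomplete record
        rows.append(fields)
    db.executemany("INSERT INTO route VALUES (?,?,?,?,?,?,?,?)", rows)
    return db

def counter_gaps(db):
    """Return (last_seen, next_seen) pairs where the event counter skips."""
    return db.execute(
        "SELECT a.seq, MIN(b.seq) FROM route a JOIN route b ON b.seq > a.seq "
        "GROUP BY a.seq HAVING MIN(b.seq) - a.seq > 1 ORDER BY a.seq").fetchall()

def events_by_type(db):
    """Count recorded events per route type."""
    return db.execute("SELECT route_type, COUNT(*) FROM route "
                      "GROUP BY route_type ORDER BY route_type").fetchall()

if __name__ == "__main__":
    db = load_route_events(SAMPLE)
    print(events_by_type(db))
    print(counter_gaps(db))
```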

Accessing Event Monitor Database Records

The event-monitor sync command combines the event monitor buffer with all backup logs and synchronizes them into a single SQLite file. The data can be accessed through SQLite or by using the show event-monitor commands.

Example

  • This command synchronizes the buffer and backup logs into a single SQLite file.
    switch(config)# event-monitor sync
    switch(config)#
