Event Monitor

The event monitor writes system event records to local files for access by SQLite database commands.

Note: Beginning with release EOS-4.20.5F, event-monitor is not enabled by default. Use the event-monitor command to explicitly enable event-monitor.

Description

The event monitor receives notifications for important events or changes to the enabled event monitor tables. These changes are logged to a fixed-size circular buffer. The size of this buffer is configurable, but it does not grow dynamically. Buffer contents can be stored to permanent files to increase the event monitor effective capacity. The permanent file size and the number of permanent files is configurable. The buffer is stored at a fixed location on the switch.

Specific event monitor queries are available through CLI commands. For queries not available through specific commands, manual queries are supported through other CLI commands. When the user issues a query command, the relevant events from the circular buffer and permanent files are written to and accessed from a temporary SQLite database file. The database keeps a separate table for each logging type (such as MAC, ARP, route, and others). When the monitor receives notification of a new event, the database file is deleted, then recreated.

Configuring the Event Monitor

Enabling the Event Monitor

The event-monitor command enables the event monitor and specifies the types of events that are logged. The event monitor is an event logging service that records system events to a local database. The event monitor records these events:
  • all changes to all events.
  • ARP changes to the ARP table (IPv4 address to MAC address mappings).
  • Neighbor changes to the neighbor table (IPv6 address to MAC address mappings).
  • backup backed up log files.
  • buffer changes to the local buffer settings.
  • IGMP snooping changes to the IGMP snooping table.
  • LACP changes to the LACP table events.
  • MAC changes to the MAC address table (MAC address to port mappings).
  • mroute changes to the IP multicast routing table.
  • neighbor changes to the neighbor routing table.
  • route changes to the IPv4 routing table.
  • route6 changes to the IPv6 routing table.
  • stpunstable events that cause STP instability.

Beginning with Release EOS-4.20.5F, event-monitor is not enabled by default. Use the event-monitor command to explicitly enable event-monitor. The no event-monitor all disables the event monitor. The no event-monitor command, followed by a log type parameter, disables event recording for the specified type.

Example

  • This command disables the event monitor for all types of events.
    switch(config)# no event-monitor all

  • This command enables the event monitor for routing table changes.
    switch(config)# event-monitor route

The event-monitor clear command removes the contents of the event monitor buffer. If event monitor backup is enabled, this command removes the contents from all event monitor backup files.

Example

This command clears the contents of the event monitor buffer.
switch# event-monitor clear
switch(config)#

Configuring the Buffer

The event-monitor buffer max-size command specifies the size of the event monitor buffer. The event monitor buffer is a fixed-size circular data structure that receives event records from the event monitor. When event monitor backup is enabled, the buffer is copied to a backup file before each rollover. Buffer size ranges from 6 Kb to 50 Kb. The default size is 32 Kb.

Example

This command configures a buffer size of 48 Kb.
switch(config)# event-monitor buffer max-size 48
switch(config)#

Configuring Permanent Files

The event-monitor backup path command enables storage of the event monitor buffer to permanent switch files and specifies the path/name of these files. The command references file location either from the flash drive root directory where the CLI operates (/mnt/flash) or from the switch root directory (/).

The event monitor buffer is circular after the buffer is filled, new data replaces older data at the beginning of the buffer. The buffer is copied into a new backup file after each buffer writing cycle before the switch starts re-writing the buffer.

Example

These commands configure the switch to store the event monitor buffer in sw-event.log, then display the new file in the flash directory.
switch(config)# event-monitor backup path eventmon_backup_dir/event.log
switch(config)#
bash-4.3# ls /mnt/flash/eventmon_backup_dir/

arpevent.log.1  lacpevent.log.1  neighborevent.log.1  routeevent.log.1
igmpsnoopingevent.log.1  macevent.log.1   route6event.log.1    
stpunstableevent.log.1

The event-monitor backup max-size command specifies the quantity of event monitor backup files the switch maintains. The switch appends an extension number to the file name when it creates a new file. After every 500 events, the switch deletes the oldest backup file if the file limit is exceeded.

Example

These commands configure the switch to back up the event buffer to a series of files named sw-event.log. The switch can store a maximum of four files.
switch(config)# event-monitor backup path sw-event.log
switch(config)# event-monitor backup max-size 4
switch(config)#

The first five files that the switch creates to store event monitor buffer contents are:

sw-event.log.0

sw-event.log.1

sw-event.log.2

sw-event.log.3

sw-event.log.4

The switch deletes sw-event.log.0 the first time it verifies the number of existing backup files after the creation of sw-event.log.4.

Querying the Event Monitor

These CLI commands perform SQL-style queries on the event monitor database:

Example

This command displays all events triggered by MAC address table events.
switch# show event-monitor mac
% Writing 0 Arp, 0 Route, 1 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0

For other database queries, the show event-monitor sqlite command performs an SQL-style query on the database, using the statement specified in the command.

Example

This command displays all entries from the route table.
switch# show event-monitor sqlite select * from route;
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:01:21.659503|192.168.201.8/32|default|receiveBcast|0|0|updated|23
2019-09-30 14:01:21.659512|16.16.16.0/32|default|receiveBcast|0|0|updated|24
2019-09-30 
14:01:21.659517|192.168.201.12/32|default|receiveBcast|0|0|updated|25
2019-09-30 
14:01:21.659524|192.168.201.15/32|default|receiveBcast|0|0|updated|26
2019-09-30 14:01:21.659541|192.168.201.8/30|default|connected|1|0|updated|27
2019-09-30 14:01:21.659564|16.16.16.0/24|default|connected|1|0|updated|28
2019-09-30 14:01:21.659578|192.168.201.9/32|default|receive|0|0|updated|29

Accessing Event Monitor Database Records

The event-monitor sync command combines the event monitor buffer and all backup logs and synchronizes them into a single SQLite file. The data can be accessed through SQLite or by using the show event-monitor commands described above.

Example

  • This command synchronizes the buffer and backup logs into a single SQLite file.
    switch(config)# event-monitor sync
    switch(config)#