Cisco IOS EEM: Send Email on VPN Connection

I set up a Cisco router to send an email whenever a VPN user connected.  I did this for accounting purposes before I moved to RADIUS.  I’ll put this up here because someone else may be interested in this for their own use.

Step 1:  Environment Variable Setup

I like to configure variables to use throughout my EEM applets so I don’t get crazy with having to remember everything.  These setup a few such as a mail server, from email, to email.

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local

Step 2: Create Event Manager Applet

Creating the applet is quite simple.

router(config)#event manager applet audit-vpn-login-ok

This creates the applet and puts you into its config mode to allow you to configure additional information.

Step 3: Identify what to look for

I simply look for a syslog pattern that corresponds to a Virtual-Access adapter being created (which indicates in my setup that a VPN has been established successfully).

router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"

After I tell it what to look for, I give it some actions.

Step 4: Configure Actions

For information purposes, I run a “show crypto ipsec sa | include local crypto” which stores the output of that command to a $_cli_results variable. This is helpful for telling me which IP address created the VPN. I could further this by looking for a username segment, but in this simple example, I’m sticking to just what IP established the VPN.

router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"

Now I send the Email using the variables defined above and also include the $_cli_result (output of the command above stored as a variable) in the body.

router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:n$_cli_result"

Finally, I send a syslog message notifying a VPN connection established as well.

router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"

Full Code

router(config)#event manager environment _email_server 192.168.1.10
router(config)#event manager environment _email_from alerts@domain.local
router(config)#event manager environment _email_to admin@domain.local
router(config)#event manager applet audit-vpn-login-ok
router(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up"
router(config-applet)#action 1.0 cli command "enable"
router(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto"
router(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User Connected" body "Connection:n$_cli_result"
router(config-applet)#action 2.5 syslog priority notifications msg "VPN UP - Mail Sent"

Published by

Rich

Just another IT guy.

Leave a Reply

Your email address will not be published. Required fields are marked *