ASA Embedded Event Manager (EEM)

Share on:

As of ASA version 9.2(1), Cisco has introduced the EEM to the ASA feature set. For any of you familiar with IOS, this is the same functionality now available on the ASA.

Having the EEM functionality on the ASA is fantastic for automating pretty much anything, one such thing I needed to automate was to execute a show run when a user logs into the ASA and another show run when the user logs out. This is especially great on those devices that are under shared control and gives you as the engineer a log of a before and after, which can be great to compare exactly what was changed by a given engineer.

So for my immediate requirement I needed a way to identify when a user has logged in and when a user has logged out, thankfully the ASA has a syslog message ID for pretty much anything. After consulting the Cisco Syslog message documentation I found that the syslog messages that I needed were:

  • 605005 – Message is generated when a user logs in
  • 611103 – Message is generated when a user logs out

Now we have our two parameters let’s write out EEM Applet on the ASA CLI`.

1event manager applet configBackup
2event syslog id 605005
3event syslog id 611103
4action 1 cli command "show run"
5output file rotate 10

Looking at the code block above let’s break it down. The very first line declares the name of the applet, it is important to have a clear and meaningful name as it will be used in the naming of the log files. Lines 2 and 3 are our triggers, so execute this applet if someone logs in and when they log out. The fourth line is the command we want to execute when the triggers are matched, so in our case we want a show run but we could do anything here. The last line is where the magic happens, this is the line that takes the command output and puts into a file on the flash, we can also specify how many copies we want to keep and once that limit is reached, the ASA will overwrite the oldest file.

So in my lab, I have simulated logging in and out of my ASA, and the following two files are created:

1209    -rwx  9575         10:17:03 Mar 24 2015  eem-configBackup-0.log
2208    -rwx  9522         10:16:59 Mar 24 2015  eem-configBackup-1.log

So as you can see the log file is placed onto the flash with the prefix eem-NAME_OF_APPLET. To view these files you can execute more disk0:/eem-configBackup-0.log

When viewing the log file, the first two lines of the file actually specify why the file was created and the username who logged in or out. So you also have a sure way of knowing who it was.

Although most people may use external tools for config backups and changes, this is a novel way of achieving something very similar to other tools quickly and easily on the ASA. I hope this post was informative and shows you a small piece of the power of having the EEM available on the ASA is.