Whilst studying EEM I discovered the command show event manager policy registered it basically shows you the policies you have registered on your device.
When you create a policy it just needs and event and an action and it will self register.
Lets create a simple script that will look for a command being typed onto the CLI and then action on it.
This policy will monitor for anyone typing router ospf, and then if they do, will not action the command and then put up a syslog message saying No OPSF here!
R1(config)#event manager applet OSPF
R1(config-applet)#event cli pattern "router os*" sync no skip yes
R1(config-applet)#action 1.0 syslog msg "OSPF is not allowed"
R1(config-applet)#exit
R1(config)#exit
R1#show event manager policy registered
*Mar 1 00:02:35.903: %SYS-5-CONFIG_I: Configured from console by console
R1#show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 applet user cli Off Fri Mar 1 00:02:34 2002 OSPF
pattern {router os*} sync no skip yes
maxrun 20.000
action 1.0 syslog msg "OSPF is not allowed"
Let’s break this down line by line
1. First you have to define an applet – event manager applet OSPF
2. Next you define an event, in this case we are matching a cli pattern of router os* so basiclaly anything starting router os
The next two command are very important from the cli options
no Policy and CLI will run asynchronously
yes Run policy and the result determines whether to run CLI
Basically if you put no the command will not run, if you put yes the command will run
3. When the cli pattern is matched a syslog message will be generated
To check what EEM scripts you have registered on your device you enter the command
show event manager policy registered
the output can be seen above
