The Event Monitor on an Arista switch is a slick little tool that, according to the documentation, “writes system event records to local files for access by sqlite database commands.” While a technically accurate description, allow me to expand on that a bit.
Event monitor is a process that records certain common events on the switch. As of EOS version 4.9.3.2, the events recorded include changes to the MAC address table (what MAC is mapped to what port), changes to the IP routing table, and changes to the ARP table (MAC address to IP address mapping).
Generally, EOS releases are named in the A.B.C format. When I wrote this chapter, the latest revision was 4.9.3.2, which included an urgent patch serious enough to warrant a minor release. The revision was quickly replaced by 4.9.4, but the newer release did not effect any of the chapters where I used 4.9.3.2.
OK, I’ll admit that still sounds boring, but let’s dig into this tool and see what it does, and how it might be useful.
The home base for using Event Monitor from EOS is the show event-monitor
command. As of EOS v.4.9.3.2,
there are only four options:
Arista#sho event-monitor ?
arp Monitor ARP table events
mac Monitor MAC table events
route Monitor routing events
sqlite enter a sqlite statment
There are three tables that we can view, and one very cool option
named sqlite
. The sqlite
option lets us send sqlite commands from
EOS to the sqlite database, which, as we’ll see, is pretty darn
useful.
Sqlite is a software library that, according to the sqlite website, “implements a self-contained, serverless, zero-configuration, transactional SQL database engine.” In other words, it’s a very simple, scaled down version of SQL that also happens to be in the public domain. For more information on sqlite, see the project web page. Though you may have not heard of sqlite before, if you’ve ever used an Apple Mac running OS X, an iPhone, or an iPad, then you’ve used a product that incorporates sqlite. If you don’t like Apple products, then look no further than the Firefox browser, the Thunderbird email client, the Google Chrome browser, or the Android phone operating system for other examples of the widespread use of sqlite.
Actually, to be painfully accurate, there is only one database, and each of the type of events being recorded is in a table within that database. Let’s take a look at each one of these tables.
Normally, ARP changes are not logged on a switch. Even if they were,
scrolling through pages of log entries is not my idea of fun, so the
idea of storing these events in a database is a bit appealing to me.
It’s been a long time since I was a database guy, so let’s see how rusty
I am. The way to retrieve the ARP events from the database is with the show event-monitor arp
command.
Many of the code excerpts in this chapter are wrapped in unnatural looking ways to fit within the confines of the printed page. Since much of the output from these commands is actually Unix output piped through the EOS CLI, the format and width may look the way you might expect from a traditional switch operating system.
Arista#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|27
My main problem with this tool is that the output is, shall we say, ugly. Well, it’s ugly from my “all user interfaces should be elegant and beautiful” point of view. From my “it’s SQL, and that’s what SQL output looks like” point of view, it’s beautiful. I know, I’m a complicated person.
Don’t get me wrong, this is very useful information, but I have no idea what some of the values are. For example, I see some fields with zeros in them, and some with no values, and I have no idea what that last field in every line represents.
To help figure out what this stuff is, I’ll take advantage
of a nifty sqlite command that shows me the command used to create the
table. This command is called .schema
, and can be accessed by using the
sqlite
keyword. I’ll cover the usage
of the sqlite
keyword a bit later in
this chapter, but for now, bear with me and know that I’m sending the
sqlite command .schema arp
from EOS
with the following command:
Arista#sho event-monitor sqlite .schema arp
CREATE TABLE arp( time text, prefix text, intf text, ethAddr text,
static integer, delta text,counter integer UNIQUE );
This output tells me that there was a table created named arp that contains the following fields, listed in order. I’ve also added what they mean for any nonprogrammer types out there:
The time in which this log entry was added.
The IP address related to the ARP entry.
What interface the ARP event occurred on.
The MAC address tied to the IP address (prefix).
Value is 0 if ARP entry was dynamically learned, and 1 if statically assigned.
Typical entries are added and removed.
Every time an entry is made, it is assigned a counter value as a unique identifier for this record.
Let’s see this table in action. First, here is the list of existing ARP entries:
Arista(config)#sho arp
Address Age (min) Hardware Addr Interface
192.168.1.1 0 0014.6aa2.d438 Management1
192.168.1.200 0 0002.55b7.da9d Management1
Now I’ll add a static ARP entry to my switch by mapping the IP address 192.168.1.2 to the MAC address learned for 192.168.1.1:
Arista(config)#arp 192.168.1.2 0014.6aa2.d438 arpa
Let’s see what the Event Monitor database shows now that I’ve added the static ARP:
Arista(config)#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|
added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|
added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|
added|27
2012-05-25 16:05:37|192.168.1.2|Management1|00:14:6a:a2:d4:38|1|
added|108
% Writing 1 Arp, 0 Route, 1 Mac events to the database
Take a look at the line in bold, and let’s apply what we know. At 4:05 p.m. on May 25th, 2012, a static ARP was added that mapped the IP address 192.168.1.2 to the MAC address 00:14:6a:a2:d4:38. The ARP entry became active on interface Management1.
Now I’ll go in and delete the static ARP entry:
Arista(config)#no arp 192.168.1.2 0014.6aa2.d438 arpa
And here’s the output from the show
event-monitor arp
command after the change:
Arista(config)#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|27
2012-05-25 16:05:37|192.168.1.2|Management1|00:14:6a:a2:d4:38|1|added|108
2012-05-25 16:06:56|192.168.1.2|Management1|||removed|109
% Writing 1 Arp, 0 Route, 0 Mac events to the database
Reading the line in bold, we can see that at 4:06 p.m. on May 25th, 2012, the ARP entry for the IP address 192.168.1.2 was removed. The ARP entry was previously active on interface Management1.
Remember that ARP entries are only made on the switch when the switch communicates directly using IP, or if the ARP table is manually manipulated. If you have no IP addresses active on your switch, this table will be empty. For example, if you manage your switches solely though console servers, and don’t even use the Management interface, you may not need to have IP addresses active on your switch at all. In this case, there would be no ARP activity to record.
MAC changes are logged any time a MAC address is learned,
added, or deleted. This can happen a lot on a busy switch, but it might
not happen much at all on a smaller, stable network. This can be a
pretty useful tool, and I’ll show you how, so let’s start by taking a
look at the table the same way we did for the ARP table. First,
let’s look at the schema with the .schema mac
sqlite command:
Arista#sho event-monitor sqlite .schema mac
CREATE TABLE mac( time text, fid integer, ethAddr text, intf text,
type text, delta text, counter integer UNIQUE);
% Writing 0 Arp, 0 Route, 2 Mac events to the database
Here’s the breakdown of the fields:
The time in which this log entry was added.
FID stands for Filter ID. Switches keep an internal database of VLANs, and Arista switches assign internal VLANs to certain ports. This number will likely be unimportant to you, since the interface on which the MAC address was learned is also present.
The MAC address related to this event.
The interface on which this MAC event occurred.
How did the entry change? A typical value would be
learnedDynamicMac. When a MAC address is
removed from the table, this field is null. If you statically add
a MAC address with the mac address-table
static
command, this field will read
configuredStaticMac.
How did the entry change? Typical entries are added and removed.
Every time an entry is made, it is assigned a counter value as a unique identifier for this record.
So let’s look at an example of how I like to use this feature. Generic Bob comes up to you at 4:30 p.m. on a Friday and says, “Hey, the network sucks.”
“What is it this time, Bob?” you ask, trying really hard not to roll your eyes since you read that chapter in Network Warrior about how not to be that guy.
“My system doesn’t work, and it used to. Nothing changed, and I don’t feel like thinking, so it has to be the network.”
After a heavy sigh, you stop the important work you were doing and focus on Generic Bob’s dilemma. “Where are you connected, Bob?”
“How should I know? You’re the network guru, and it’s your crappy network, so you figure it out.”
Repressing the thoughts that are better left to mystery writers and psychopaths, you ask, “Well, do you know your IP address?”
“No, I think it’s dynamic or something. Will this take long?”
“Look Bob, I need either the IP address or the MAC address to find your system. Get me either of those, or even better, both, and I’ll see what I can find, OK?”
Generic Bob storms off to do his generic thing while you pull up your résumé. Just as you start to include all your Arista switch experience, Bob comes back and thrusts a piece of paper at your face. “Here’s your Mick address.”
You smile the false, hopeless smile of the damned, gently take the paper, and log in to your Arista switch. Generic Bob’s coffee-stained paper has 3c:07:54:43:88:d4 scribbled on it in what appears to be red crayon, or maybe lipstick.
With event-monitor
, you have a record of
every MAC event for quite some time. Using the match-mac
keyword, you pull up the event-monitor mac
table including only events
regarding the MAC address you care about:
Arista#sho event-monitor mac match-mac 3c:07:54:43:88:d4
2012-11-03 09:18:08|1006|3c:07:54:43:88:d4|Ethernet24|
learnedDynamicMac|added|549
2012-05-26 16:19:51|1|3c:07:54:43:88:d4|Ethernet6|learnedDynamicMac|
added|553
Looking at this data, you can see that Generic Bob’s MAC address was first learned on January 11th, 2012, and this switch saw it on interface e24. Since you know that e24 is an uplink to another switch, you know that Bob’s system was originally on another switch.
But the next line shows that the MAC address was learned today (hey, it was today when I wrote it), at 4:19 p.m. on the switch’s local interface, e6. That seems odd, so you look at the running-config for e6 on this switch:
Arista#sho run int e6
interface Ethernet6
description [ Unused ]
switchport access vlan 999
Since you’ve configured the switch with a dead VLAN (999) that you put on all unused ports, you’re sure that Generic Bob glommed a free interface on a different switch than the one to which he was assigned. With a couple of short commands, you’ve shown that Generic Bob was lying because someone had clearly moved his system from one switch to another, and that’s why it stopped working. You can’t blame the guy for thinking the new Arista switches would give him better performance, but plugging into network ports without prior authorization should not be tolerated.
I’ll leave it to your imagination as to how you might deal with Generic Bob now that you have the tools to prove him wrong. Just try not to be that guy…much. I’d probably just smile and tell him to put his system back into the network port where it belonged, and then make sure his access to the data center was revoked, but not until I was done adding Event Monitor to my resume.
This story is a complete fabrication. I’ve never met anyone named Bob who wrote a Mick address in red crayon. I did know someone who wrote her address in lipstick once, but that’s a story for another book. OK, that’s actually a fabrication too.
If you’ve got your switches configured for IP routing,
the show event-monitor
route
command can be a great tool to see historical
information regarding route changes. As with the others, let’s take a
look at the schema, and then work up an example to see it in
action:
Arista#sho event-monitor sqlite .schema route
CREATE TABLE route( time text, prefix text, protocol text, metric integer,
preference integer, delta text,counter integer UNIQUE );
Here’s the breakdown of the fields from the
route
table:
The time in which this log entry was added.
The IP prefix, including the Classless Internet Domain Routing (CIDR) mask related to the route entry.
I would imagine that this should read the protocol from which the prefix was learned or removed, but I’ve only ever seen this field read invalid when a route is added, or null when a route is removed.
Again, I would assume this field should contain the metric for the route, but I’ve never been able to make it say anything other than 0 when adding a route, and null when removing a route.
This field should include the administrative distance for the route, but in my testing, this field reports a 1 regardless of route type learned.
How did the entry change? Typical entries are added and removed.
Every time an entry is made, it is assigned a counter value as a unique identifier for this record.
I submitted my observation regarding the odd behaviors in this table to Arista TAC and received notification that this is a bug (ID #30146), which is scheduled to be resolved in the next major release of EOS. As of August 2012, Arista has not decided on whether that version will be called v4.11 or v5.0.
Let’s start with a simple example. Here, I’ll add a static route to the switch:
Arista(config)#ip route 20.20.20.0/24 192.168.1.1
Using the match-ip
ip-prefix
option, here’s what shows up in the
Event Monitor:
Arista(config)#sho event-monitor route match-ip 20.20.20.0/24
2012-05-27 00:54:40|20.20.20.0/24|invalid|0|1|added|1310
Now I’ll delete that route:
Arista(config)#no ip route 20.20.20.0/24 192.168.1.1
And an appropriate remove message shows up in the Event Monitor:
Arista(config)#sho event-monitor route match-ip 20.20.20.0/24
2012-05-27 00:54:40|20.20.20.0/24|invalid|0|1|added|1310
2012-05-27 00:56:29|20.20.20.0/24||||removed|1312
When the switch learns routes through other means, the results are pretty much the same, but since I went through the trouble to prove that to myself, I figure it’s only fair to share.
First, I’ll show what the routing table looks like:
Arista#sho ip route | begin Gateway
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 192.168.1.1
C 30.30.30.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Vlan901
Next, I’ll add a simple OSPF configuration:
Arista(config)#router ospf 100
Arista(config-router-ospf)#network 192.168.1.0/24 area 0
Arista(config-router-ospf)#redistribute connected
Make sure we have a working neighbor (I’m not showing the neighbor’s configuration because it’s not an Arista switch, and really, who wants to see that?):
Arista(config-router-ospf)#sho ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
70.91.46.85 1 FULL/DR 00:00:34 192.168.1.1 Vlan901
So now that OSPF is up and working, let’s see what routes we’ve learned from our neighbor:
Arista#sho ip route | begin Gateway
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 192.168.1.1
C 30.30.30.0/24 is directly connected, Loopback0
O E2 192.168.0.0/24 [110/10] via 192.168.1.1
C 192.168.1.0/24 is directly connected, Vlan901
O E2 192.168.2.0/24 [110/10] via 192.168.1.1
Now that we’ve got two OSPF routes learned, each of which has a
metric of 10, let’s take a look at Event Monitor. Before I do that, I’m
going to clear out the buffer using the event-monitor clear
command, because there’s too much output to wade through,
and I’m tired of filtering the output:
Arista(config)#event-monitor clear
Clearing buffer and forever logs
Since I cleared the buffer with the event-monitor clear
command, the counters at
the end of the lines have restarted. Notice also that the OSPF routes
shown previously show a metric of 10, but the route entries in the Event
Monitor show protocol values of invalid, and metric
values of 0:
Arista(config-router-ospf)#sho event-monitor route
2012-05-27 01:35:07|192.168.0.0/24|invalid|0|1|added|7
2012-05-27 01:35:07|192.168.2.0/24|invalid|0|1|added|8
% Writing 0 Arp, 4 Route, 4 Mac events to the database
Now let’s see what happens when I remove OSPF from the switch. First, I’ll remove the protocol from active duty:
Arista(config)#no router ospf 100
Then take a quick look to make sure all my OSPF routes are gone:
Arista(config)#sho ip route | beg Gateway
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 192.168.1.1
S 20.20.20.0/24 [155/0] via 192.168.1.1
C 30.30.30.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Vlan901
And finally, a look into the Event Monitor to see how it responded:
Arista(config)#sho event-monitor route
2012-05-27 01:35:07|192.168.0.0/24|invalid|0|1|added|7
2012-05-27 01:35:07|192.168.2.0/24|invalid|0|1|added|8
2012-05-27 01:39:02|192.168.0.0/24||||removed|11
2012-05-27 01:39:02|192.168.2.0/24||||removed|12
% Writing 0 Arp, 2 Route, 2 Mac events to the database
As you can see, it reacts pretty much the same way as when I added and removed static routes. Convinced that I could get the protocol field to show something other than invalid, I fired up a similar test using BGP. Again, I’m only showing the Arista side of things because this isn’t a lesson on routing, but rather a view into the workings of Event Monitor.
Again, this behavior is a result of bug ID #30146, which is scheduled to be resolved in EOS version 5.0.0. Though I would love to have waited for 5.0.0 to come out before finishing this book, I ran out of time, so I had no choice but to report how it works at the time of writing (mid-2012). Besides, updating this chapter goes right into my “reasons O’Reilly should approve the 2nd edition” file for later use.
Here’s my quick and dirty BGP config, just to show that the protocol, metric, and preferences never change:
Arista(config)#router bgp 100
Arista(config-router-bgp)#neighbor 192.168.1.1 remote-as 100
And here’s the newly learned BGP route sitting snug in the routing table:
Arista(config-router-bgp)#sho ip route | begin Gateway
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 192.168.1.1
S 20.20.20.0/24 [155/0] via 192.168.1.1
C 30.30.30.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Vlan901
B I 192.168.2.0/24 [200/0] via 192.168.1.1
And here’s the new route as seen in
event-monitor
:
Arista#sho event-monitor route
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
Now I’ll remove BGP from the switch:
Arista(config)#no router bgp 100
And show that the BGP route is gone:
Arista(config)#sho ip route | beg Gateway
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 192.168.1.1
S 20.20.20.0/24 [155/0] via 192.168.1.1
C 30.30.30.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Vlan901
And here’s the final output from event-monitor
:
Arista(config)#sho event-monitor route
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
2012-05-27 02:01:44|192.168.2.0/24||||removed|19
Event monitor uses sqlite, as I’ve already stated, but using the CLI commands really doesn’t allow the full use of sqlite if you’ve got SQL skills. Luckily, there are a few ways to get to the good stuff.
First, you can issue sqlite commands through the show event-monitor sqlite
sqlite-command
command as you’ve already seen.
Let’s get a list of all the databases, so we’ll need to list the
tables. The sqlite command, .tables
, does just that.
So, let’s add that to our command:
Arista#sho event-monitor sqlite .tables
arp mac route
That makes sense, since the only things we can use Event Monitor for (as of EOS 4.9.3.2) is ARP, MAC, and route changes. Being nosy, I decided that I wanted to know where the database was actually stored.
Here’s a great example of why I love Arista products. Instead of
bugging the guys at Arista for information about the default database
location, I dug in and tried to figure it out on my own. Because
everything is open and not some custom application, a little bit of online
research revealed tips and tricks for using sqlite. The sqlite command, .databases
, will show the location of the
database files in use. By using the sqlite
keyword and appending this command, I
easily found what I wanted:
Arista#sho event-monitor sqlite .databases
seq name file
--- --------------- ----------------------------------------------------------
0 main /tmp/eventMon.db
You can also get some helpful commands by issuing the
sho event-monitor sqlite .help
command in CLI.
You can do almost anything you’d like this way, though I’ve had
trouble trying to stack sqlite commands though the CLI with this method.
Thankfully, there’s a way around this. By issuing the event-monitor
interact
command from CLI, you’ll drop into sqlite’s own
command-line interface:
Arista#event-monitor interact
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>
From here, you can do anything you could do as if you ran the
sqlite
command from the bash prompt.
I’d suggest spending a bit of time learning simple sqlite commands before
you play with this, but remember these two key points: every command must
be terminated with a semicolon, and use .quit
or Control-D
to exit. Here’s the command to list all the entries in the route
table:
sqlite>select * from route;
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18 2012-05-27 02:01:44|192.168.2.0/24||||removed|19 sqlite>^D
Arista#
Of course, if you feel the need to access the program from
bash, you may do so with the sqlite3
command (on EOS v4.9.3.2). First I’ll drop into bash:
Arista#bash
Arista Networks EOS shell
[GAD@Arista ~]$
And from there, I’ll issue the sqlite3
command:
[GAD@Arista ~]$ sqlite3
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
And now I can issue my commands:
sqlite> select * from route;
Error: no such table: route
Whoops! When I dropped to bash, I lost the friendly CLI frontend to sqlite. From bash, I need to specify the database to use when starting sqlite (unless I’m going to create a new one from scratch). Remember back a bit when I showed where the database was? Now’s the time to use that information:
[GAD@Arista ~]$ sqlite3 /tmp/eventMon.db
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
Now we can select from our tables just like we did before:
sqlite> select * from route;
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
2012-05-27 02:01:44|192.168.2.0/24||||removed|19
And remember that Control-D or .quit
gets you out:
sqlite>.quit
[GAD@Arista ~]$
The database for Event Monitor is found in the
/tmp directory. This directory does not survive a
reboot, so all of the Event Monitor entries will be lost every time the
switch reboots. If you’d like to keep a (sort of) permanent log of these
events, then you’ll need to give Event Monitor a location to store its logs in the /mnt/flash
directory. This can be done with the event-monitor
backup path
file-path
command:
Arista(config)#event-monitor backup path em.log
Specifying a filename without a path will result in the file being placed in flash:
Arista(config)#dir
Directory of flash:/
-rwx 245827739 Apr 16 04:19 EOS-4.9.1.swi
-rwx 248665992 May 23 02:16 EOS-4.9.3.swi
-rwx 137 May 23 02:32 boot-config
drwx 4096 May 27 12:05 debug
-rwx 336964 May 27 12:08 em.log.0
drwx 4096 May 27 12:04 persist
drwx 4096 May 16 19:27 schedule
-rwx 1868 May 27 12:03 startup-config
-rwx 0 May 14 16:46 zerotouch-config
1862512640 bytes total (256790528 bytes free)
If you specify what you think is a full Unix path, such as /home/admin/em.log, you will not get the expected results, as this will translate to flash:/home/admin/em.log:
Arista(config)#event-monitor backup path /home/admin/em.log
Arista(config)#dir
Directory of flash:/ -rwx 245827739 Apr 16 04:19 EOS-4.9.1.swi -rwx 248665992 May 23 02:16 EOS-4.9.3.swi -rwx 137 May 23 02:32 boot-config drwx 4096 May 27 12:05 debug drwx 4096 May 27 12:08 home drwx 4096 May 27 12:04 persist drwx 4096 May 16 19:27 schedule -rwx 1868 May 27 12:03 startup-config -rwx 0 May 14 16:46 zerotouch-config
You can specify a Unix path. The command provides two options when asked:
Arista(config)#event-monitor backup path ?
file: forever log URL
flash: forever log URL
The idea of a forever log sounds oddly romantic, like rescuing a dog from the pound and bringing him to his forever home, but what this file versus flash choice is offering is the choice between a Unix path (file:) or a CLI path (flash:). By not specifying either, the parser will assume flash:. That’s why our previous command, using /home/admin created a directory in flash:. To actually put the file in /home/admin (which would be dumb, since /home will not survive a reboot either), use the following command, incorporating file: at the beginning of the path:
Arista(config)#event-monitor backup path file:/home/admin/em.log
That will put the database file where you want it:
Arista#bash ls /home/admin
em.log.0
The EOS device, file:, is a pseudodevice that
lets you access the Linux file system from within CLI. You can use it
anywhere you would use another device name, such as copy flash:GAD.txt file:/tmp
.
You may have noticed that my files all have a
.0 appended to them, although I did not specify that.
Event monitor will write 500 events to the file, after which it will
create a new file, appended with a .1. The logs are
circular, so when the last log (default .200) is
reached, the .0 file is deleted, and new data will be
written there. That’s why I wrote earlier that these files were
sort of permanent. To configure how many logfiles you would like to retain, use
the event-monitor backup max-size
number
command:
Arista(config)#event-monitor backup max-size ?
<1-200> maximum number of stored backup logs
I’ll specify 10 logfiles, for no other reason than I like the number 10:
Arista(config)#event-monitor backup max-size 10
To disable Event Monitor completely, use the no event-monitor all
configuration
command:
Arista(config)#no event-monitor all
To enable only one of the Event Monitor functions, use the
event-monitor
command, followed by the
function (mac
, arp
, or
route
) that you’d like to enable. You can also disable
single functions by negating these commands:
Arista(config)#event-monitor route
To enable them all again, use the all
keyword:
Arista(config)#event-monitor all
Finally, you can configure a max buffer size for Event Monitor. The Arista manuals show the buffer size in Kb (kilobits), which I kind of think is a mistake, but if it’s not, one kilobit = 128 bytes.
The buffer size can be configured from 6 to 50 units in size. If backup logs are configured, they are written to when the buffer becomes full:
Arista(config)#event-monitor buffer max-size ?
<6-50> maximum size of the primary event monitor log
For most environments, leaving the Event Monitor as is and enabled probably makes the most sense. I see no reason to disable it, and even though you might use it rarely, it can be an invaluable tool when you do need it.
18.220.43.134