Chapter 27. Event Monitor

The Event Monitor on an Arista switch is a slick little tool that, according to the documentation, “writes system event records to local files for access by sqlite database commands.” While a technically accurate description, allow me to expand on that a bit.

Event monitor is a process that records certain common events on the switch. As of EOS version 4.9.3.2, the events recorded include changes to the MAC address table (what MAC is mapped to what port), changes to the IP routing table, and changes to the ARP table (MAC address to IP address mapping).

Note

Generally, EOS releases are named in the A.B.C format. When I wrote this chapter, the latest revision was 4.9.3.2, which included an urgent patch serious enough to warrant a minor release. The revision was quickly replaced by 4.9.4, but the newer release did not effect any of the chapters where I used 4.9.3.2.

OK, I’ll admit that still sounds boring, but let’s dig into this tool and see what it does, and how it might be useful.

Using Event Monitor

The home base for using Event Monitor from EOS is the show event-monitor command. As of EOS v.4.9.3.2, there are only four options:

Arista#sho event-monitor ?
  arp     Monitor ARP table events
  mac     Monitor MAC table events
  route   Monitor routing events
  sqlite  enter a sqlite statment

There are three tables that we can view, and one very cool option named sqlite. The sqlite option lets us send sqlite commands from EOS to the sqlite database, which, as we’ll see, is pretty darn useful.

Note

Sqlite is a software library that, according to the sqlite website, “implements a self-contained, serverless, zero-configuration, transactional SQL database engine.” In other words, it’s a very simple, scaled down version of SQL that also happens to be in the public domain. For more information on sqlite, see the project web page. Though you may have not heard of sqlite before, if you’ve ever used an Apple Mac running OS X, an iPhone, or an iPad, then you’ve used a product that incorporates sqlite. If you don’t like Apple products, then look no further than the Firefox browser, the Thunderbird email client, the Google Chrome browser, or the Android phone operating system for other examples of the widespread use of sqlite.

Actually, to be painfully accurate, there is only one database, and each of the type of events being recorded is in a table within that database. Let’s take a look at each one of these tables.

ARP

Normally, ARP changes are not logged on a switch. Even if they were, scrolling through pages of log entries is not my idea of fun, so the idea of storing these events in a database is a bit appealing to me. It’s been a long time since I was a database guy, so let’s see how rusty I am. The way to retrieve the ARP events from the database is with the show event-monitor arp command.

Note

Many of the code excerpts in this chapter are wrapped in unnatural looking ways to fit within the confines of the printed page. Since much of the output from these commands is actually Unix output piped through the EOS CLI, the format and width may look the way you might expect from a traditional switch operating system.

Arista#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|27

My main problem with this tool is that the output is, shall we say, ugly. Well, it’s ugly from my “all user interfaces should be elegant and beautiful” point of view. From my “it’s SQL, and that’s what SQL output looks like” point of view, it’s beautiful. I know, I’m a complicated person.

Don’t get me wrong, this is very useful information, but I have no idea what some of the values are. For example, I see some fields with zeros in them, and some with no values, and I have no idea what that last field in every line represents.

To help figure out what this stuff is, I’ll take advantage of a nifty sqlite command that shows me the command used to create the table. This command is called .schema, and can be accessed by using the sqlite keyword. I’ll cover the usage of the sqlite keyword a bit later in this chapter, but for now, bear with me and know that I’m sending the sqlite command .schema arp from EOS with the following command:

Arista#sho event-monitor sqlite .schema arp
CREATE TABLE arp( time text, prefix text, intf text, ethAddr text,
static integer, delta text,counter integer UNIQUE );

This output tells me that there was a table created named arp that contains the following fields, listed in order. I’ve also added what they mean for any nonprogrammer types out there:

Time (text string)

The time in which this log entry was added.

Prefix (text string)

The IP address related to the ARP entry.

Interface (text string)

What interface the ARP event occurred on.

Ethernet Address (text string)

The MAC address tied to the IP address (prefix).

Static (integer)

Value is 0 if ARP entry was dynamically learned, and 1 if statically assigned.

Delta (text string)

Typical entries are added and removed.

Counter (unique integer)

Every time an entry is made, it is assigned a counter value as a unique identifier for this record.

Let’s see this table in action. First, here is the list of existing ARP entries:

Arista(config)#sho arp
Address         Age (min)  Hardware Addr   Interface
192.168.1.1             0  0014.6aa2.d438  Management1
192.168.1.200           0  0002.55b7.da9d  Management1

Now I’ll add a static ARP entry to my switch by mapping the IP address 192.168.1.2 to the MAC address learned for 192.168.1.1:

Arista(config)#arp 192.168.1.2 0014.6aa2.d438 arpa

Let’s see what the Event Monitor database shows now that I’ve added the static ARP:

Arista(config)#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|
added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|
added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|
added|27
2012-05-25 16:05:37|192.168.1.2|Management1|00:14:6a:a2:d4:38|1|
added|108
% Writing 1 Arp, 0 Route, 1 Mac events to the database

Take a look at the line in bold, and let’s apply what we know. At 4:05 p.m. on May 25th, 2012, a static ARP was added that mapped the IP address 192.168.1.2 to the MAC address 00:14:6a:a2:d4:38. The ARP entry became active on interface Management1.

Now I’ll go in and delete the static ARP entry:

Arista(config)#no arp 192.168.1.2 0014.6aa2.d438 arpa

And here’s the output from the show event-monitor arp command after the change:

Arista(config)#sho event-monitor arp
2012-05-23 02:34:12|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|3
2012-05-23 02:34:12|192.168.1.200|Management1|||removed|4
2012-05-23 06:38:49|192.168.1.1|Management1|00:14:6a:a2:d4:38|0|added|26
2012-05-23 18:11:27|192.168.1.200|Management1|00:02:55:b7:da:9d|0|added|27
2012-05-25 16:05:37|192.168.1.2|Management1|00:14:6a:a2:d4:38|1|added|108
2012-05-25 16:06:56|192.168.1.2|Management1|||removed|109
% Writing 1 Arp, 0 Route, 0 Mac events to the database

Reading the line in bold, we can see that at 4:06 p.m. on May 25th, 2012, the ARP entry for the IP address 192.168.1.2 was removed. The ARP entry was previously active on interface Management1.

Remember that ARP entries are only made on the switch when the switch communicates directly using IP, or if the ARP table is manually manipulated. If you have no IP addresses active on your switch, this table will be empty. For example, if you manage your switches solely though console servers, and don’t even use the Management interface, you may not need to have IP addresses active on your switch at all. In this case, there would be no ARP activity to record.

MAC

MAC changes are logged any time a MAC address is learned, added, or deleted. This can happen a lot on a busy switch, but it might not happen much at all on a smaller, stable network. This can be a pretty useful tool, and I’ll show you how, so let’s start by taking a look at the table the same way we did for the ARP table. First, let’s look at the schema with the .schema mac sqlite command:

Arista#sho event-monitor sqlite .schema mac
CREATE TABLE mac( time text, fid integer, ethAddr text, intf text,
type text, delta text, counter integer UNIQUE);
% Writing 0 Arp, 0 Route, 2 Mac events to the database

Here’s the breakdown of the fields:

Time (text string)

The time in which this log entry was added.

FID (integer)

FID stands for Filter ID. Switches keep an internal database of VLANs, and Arista switches assign internal VLANs to certain ports. This number will likely be unimportant to you, since the interface on which the MAC address was learned is also present.

Ethernet Address (MAC) (text string)

The MAC address related to this event.

Interface (text string)

The interface on which this MAC event occurred.

Type (text string)

How did the entry change? A typical value would be learnedDynamicMac. When a MAC address is removed from the table, this field is null. If you statically add a MAC address with the mac address-table static command, this field will read configuredStaticMac.

Delta (text string)

How did the entry change? Typical entries are added and removed.

Counter (unique integer)

Every time an entry is made, it is assigned a counter value as a unique identifier for this record.

So let’s look at an example of how I like to use this feature. Generic Bob comes up to you at 4:30 p.m. on a Friday and says, “Hey, the network sucks.”

“What is it this time, Bob?” you ask, trying really hard not to roll your eyes since you read that chapter in Network Warrior about how not to be that guy.

“My system doesn’t work, and it used to. Nothing changed, and I don’t feel like thinking, so it has to be the network.”

After a heavy sigh, you stop the important work you were doing and focus on Generic Bob’s dilemma. “Where are you connected, Bob?”

“How should I know? You’re the network guru, and it’s your crappy network, so you figure it out.”

Repressing the thoughts that are better left to mystery writers and psychopaths, you ask, “Well, do you know your IP address?”

“No, I think it’s dynamic or something. Will this take long?”

“Look Bob, I need either the IP address or the MAC address to find your system. Get me either of those, or even better, both, and I’ll see what I can find, OK?”

Generic Bob storms off to do his generic thing while you pull up your résumé. Just as you start to include all your Arista switch experience, Bob comes back and thrusts a piece of paper at your face. “Here’s your Mick address.”

You smile the false, hopeless smile of the damned, gently take the paper, and log in to your Arista switch. Generic Bob’s coffee-stained paper has 3c:07:54:43:88:d4 scribbled on it in what appears to be red crayon, or maybe lipstick.

With event-monitor, you have a record of every MAC event for quite some time. Using the match-mac keyword, you pull up the event-monitor mac table including only events regarding the MAC address you care about:

Arista#sho event-monitor mac match-mac 3c:07:54:43:88:d4
2012-11-03 09:18:08|1006|3c:07:54:43:88:d4|Ethernet24|
learnedDynamicMac|added|549
2012-05-26 16:19:51|1|3c:07:54:43:88:d4|Ethernet6|learnedDynamicMac|
added|553

Looking at this data, you can see that Generic Bob’s MAC address was first learned on January 11th, 2012, and this switch saw it on interface e24. Since you know that e24 is an uplink to another switch, you know that Bob’s system was originally on another switch.

But the next line shows that the MAC address was learned today (hey, it was today when I wrote it), at 4:19 p.m. on the switch’s local interface, e6. That seems odd, so you look at the running-config for e6 on this switch:

Arista#sho run int e6
interface Ethernet6
   description [ Unused ]
   switchport access vlan 999

Since you’ve configured the switch with a dead VLAN (999) that you put on all unused ports, you’re sure that Generic Bob glommed a free interface on a different switch than the one to which he was assigned. With a couple of short commands, you’ve shown that Generic Bob was lying because someone had clearly moved his system from one switch to another, and that’s why it stopped working. You can’t blame the guy for thinking the new Arista switches would give him better performance, but plugging into network ports without prior authorization should not be tolerated.

I’ll leave it to your imagination as to how you might deal with Generic Bob now that you have the tools to prove him wrong. Just try not to be that guy…much. I’d probably just smile and tell him to put his system back into the network port where it belonged, and then make sure his access to the data center was revoked, but not until I was done adding Event Monitor to my resume.

Note

This story is a complete fabrication. I’ve never met anyone named Bob who wrote a Mick address in red crayon. I did know someone who wrote her address in lipstick once, but that’s a story for another book. OK, that’s actually a fabrication too.

Route

If you’ve got your switches configured for IP routing, the show event-monitor route command can be a great tool to see historical information regarding route changes. As with the others, let’s take a look at the schema, and then work up an example to see it in action:

Arista#sho event-monitor sqlite .schema route
CREATE TABLE route( time text, prefix text, protocol text, metric integer, 
    preference integer, delta text,counter integer UNIQUE );

Here’s the breakdown of the fields from the route table:

Time (text string)

The time in which this log entry was added.

Prefix (text string)

The IP prefix, including the Classless Internet Domain Routing (CIDR) mask related to the route entry.

Protocol (text string)

I would imagine that this should read the protocol from which the prefix was learned or removed, but I’ve only ever seen this field read invalid when a route is added, or null when a route is removed.

Metric (integer)

Again, I would assume this field should contain the metric for the route, but I’ve never been able to make it say anything other than 0 when adding a route, and null when removing a route.

Preference (integer)

This field should include the administrative distance for the route, but in my testing, this field reports a 1 regardless of route type learned.

Delta (text string)

How did the entry change? Typical entries are added and removed.

Counter (unique integer)

Every time an entry is made, it is assigned a counter value as a unique identifier for this record.

Note

I submitted my observation regarding the odd behaviors in this table to Arista TAC and received notification that this is a bug (ID #30146), which is scheduled to be resolved in the next major release of EOS. As of August 2012, Arista has not decided on whether that version will be called v4.11 or v5.0.

Let’s start with a simple example. Here, I’ll add a static route to the switch:

Arista(config)#ip route 20.20.20.0/24 192.168.1.1

Using the match-ip ip-prefix option, here’s what shows up in the Event Monitor:

Arista(config)#sho event-monitor route match-ip 20.20.20.0/24
2012-05-27 00:54:40|20.20.20.0/24|invalid|0|1|added|1310

Now I’ll delete that route:

Arista(config)#no ip route 20.20.20.0/24 192.168.1.1

And an appropriate remove message shows up in the Event Monitor:

Arista(config)#sho event-monitor route match-ip 20.20.20.0/24
2012-05-27 00:54:40|20.20.20.0/24|invalid|0|1|added|1310
2012-05-27 00:56:29|20.20.20.0/24||||removed|1312

When the switch learns routes through other means, the results are pretty much the same, but since I went through the trouble to prove that to myself, I figure it’s only fair to share.

First, I’ll show what the routing table looks like:

Arista#sho ip route | begin Gateway
Gateway of last resort:
 S      0.0.0.0/0 [1/0] via 192.168.1.1

 C      30.30.30.0/24 is directly connected, Loopback0
 C      192.168.1.0/24 is directly connected, Vlan901

Next, I’ll add a simple OSPF configuration:

Arista(config)#router ospf 100
Arista(config-router-ospf)#network 192.168.1.0/24 area 0
Arista(config-router-ospf)#redistribute connected

Make sure we have a working neighbor (I’m not showing the neighbor’s configuration because it’s not an Arista switch, and really, who wants to see that?):

Arista(config-router-ospf)#sho ip ospf neighbor
Neighbor ID     Pri   State            Dead Time   Address         Interface
70.91.46.85       1   FULL/DR          00:00:34    192.168.1.1     Vlan901

So now that OSPF is up and working, let’s see what routes we’ve learned from our neighbor:

Arista#sho ip route | begin Gateway
Gateway of last resort:
 S      0.0.0.0/0 [1/0] via 192.168.1.1

 C      30.30.30.0/24 is directly connected, Loopback0
 O E2   192.168.0.0/24 [110/10] via 192.168.1.1
 C      192.168.1.0/24 is directly connected, Vlan901
 O E2   192.168.2.0/24 [110/10] via 192.168.1.1

Now that we’ve got two OSPF routes learned, each of which has a metric of 10, let’s take a look at Event Monitor. Before I do that, I’m going to clear out the buffer using the event-monitor clear command, because there’s too much output to wade through, and I’m tired of filtering the output:

Arista(config)#event-monitor clear
Clearing buffer and forever logs

Since I cleared the buffer with the event-monitor clear command, the counters at the end of the lines have restarted. Notice also that the OSPF routes shown previously show a metric of 10, but the route entries in the Event Monitor show protocol values of invalid, and metric values of 0:

Arista(config-router-ospf)#sho event-monitor route
2012-05-27 01:35:07|192.168.0.0/24|invalid|0|1|added|7
2012-05-27 01:35:07|192.168.2.0/24|invalid|0|1|added|8
% Writing 0 Arp, 4 Route, 4 Mac events to the database

Now let’s see what happens when I remove OSPF from the switch. First, I’ll remove the protocol from active duty:

Arista(config)#no router ospf 100

Then take a quick look to make sure all my OSPF routes are gone:

Arista(config)#sho ip route | beg Gateway
Gateway of last resort:
 S      0.0.0.0/0 [1/0] via 192.168.1.1

 S      20.20.20.0/24 [155/0] via 192.168.1.1
 C      30.30.30.0/24 is directly connected, Loopback0
 C      192.168.1.0/24 is directly connected, Vlan901

And finally, a look into the Event Monitor to see how it responded:

Arista(config)#sho event-monitor route
2012-05-27 01:35:07|192.168.0.0/24|invalid|0|1|added|7
2012-05-27 01:35:07|192.168.2.0/24|invalid|0|1|added|8
2012-05-27 01:39:02|192.168.0.0/24||||removed|11
2012-05-27 01:39:02|192.168.2.0/24||||removed|12
% Writing 0 Arp, 2 Route, 2 Mac events to the database

As you can see, it reacts pretty much the same way as when I added and removed static routes. Convinced that I could get the protocol field to show something other than invalid, I fired up a similar test using BGP. Again, I’m only showing the Arista side of things because this isn’t a lesson on routing, but rather a view into the workings of Event Monitor.

Note

Again, this behavior is a result of bug ID #30146, which is scheduled to be resolved in EOS version 5.0.0. Though I would love to have waited for 5.0.0 to come out before finishing this book, I ran out of time, so I had no choice but to report how it works at the time of writing (mid-2012). Besides, updating this chapter goes right into my “reasons O’Reilly should approve the 2nd edition” file for later use.

Here’s my quick and dirty BGP config, just to show that the protocol, metric, and preferences never change:

Arista(config)#router bgp 100
Arista(config-router-bgp)#neighbor 192.168.1.1 remote-as 100

And here’s the newly learned BGP route sitting snug in the routing table:

Arista(config-router-bgp)#sho ip route | begin Gateway
Gateway of last resort:
 S      0.0.0.0/0 [1/0] via 192.168.1.1

 S      20.20.20.0/24 [155/0] via 192.168.1.1
 C      30.30.30.0/24 is directly connected, Loopback0
 C      192.168.1.0/24 is directly connected, Vlan901
 B I    192.168.2.0/24 [200/0] via 192.168.1.1

And here’s the new route as seen in event-monitor:

Arista#sho event-monitor route
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18

Now I’ll remove BGP from the switch:

Arista(config)#no router bgp 100

And show that the BGP route is gone:

Arista(config)#sho ip route | beg Gateway
Gateway of last resort:
 S      0.0.0.0/0 [1/0] via 192.168.1.1

 S      20.20.20.0/24 [155/0] via 192.168.1.1
 C      30.30.30.0/24 is directly connected, Loopback0
 C      192.168.1.0/24 is directly connected, Vlan901

And here’s the final output from event-monitor:

Arista(config)#sho event-monitor route
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
2012-05-27 02:01:44|192.168.2.0/24||||removed|19

Advanced Usage

Event monitor uses sqlite, as I’ve already stated, but using the CLI commands really doesn’t allow the full use of sqlite if you’ve got SQL skills. Luckily, there are a few ways to get to the good stuff.

First, you can issue sqlite commands through the show event-monitor sqlite sqlite-command command as you’ve already seen. Let’s get a list of all the databases, so we’ll need to list the tables. The sqlite command, .tables, does just that. So, let’s add that to our command:

Arista#sho event-monitor sqlite .tables
arp    mac    route

That makes sense, since the only things we can use Event Monitor for (as of EOS 4.9.3.2) is ARP, MAC, and route changes. Being nosy, I decided that I wanted to know where the database was actually stored.

Here’s a great example of why I love Arista products. Instead of bugging the guys at Arista for information about the default database location, I dug in and tried to figure it out on my own. Because everything is open and not some custom application, a little bit of online research revealed tips and tricks for using sqlite. The sqlite command, .databases, will show the location of the database files in use. By using the sqlite keyword and appending this command, I easily found what I wanted:

Arista#sho event-monitor sqlite .databases
seq  name             file
---  ---------------  ----------------------------------------------------------
0    main             /tmp/eventMon.db

Note

You can also get some helpful commands by issuing the sho event-monitor sqlite .help command in CLI.

You can do almost anything you’d like this way, though I’ve had trouble trying to stack sqlite commands though the CLI with this method. Thankfully, there’s a way around this. By issuing the event-monitor interact command from CLI, you’ll drop into sqlite’s own command-line interface:

Arista#event-monitor interact
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>

From here, you can do anything you could do as if you ran the sqlite command from the bash prompt. I’d suggest spending a bit of time learning simple sqlite commands before you play with this, but remember these two key points: every command must be terminated with a semicolon, and use .quit or Control-D to exit. Here’s the command to list all the entries in the route table:

sqlite> select * from route;
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
2012-05-27 02:01:44|192.168.2.0/24||||removed|19
sqlite>^D
Arista#

Of course, if you feel the need to access the program from bash, you may do so with the sqlite3 command (on EOS v4.9.3.2). First I’ll drop into bash:

Arista#bash

Arista Networks EOS shell

[GAD@Arista ~]$

And from there, I’ll issue the sqlite3 command:

 [GAD@Arista ~]$ sqlite3
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"

And now I can issue my commands:

sqlite> select * from route;
Error: no such table: route

Whoops! When I dropped to bash, I lost the friendly CLI frontend to sqlite. From bash, I need to specify the database to use when starting sqlite (unless I’m going to create a new one from scratch). Remember back a bit when I showed where the database was? Now’s the time to use that information:

[GAD@Arista ~]$ sqlite3 /tmp/eventMon.db
SQLite version 3.6.23.1
Enter ".help" for instructions
Enter SQL statements terminated with a ";"

Now we can select from our tables just like we did before:

sqlite> select * from route;
2012-05-27 02:00:51|192.168.2.0/24|invalid|0|1|added|18
2012-05-27 02:01:44|192.168.2.0/24||||removed|19

And remember that Control-D or .quit gets you out:

sqlite>.quit
[GAD@Arista ~]$

Configuring Event Monitor

The database for Event Monitor is found in the /tmp directory. This directory does not survive a reboot, so all of the Event Monitor entries will be lost every time the switch reboots. If you’d like to keep a (sort of) permanent log of these events, then you’ll need to give Event Monitor a location to store its logs in the /mnt/flash directory. This can be done with the event-monitor backup path file-path command:

Arista(config)#event-monitor backup path em.log

Specifying a filename without a path will result in the file being placed in flash:

Arista(config)#dir
Directory of flash:/

       -rwx   245827739           Apr 16 04:19  EOS-4.9.1.swi
       -rwx   248665992           May 23 02:16  EOS-4.9.3.swi
       -rwx         137           May 23 02:32  boot-config
       drwx        4096           May 27 12:05  debug
       -rwx      336964           May 27 12:08  em.log.0
       drwx        4096           May 27 12:04  persist
       drwx        4096           May 16 19:27  schedule
       -rwx        1868           May 27 12:03  startup-config
       -rwx           0           May 14 16:46  zerotouch-config

1862512640 bytes total (256790528 bytes free)

If you specify what you think is a full Unix path, such as /home/admin/em.log, you will not get the expected results, as this will translate to flash:/home/admin/em.log:

Arista(config)#event-monitor backup path /home/admin/em.log
Arista(config)#dir
Directory of flash:/

       -rwx   245827739           Apr 16 04:19  EOS-4.9.1.swi
       -rwx   248665992           May 23 02:16  EOS-4.9.3.swi
       -rwx         137           May 23 02:32  boot-config
       drwx        4096           May 27 12:05  debug
       drwx        4096           May 27 12:08  home
       drwx        4096           May 27 12:04  persist
       drwx        4096           May 16 19:27  schedule
       -rwx        1868           May 27 12:03  startup-config
       -rwx           0           May 14 16:46  zerotouch-config

You can specify a Unix path. The command provides two options when asked:

Arista(config)#event-monitor backup path ?
  file:   forever log URL
  flash:  forever log URL

The idea of a forever log sounds oddly romantic, like rescuing a dog from the pound and bringing him to his forever home, but what this file versus flash choice is offering is the choice between a Unix path (file:) or a CLI path (flash:). By not specifying either, the parser will assume flash:. That’s why our previous command, using /home/admin created a directory in flash:. To actually put the file in /home/admin (which would be dumb, since /home will not survive a reboot either), use the following command, incorporating file: at the beginning of the path:

Arista(config)#event-monitor backup path file:/home/admin/em.log

That will put the database file where you want it:

Arista#bash ls /home/admin
em.log.0

Note

The EOS device, file:, is a pseudodevice that lets you access the Linux file system from within CLI. You can use it anywhere you would use another device name, such as copy flash:GAD.txt file:/tmp.

You may have noticed that my files all have a .0 appended to them, although I did not specify that. Event monitor will write 500 events to the file, after which it will create a new file, appended with a .1. The logs are circular, so when the last log (default .200) is reached, the .0 file is deleted, and new data will be written there. That’s why I wrote earlier that these files were sort of permanent. To configure how many logfiles you would like to retain, use the event-monitor backup max-size number command:

Arista(config)#event-monitor backup max-size ?
  <1-200>  maximum number of stored backup logs

I’ll specify 10 logfiles, for no other reason than I like the number 10:

Arista(config)#event-monitor backup max-size 10

To disable Event Monitor completely, use the no event-monitor all configuration command:

Arista(config)#no event-monitor all

To enable only one of the Event Monitor functions, use the event-monitor command, followed by the function (mac, arp, or route) that you’d like to enable. You can also disable single functions by negating these commands:

Arista(config)#event-monitor route

To enable them all again, use the all keyword:

Arista(config)#event-monitor all

Finally, you can configure a max buffer size for Event Monitor. The Arista manuals show the buffer size in Kb (kilobits), which I kind of think is a mistake, but if it’s not, one kilobit = 128 bytes.

The buffer size can be configured from 6 to 50 units in size. If backup logs are configured, they are written to when the buffer becomes full:

  Arista(config)#event-monitor buffer max-size ?
  <6-50>  maximum size of the primary event monitor log

For most environments, leaving the Event Monitor as is and enabled probably makes the most sense. I see no reason to disable it, and even though you might use it rarely, it can be an invaluable tool when you do need it.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.220.43.134