6.6 Event Monitor
The event monitor writes system event records to local files for access by SQLite database commands.
Note: Beginning with release EOS-4.20.5F, event-monitor is not enabled by default. Use the event-monitor command at the (config)# prompt to explicitly enable event-monitor.
6.6.1 Description
The event monitor receives notifications for important events or changes to the enabled event monitor tables. These changes are logged to a fixed-size circular buffer. The size of this buffer is configurable, but it does not grow dynamically. Buffer contents can be stored to permanent files to increase the event monitor's effective capacity. The permanent file size and the number of permanent files are configurable. The buffer is stored at a fixed location on the switch.
Specific event monitor queries are available through CLI commands. For queries not available through specific commands, manual queries are supported through other CLI commands. When the user issues a query command, the relevant events from the circular buffer and permanent files are written to and accessed from a temporary SQLite database file. The database keeps a separate table for each logging type (such as mac, arp, route, and others). When the monitor receives notification of a new event, the database file is deleted, then recreated.
6.6.2 Configuring the Event Monitor
Enabling the Event Monitor
The event-monitor command enables the event monitor and specifies the types of events that are logged. The event monitor is an event logging service that records system events to a local database. The event monitor records these events:
all               changes to all events.
arp               changes to the ARP table (IPv4 address to MAC address mappings).
Neighbor          changes to the neighbor table (IPv6 address to MAC address mappings).
backup            backed up log files.
buffer            changes to the local buffer settings.
IGMP snooping     changes to the IGMP snooping table.
lacp              changes to the LACP table events.
mac               changes to the MAC address table (MAC address to port mappings).
mroute            changes to the IP multicast routing table.
neighbor          changes to the neighbor routing table.
route             changes to the IPv4 routing table.
route6            changes to the IPv6 routing table.
stpunstable       events that cause STP instability.
Beginning with release EOS-4.20.5F, event-monitor is not enabled by default. Use the event-monitor command to explicitly enable event-monitor. The no event-monitor all command disables the event monitor. The no event-monitor command, followed by a log type parameter, disables event recording for the specified type.
Example
This command disables the event monitor for all types of events.
switch(config)#no event-monitor all
This command enables the event monitor for routing table changes.
switch(config)#event-monitor route
The event-monitor clear command removes the contents of the event monitor buffer. If event monitor backup is enabled, this command removes the contents from all event monitor backup files.
Example
This command clears the contents of the event monitor buffer.
switch#event-monitor clear
switch#
Configuring the Buffer
The event-monitor buffer max-size command specifies the size of the event monitor buffer. The event monitor buffer is a fixed-size circular data structure that receives event records from the event monitor. When event monitor backup is enabled, the buffer is copied to a backup file before each rollover. Buffer size ranges from 6 Kb to 50 Kb. The default size is 32 Kb.
Example
This command configures a buffer size of 48 Kb.
switch(config)#event-monitor buffer max-size 48
switch(config)#
Configuring Permanent Files
The event-monitor backup path command enables storage of the event monitor buffer to permanent switch files and specifies the path/name of these files. The command references file location either from the flash drive root directory where the CLI operates (/mnt/flash) or from the switch root directory (/).
The event monitor buffer is circular – after the buffer is filled, new data replaces older data at the beginning of the buffer. The buffer is copied into a new backup file after each buffer writing cycle before the switch starts re-writing the buffer.
Example
These commands configure the switch to store the event monitor buffer in backup files under eventmon_backup_dir with the base name event.log, then display the new files in that directory on the flash drive.
switch(config)#event-monitor backup path eventmon_backup_dir/event.log
switch(config)#
bash-4.3# ls /mnt/flash/eventmon_backup_dir/
arpevent.log.1           lacpevent.log.1  neighborevent.log.1  routeevent.log.1
igmpsnoopingevent.log.1  macevent.log.1   route6event.log.1    stpunstableevent.log.1
The event-monitor backup max-size command specifies the quantity of event monitor backup files the switch maintains. The switch appends an extension number to the file name when it creates a new file. After every 500 events, the switch deletes the oldest backup file if the file limit is exceeded.
Example
These commands configure the switch to back up the event buffer to a series of files named sw-event.log. The switch can store a maximum of four files.
switch(config)#event-monitor backup path sw-event.log
switch(config)#event-monitor backup max-size 4
switch(config)#
The first five files that the switch creates to store event monitor buffer contents are:
sw-event.log.0
sw-event.log.1
sw-event.log.2
sw-event.log.3
sw-event.log.4
The switch deletes sw-event.log.0 the first time it verifies the number of existing backup files after the creation of sw-event.log.4.
6.6.3 Querying the Event Monitor
These CLI commands perform SQL-style queries on the event monitor database:
The show event-monitor arp command displays ARP table events.
The show event-monitor mac command displays MAC address table events.
The show event-monitor route command displays routing table events.
Example
This command displays all MAC address table events.
switch#show event-monitor mac
% Writing 0 Arp, 0 Route, 1 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0
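The following Python example is added here and is not part of the EOS documentation. It parses captured show event-monitor mac output in the pipe-delimited layout above and reports a MAC address that is added on a different port of the same VLAN within a short window, which is how a loop or a spoofed address shows up in these records. The column meanings (time, VLAN, MAC, interface, entry type, action, sequence), the learnedDynamicMac value and every sample row after the first are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the 7-field pipe-delimited layout shown above.
# Assumed columns: time|vlan|mac|interface|entry type|action|sequence.
SAMPLE = """\
% Writing 0 Arp, 0 Route, 5 Mac events to the database
2012-01-19 13:57:55|1|0808.0808.0808|Ethernet1|configuredStaticMac|added|0
2012-01-19 14:02:10|10|001c.7300.0a01|Ethernet3|learnedDynamicMac|added|1
2012-01-19 14:02:40|10|001c.7300.0a01|Ethernet7|learnedDynamicMac|added|2
2012-01-19 14:03:05|10|001c.7300.0a01|Ethernet3|learnedDynamicMac|added|3
2012-01-19 16:30:00|20|001c.7300.0b02|Ethernet4|learnedDynamicMac|added|4
"""

def parse_mac_events(text):
    """Return one dict per event row, skipping status and malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("%") or len(fields) != 7:
            continue
        ts, vlan, mac, intf, entry_type, action, seq = fields
        # The route example on this page carries fractional seconds; accept both.
        fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in ts else "%Y-%m-%d %H:%M:%S"
        events.append({
            "time": datetime.strptime(ts, fmt), "vlan": int(vlan),
            "mac": mac.lower(), "interface": intf,
            "type": entry_type, "action": action, "seq": int(seq),
        })
    return events

def find_mac_moves(events, window=timedelta(minutes=5)):
    """Return (vlan, mac, old_port, new_port, time) for each 'added' event that
    puts a MAC on a different port than its previous 'added' within window."""
    last_seen, moves = {}, []
    for ev in sorted(events, key=lambda e: (e["time"], e["seq"])):
        if ev["action"] != "added":
            continue
        key = (ev["vlan"], ev["mac"])
        prev = last_seen.get(key)
        if (prev and prev["interface"] != ev["interface"]
                and ev["time"] - prev["time"] <= window):
            moves.append((ev["vlan"], ev["mac"], prev["interface"],
                          ev["interface"], ev["time"]))
        last_seen[key] = ev
    return moves

if __name__ == "__main__":
    for move in find_mac_moves(parse_mac_events(SAMPLE)):
        print("MAC move: vlan %d %s %s -> %s at %s" % move)
```
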
For other database queries, the show event-monitor sqlite command performs an SQL-style query on the database, using the statement specified in the command.
Example
This command displays all entries from the route table.
switch#show event-monitor sqlite select * from route;
2019-09-30 14:01:21.659428|16.16.16.255/32|default|receiveBcast|0|0|updated|20
2019-09-30 14:01:21.659464|192.168.201.12/30|default|connected|1|0|updated|21
2019-09-30 14:01:21.659497|192.168.1.255/32|default|receiveBcast|0|0|updated|22
2019-09-30 14:01:21.659503|192.168.201.8/32|default|receiveBcast|0|0|updated|23
2019-09-30 14:01:21.659512|16.16.16.0/32|default|receiveBcast|0|0|updated|24
2019-09-30 14:01:21.659517|192.168.201.12/32|default|receiveBcast|0|0|updated|25
2019-09-30 14:01:21.659524|192.168.201.15/32|default|receiveBcast|0|0|updated|26
2019-09-30 14:01:21.659541|192.168.201.8/30|default|connected|1|0|updated|27
2019-09-30 14:01:21.659564|16.16.16.0/24|default|connected|1|0|updated|28
2019-09-30 14:01:21.659578|192.168.201.9/32|default|receive|0|0|updated|29
6.6.4 Accessing Event Monitor Database Records
The event-monitor interact command replaces the CLI prompt with an SQLite prompt. The event monitor buffer and all backup logs are synchronized into a single SQLite file and loaded for access from the prompt.
To access help from the SQLite prompt, enter .help
To exit SQLite and return to the CLI prompt, enter .quit or .exit
The event-monitor sync command combines the event monitor buffer and all backup logs and synchronizes them into a single SQLite file. The data can be accessed through SQLite or by using the show event-monitor commands described above.
Examples
This command replaces the EOS CLI prompt with an SQLite prompt.
switch#event-monitor interact
sqlite>
This command exits SQLite and returns to the EOS CLI prompt.
sqlite> .quit
switch#
This command synchronizes the buffer and backup logs into a single SQLite file.
switch(config)#event-monitor sync
switch(config)#