Alongside SNMP and Syslog, many Cisco devices can also be configured to send email alerts and notifications in response to a pre-determined event. This can be useful to provide notification to a network administrator of device faults and status changes, security concerns and configuration changes. Email alerting is configured via the Embedded Event Manager (EEM) which runs within IOS.
Not all Cisco devices support the sending of email alerts via EEM. Refer to the documentation for your device and IOS version to verify compatibility. For example, the steps in this article will work on the Cisco Catalyst 3560 and 3750 Series switches such as the WS-C3560-48TS or WS-C3750G-48TS and on the Cisco 1841 Integrated Services Router, but will not work on the Cisco Catalyst 2960-X Series switches such as the WS-C2960XR-48LPS-I.
To configure an alert, an EEM applet needs to be created specifying the event that will trigger it and one or more actions to take. This article will describe how to create an applet and have it send an email alert to an email address of your choice.
Email alerting depends on the functionality of your email infrastructure and failure of this may prevent you receiving critical alerts from your Cisco device. Additionally, the sending of an email alert requires that your device is still (somewhat) functional and still has network connectivity to be able to communicate with your email server. Do not rely solely on email alerting to be notified of issues and instead, configure email alerting in conjunction with other monitoring options such as SNMP or Syslog.
Since responding to multiple different events requires multiple applets, it is recommended to configure environment variables for constants such as the email address that should receive alerts, the email address the device should send emails from and the SMTP server that should be used to send the email. Refer to this article to learn how to configure the appropriate environment variables. The variables that will be used in the following examples are outlined below.
If using a hostname or FQDN instead of IP address for your email server, ensure that name resolution is working by testing that your device can ping that name successfully.
Before beginning to create an applet, it is important to decide which events should trigger an email alert. While configuring too few alerts may mean that important events are missed, configuring too many alerts may result in important information being missed amidst a flood of emails. Sending an alert when an interface goes down may be valuable on a core switch connected to key infrastructure devices, but is likely to generate significant false positives on an access switch used to connect end-user devices.
Refer to the documentation for your Cisco device and IOS version to determine which events warrant an alert being sent.
In this article, alerts will be configured for successful and failed login attempts, changes to the device configuration and changes to an interface's link and line protocol state. The event strings that are generated when one of these events occurs can be found in Cisco's documentation but will also be logged to the device console.
The relevant event string, such as SYS-5-CONFIG_I or LINK-3-UPDOWN, will be used to specify the Syslog message pattern that an applet should match.
The number in an event string indicates the severity, with 0 being the highest and 7 being the lowest.
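Before committing patterns to a device, it can help to replay them against log lines already collected from it, to see how many emails each applet would have sent and which events no applet covers. The following is an added example, not part of the original article: the log lines are constructed, the login and line protocol event strings are assumed (the article names only the configuration and link ones), and Python's regular expressions stand in as an approximation of EEM's pattern matching.

```python
import re
from collections import Counter

# Candidate "event syslog pattern" strings. Only SYS-5-CONFIG_I and
# LINK-3-UPDOWN are named in the article; the other three are assumed.
PATTERNS = ["SEC_LOGIN-5-LOGIN_SUCCESS", "SEC_LOGIN-4-LOGIN_FAILED",
            "SYS-5-CONFIG_I", "LINK-3-UPDOWN", "LINEPROTO-5-UPDOWN"]

# An event string appears in a log line as %FACILITY-SEVERITY-MNEMONIC:
EVENT_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

# Constructed sample log (documentation addresses, not a real capture).
SAMPLE_LOG = """\
*Mar  1 00:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Mar  1 00:11:15.004: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar  1 00:11:16.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:12:40.551: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22]
*Mar  1 00:13:02.900: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22]
*Mar  1 00:14:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
*Mar  1 00:15:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated
"""

def parse_event(line):
    """Return (event_string, severity) for a log line, or None if absent."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    facility, severity, mnemonic = m.groups()
    return f"{facility}-{severity}-{mnemonic}", int(severity)

def dry_run(log_text, patterns=PATTERNS):
    """Count the emails each pattern would trigger; list uncovered events."""
    counts = Counter({p: 0 for p in patterns})
    uncovered = []
    for line in log_text.splitlines():
        hits = [p for p in patterns if re.search(p, line)]
        for p in hits:
            counts[p] += 1
        event = parse_event(line)
        if not hits and event:
            uncovered.append(event)
    return counts, uncovered

if __name__ == "__main__":
    counts, uncovered = dry_run(SAMPLE_LOG)
    for pattern, n in counts.items():
        print(f"{n:3d} email(s)  {pattern}")
    print("no applet for:", uncovered)
```

A pattern that reports zero hits against a log known to contain the event usually means the string was mistyped, for example a hyphen where the message uses an underscore.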
From global configuration mode, an applet can be created using the command event manager applet <name>. Within the applet, specify the event string to match using the command event syslog pattern <string> and define the desired actions with the action command. In this example, five applets are created to respond to the five intended events, each containing one action to send an email message. The email will be sent using the three environment variables configured previously and will include the event timestamp in the subject, as well as the event message in the body.