Cisco EEM Embedded Event Manager Fundamentals

The Embedded Event Manager (EEM) on Cisco IOS devices is a distributed and customized solution for event detection and recovery. When the monitored events happen or a threshold is reached, EEM allows you to track them and execute instructive, corrective, or other EEM actions. An EEM policy is a piece of software that describes a specific event and the actions that should be implemented in response to it.

There are two independent pieces: applets and scripts.

  • Applets are a collection of CLI commands.
  • Scripts are actions coded in Tcl (an interpreted language).

EEM Cisco Detectors

  • SNMP: Monitoring SNMP objects.
  • Syslog: Responds to various Syslog messages, allowing for matching on regular expressions.
  • Counter: Monitoring and responding to interface counters when they cross threshold settings.
  • CLI events: Screening CLI input for a regular expression match.
  • Note: This event detector is used to test the EEM script/applet using the “event manager run” command.
  • Timers: Countdown, watchdog, and CRON.
  • IP SLA and NetFlow events.


Embedded Event Manager (EEM) is a Cisco IOS utility that is both flexible and powerful. Engineers can use EEM to create software applets that can automate a variety of operations. EEM’s power is derived in part from the fact that it allows you to create bespoke scripts in Tcl. Scripts can be run automatically in response to the output of a device action or event. One of the most significant advantages of EEM is that everything is contained on the local device. In most circumstances, an external scripting engine or monitoring device is unnecessary.


Figure: EEM Event Detectors

EEM Cisco Applets

EEM Cisco applets are made up of several components. This chapter focuses on events and actions, two of the most important components of EEM applets. The logic of EEM applets is similar to that of if-then statements in several programming languages (for instance, if an event happens, then an action is taken). The following example shows how to monitor Syslog messages using an EEM applet on a router.

The applet below searches for a specific Syslog message reporting that the Loopback0 interface has gone down. Regular expressions are used to match the specific Syslog message. This is a granular and powerful method of pattern matching. The following actions will be executed if this exact Syslog pattern is matched (an event) at least once:

1. The Loopback0 interface will be shut down and brought back up (by the shutdown and no shutdown commands).

2. The router will generate a Syslog message that says, “I’ve fallen and I can’t get up!”

3. The network administrator will receive an email message containing the contents of the show interface loopback0 command.
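
An applet matching the description above, written here as an added example (it is not taken from the original page). The applet name, mail server address, mail addresses and the eem-svc account are constructed placeholders; the ratelimit keyword and the session username line are assumed to be supported by the IOS release in use.

```cisco
! Constructed placeholders: mail relay and addresses (documentation ranges).
event manager environment _email_server 192.0.2.25
event manager environment _email_to netops@example.com
event manager environment _email_from eem@example.com
!
! When AAA command authorization is enabled, EEM CLI actions are authorized
! as this user. Use a dedicated account limited to the commands the applet needs.
event manager session cli username "eem-svc"
!
event manager applet LOOP0_BOUNCE
 ! Event: any Syslog line reporting Loopback0 down (default: one occurrence).
 ! The shutdown in action 4.0 also logs a matching line, so ratelimit keeps
 ! the applet from triggering again on its own bounce for 60 seconds.
 event syslog pattern "Interface Loopback0.* down" ratelimit 60
 ! Step 1: bounce the interface.
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Loopback0"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
 ! Step 2: write the Syslog message.
 action 7.0 syslog msg "I've fallen and I can't get up!"
 ! Step 3: capture the interface state and mail it.
 ! $_cli_result holds the output of the most recent cli command action.
 action 8.0 cli command "show interface Loopback0"
 action 9.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Loopback0 bounced by EEM" body "$_cli_result"
```

Action labels are sorted as strings, so keep them in a form that sorts in the intended order. The mail action sends the command output to the relay as ordinary SMTP, so the relay should sit on a trusted management network.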

EEM can be used in a variety of ways. From applets to scripting, an engineer’s imagination is the only limit to the possibilities. EEM offers on-box monitoring of a variety of components depending on a set of events. An action can be taken once an event has been noticed. This makes network monitoring more proactive rather than reactive, reducing network load and increasing monitoring system efficiency by allowing devices to simply report when anything goes wrong rather than asking them if something is wrong on a regular basis.

When adding new devices to a network, there are several processes that must be followed. These procedures are frequently time-consuming and repetitious. The high-level distinctions between agent-based and agentless automation and configuration management systems are compared in this section. Understanding how different tools work can tremendously aid network operators in determining the value that each tool can provide. There is a lot of overlap between the jobs or steps that different programs can automate. Some tools follow a similar path. There are instances, however, when using various tools from different software companies is necessary. The ability to move more quickly than with manual configuration is a big benefit of employing automation and configuration management systems. Furthermore, the adoption of proven and validated automation technologies helps to ensure that the risk due to human error is greatly reduced. A network operations team manually configuring 1000 devices by logging in to each device separately is likely to cause misconfigurations, and the procedure would take a long time. Some of the most popular and recurring configurations for which network operators use automation technologies to improve speed and consistency are as follows:

  • Device name/IP address
  • Quality of service
  • Access list entries
  • Usernames/passwords
  • SNMP settings
  • Compliance

Cisco embedded management family

SNMP, NetFlow, IP SLA, Web Services Management Agent, Syslog, ESM (Embedded Syslog Manager), ERM (Embedded Resource Manager), EMM (Embedded Menu Manager), Tcl, and Service Diagnostics are all embedded management technologies in Cisco IOS.

When EEM detects a scenario, it employs policies to trigger actions based on the type of event and the policy settings. EEM currently supports three methods of programmability and scripting:

1. Applets allow CLI commands to be run when a set of conditions is met.

2. EEM supports Tcl (Tool Command Language) development when more complicated programs are required.

3. IOS shell macros are supported in newer versions of IOS, similar to Linux bash shell macros.
