Chapter 27. Event Monitor

The Event Monitor on an Arista switch is a slick little tool that, according to the documentation, “writes system event records to local files for access by sqlite database commands.” While a technically accurate description, allow me to expand on that a bit.

Event monitor is a process that records certain common events on the switch. As of EOS version, the events recorded include changes to the MAC address table (what MAC is mapped to what port), changes to the IP routing table, and changes to the ARP table (MAC address to IP address mapping).


Generally, EOS releases are named in the A.B.C format. When I wrote this chapter, the latest revision was, which included an urgent patch serious enough to warrant a minor release. The revision was quickly replaced by 4.9.4, but the newer release did not effect any of the chapters where I used

OK, I’ll admit that still sounds boring, but let’s dig into this tool and see what it does, and how it might be useful.

Using Event Monitor

The home base for using Event Monitor from EOS is the show event-monitor command. As of EOS v., there are only four options:

Arista#sho event-monitor ?
  arp     Monitor ARP table events
  mac     Monitor MAC table events
  route   Monitor routing events
  sqlite  enter a sqlite statment

There are three tables that we can view, and one very cool option named sqlite. The sqlite option lets us send sqlite commands from EOS to the sqlite database, which, as we’ll see, is pretty darn ...

Get Arista Warrior now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.