Correlating Events

You can configure a policy that correlates two or more events. If the correlated events occur as specified, they cause particular actions to be taken. For example, you might want to issue certain operational mode commands when a UI_CONFIGURATION_ERROR event is generated within five minutes (300 seconds) after a UI_COMMIT_PROGRESS event. As another example, you might want to upload a particular file if a DCD_INTERFACE_DOWN event is generated two times within a 60-second interval.

To configure a policy that correlates events, include the following statements at the [edit event-options] hierarchy level:

[edit event-options]

policy policy-name {

    events [ events ];

    within seconds not events [ events ];

    attributes-match {

        event1.attribute-name equals event2.attribute-name; 

        event.attribute-name matches regular-expression;

        event1.attribute-name starts-with event2.attribute-name;

    }

}

In the events statement, you can list multiple events. To view a list of the events that can be referenced in an event policy, issue the set event-options policy policy-name events ? configuration mode command:

user@host# set event-options policy policy-name events ?

Possible completions:

  <event>              

  [                    Open a set of values

  acct_accounting_ferror  

  acct_accounting_fopen_error 

...

In addition, you can reference internally generated events, which are discussed in Generating Internal Events.

The actions configured in the then statement are executed only if certain conditions are met, which you specify in the within and attributes-match statements.

You can configure a policy that is executed only if a specified event occurs within a specified time interval after another event. You do this by including the within seconds events statement. The policy is executed only if one or more of the events in the first events statement occur within a configured number of seconds after one or more of the events in the within seconds events statement. The number of seconds can be from 60 through 604,800. The not statement causes the policy to be executed only if the events do not occur within the configured time interval.

For example, the following policy is executed if event3, event4, or event5 occurs within 60 seconds after event1 or event2 occurs:

event-options {

    policy 1 {

        events [ event3 event4 event5 ];

        within 60 events [ event1 event2 ];

        then {

            ...

        }

    }

}

The attributes-match statement correlates two events as follows:

• event1.attribute-name equals event2.attribute-name—Execute the policy only if the specified attribute of event1 equals the specified attribute of event2.
• event.attribute-name matches regular-expression—Execute the policy only if the specified attribute of event matches a regular expression. For more information, see Using Regular Expressions to Refine the Set of Events That Cause a Policy to Be Executed.
• event1.attribute-name starts-with event2.attribute-name—Execute the policy only if the specified attribute of event1 starts with the specified attribute of event2.

You can include the attributes-match statement only if you include one or more within statements in the same policy configuration. This means the events are correlated only if they occur within a specified time period.

To view a list of all event attributes that you can reference, issue the help syslog event operational mode command. The output of this command shows the event attributes in angle brackets (<>). The following output shows that three attributes can be referenced for the ACCT_ACCOUNTING_SMALL_FILE_SIZE event: filename, filesize, and record-size.

user@host> help syslog ACCT_ACCOUNTING_SMALL_FILE_SIZE 

Name:           ACCT_ACCOUNTING_SMALL_FILE_SIZE

Message:       File <filename> size (<filesize>) is smaller than record size 
(<record-size>)

Another way to view the attributes you can reference is by issuing the set attributes-match event? command at the [edit event-options policy policy-name] hierarchy level, as shown in the following example:

[edit event-options policy p1]

user@host# set attributes-match acct_accounting_small_file_size?                                

Possible completions:

  <from-event-attribute>  First attribute to compare

  acct_accounting_small_file_size.filename  

  acct_accounting_small_file_size.filesize  

  acct_accounting_small_file_size.record-size 

For configuration examples, see Ignoring Events Based on Receipt of Other Events, Correlating Events Based on Event Attributes, and Controlling Event Policy Using a Regular Expression.