Understanding the Event System Log Priority in an Event Policy
Starting in Junos OS Release 12.1, you can configure an event policy to override the default system log priority of a triggering event so that the system logs the event with a different facility type, severity level, or both. To override the priority of the triggering event, configure the priority-override statement at the [edit event-options policy policy-name then] hierarchy level. To override the facility type with which the triggering event is logged, include the facility statement and the new facility type. To override the severity level with which the triggering event is logged, include the severity statement and the new severity level.
Junos OS processes generate system log messages, or event notifications, to record the events that occur on a routing, switching, or security platform. Each system log message identifies the Junos OS process that generated the message and describes the operation or error that occurred. The Junos OS event process (eventd) receives the event notifications, and configured event policies instruct the eventd process to perform a set of actions upon receipt of specific events or correlated events.
Each system log message belongs to a facility, which groups messages that either are generated by the same source (such as a software process) or concern a similar condition or activity (such as authentication attempts). Each message is also preassigned a severity level, which indicates how seriously the triggering event affects the functions of the routing, switching, or security platform. A message’s facility and severity level are together referred to as its priority. For more information about facility and severity levels, see Junos OS System Logging Facilities and Message Severity Levels.
When you configure logging on a device for a specific facility and destination, you also specify a severity level. Messages from that facility that are rated at the configured severity level or higher are logged. To log related events with different severity levels in the same log file, you must filter events using the lowest severity level of any of the events from that facility to be logged. This can result in unwieldy log files that are difficult and time-consuming to parse.
For example, Junos OS logs the protocol UP and DOWN events with different severity levels. Both the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events have a facility of 'daemon', but the SNMP_TRAP_LINK_DOWN event has a severity level of 'warning', and the SNMP_TRAP_LINK_UP event has a severity level of 'info'. Normally, when you configure a system log file, you must filter events to that file using the lower severity level of 'info' in order to log both of the events.
The event policy priority-override statement enables you to customize the priority of the triggering event so that it is logged using a different facility type, severity level, or both. Suppose you configure a system log file to filter events of facility 'daemon' and severity 'notice', and you have event policies that trigger on the RPD_ISIS_ADJDOWN and RPD_ISIS_ADJUP events. When the system generates an RPD_ISIS_ADJDOWN message reporting that the IS-IS adjacency with a neighboring router was terminated, this message is logged. However, if the system subsequently generates an RPD_ISIS_ADJUP event notification reporting that the IS-IS adjacency has been restored, by default, the message is not logged, because it has a lower severity level of 'info'. In the event policy that triggers on the RPD_ISIS_ADJUP event, you can configure the associated priority so that the triggering RPD_ISIS_ADJUP event is logged with a severity level of 'notice' and is captured in the configured log file.
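The following configuration is an added example that illustrates the IS-IS scenario described above; it is not taken from the Juniper documentation. The policy name log-isis-adjup and the log file name isis-adjacency are assumed, chosen only for illustration. The facility (daemon), the severity (notice), the priority-override statement, and its position under [edit event-options policy policy-name then] are the ones the text describes.

```junos
/* Added example, not from the original page. Assumed names: policy
   "log-isis-adjup" and syslog file "isis-adjacency". */
event-options {
    policy log-isis-adjup {
        /* Trigger on the adjacency-restored event, which is logged
           at severity "info" by default. */
        events RPD_ISIS_ADJUP;
        then {
            /* Re-log the triggering event at "daemon notice" so it
               passes the filter of the file configured below. */
            priority-override {
                facility daemon;
                severity notice;
            }
        }
    }
}
system {
    syslog {
        /* Capture facility "daemon" at severity "notice" or higher.
           RPD_ISIS_ADJDOWN ("warning") already qualifies; with the
           override above, RPD_ISIS_ADJUP now qualifies as well. */
        file isis-adjacency {
            daemon notice;
        }
    }
}
```

After committing, the adjacency-down and adjacency-up messages for a neighbor both appear in the same file (show log isis-adjacency), so an outage and its recovery can be read as a pair without lowering the file's filter to 'info' and collecting every other daemon-level informational message. Because policies are executed in configuration order, confirm that no later policy also overrides the priority of RPD_ISIS_ADJUP; if one does, the last override applied is the one the message is logged with.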
Event policies are executed in the order in which they appear in the configuration. When you configure multiple event policies to override the priority of the same event, the event is logged based on the priority set by the last executed event policy to change it.