Example: Configuring the Event System Log Priority in an Event Policy

 

It is necessary to log events when monitoring, managing, and troubleshooting routing, switching, and security devices. You can configure an event policy to override the priority of its triggering event so that it is logged based on a different facility type and severity level. This enables the event to be logged even if the system filters events to the destination log file using a different facility type or a higher severity level.

This example simulates an SNMP_TRAP_LINK_UP event for a specific interface. Upon receipt of the event, the event policy overrides the severity level of the event so that it is captured in the configured log file.

Requirements

  • Routing, switching, or security device running Junos OS Release 12.1 or later.

  • Interface is configured and active. This example uses the ge-0/3/1.0 interface.

Overview

This example configures two log files to capture events of facility 'daemon'. One log file is configured to filter for events of severity 'warning' or higher, and the second log file is configured to filter for events of severity 'info' or higher.

The configured event policy triggers on the SNMP_TRAP_LINK_UP event for interface ge-0/3/1.0. The example generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event for the ge-0/3/1.0 interface. The SNMP_TRAP_LINK_DOWN event, which has a severity level of 'warning', is captured in both configured log files. Upon receipt of the SNMP_TRAP_LINK_UP event, the event policy overrides the severity level of the event to 'warning' so that it is also captured in the log file that filters for events of severity 'warning'. By default, if the event policy does not override the severity level of this event, it is captured only in the log file that filters for the severity level 'info'.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

Configuring the Log Files

Step-by-Step Procedure

  1. Configure two log files at the [edit system syslog] hierarchy level to record events of facility daemon.

    Configure one log file to record events of severity 'info' or higher and one log file to record events of severity 'warning' or higher.

  2. Commit the configuration.

  3. To manually test the logging of the events, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up.

    This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.

Results

Verifying the Default System Log Priority of the Events

Purpose

Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.

Action

Review the contents of the syslog-event-daemon-info file configured in Step 1 of the previous procedure. The output shows that the ge-0/3/1.0 interface was brought down and back up and generated an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.

bsmith@R1> show log syslog-event-daemon-info

Review the contents of the syslog-event-daemon-warning file configured in Step 1 of the previous procedure. Because the severity level of the SNMP_TRAP_LINK_UP event is 'info', it does not appear in a log file that is configured to only record events of severity 'warning' or higher. By default, this system log file captures the SNMP_TRAP_LINK_DOWN events, but does not capture the SNMP_TRAP_LINK_UP events.

bsmith@R1> show log syslog-event-daemon-warning

Meaning

Because the SNMP_TRAP_LINK_UP event has a default severity of 'info', it is not forwarded to log files that are configured to capture events of higher severity.

Configuring the Event Policy

Step-by-Step Procedure

  1. Create and name the event policy.

  2. Configure the events statement.

    For this example, the event policy triggers on the SNMP_TRAP_LINK_UP event. Set the attributes-match statement so that the policy triggers only if the SNMP_TRAP_LINK_UP event occurs for the ge-0/3/1.0 interface.

  3. Configure the priority-override event policy action, and include the severity statement with a value of warning.

  4. Commit the configuration.

  5. To manually test the event policy, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up. This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
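The two procedures above (log files, then event policy), written out as configuration-mode set commands. This is an added example, not the configuration from the original page: the policy name raise-link-up-severity is a hypothetical placeholder, while the log file names and the ge-0/3/1.0 interface are the ones this example uses.

```junos
# Added example. The policy name raise-link-up-severity is hypothetical.

# Log files: both select facility daemon; only the severity threshold differs.
set system syslog file syslog-event-daemon-info daemon info
set system syslog file syslog-event-daemon-warning daemon warning

# Event policy: trigger on SNMP_TRAP_LINK_UP, but only for ge-0/3/1.0.
set event-options policy raise-link-up-severity events snmp_trap_link_up
set event-options policy raise-link-up-severity attributes-match snmp_trap_link_up.interface-name matches "ge-0/3/1.0"

# Action: log the triggering event at severity warning instead of info.
set event-options policy raise-link-up-severity then priority-override severity warning

# One way to generate the test events: disable the logical unit, commit,
# then remove the disable statement and commit again.
set interfaces ge-0/3/1 unit 0 disable
commit
delete interfaces ge-0/3/1 unit 0 disable
commit
```

The matches operand is a regular expression, so tighten the pattern if other logical units on the device have names that the same expression would also match.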

Results

Verification

Confirm that the configuration is working properly.

Verifying the Configured System Log Priority of the Events

Purpose

Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.

Action

Review the contents of the syslog-event-daemon-warning file. Because the event policy overrides the severity level of the SNMP_TRAP_LINK_UP event, it now appears in the log file that is configured to only record events of severity 'warning' or higher. Without the override, this system log file captures the SNMP_TRAP_LINK_DOWN events but not the SNMP_TRAP_LINK_UP events.

bsmith@R1> show log syslog-event-daemon-warning

Meaning

Although the SNMP_TRAP_LINK_UP event has a severity of 'info', configuring the priority-override statement with a severity of 'warning' causes the event to be forwarded to the system logs with the configured severity level. The event can be captured in logs that filter for a different facility type and a higher severity level.