Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Example: Triggering a Policy Based on Event Count

 

This section discusses two examples.

Note

The RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, and SSH_LOGIN_FAIL events are not actual Junos OS events. They are illustrative for these examples.

Example 1

Configure an event policy called login. The login policy is executed if five login failure events (RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, or SSH_LOGIN_FAIL) are generated within 120 seconds. Take action by executing the login-fail.xsl event script, which disables the user account.

Table 1 shows how events add to the count.

Table 1: Event Count Triggers Policy

Event Number

Event

Time

Count

Order

1

RADIUS_LOGIN_FAIL

00:00:00

1

[1]

2

TELNET_LOGIN_FAIL

00:00:20

2

[1 2]

3

RADIUS_LOGIN_FAIL

00:02:05

2

[2 3]

4

SSH_LOGIN_FAIL

00:02:40

2

[3 4]

5

TELNET_LOGIN_FAIL

00:02:55

3

[3 4 5]

6

TELNET_LOGIN_FAIL

00:03:01

4

[3 4 5 6]

7

RADIUS_LOGIN_FAIL

00:03:55

5

[3 4 5 6 7]

The columns in Table 1 mean the following:

  • Event number—Event sequence number.

  • Event—Policy login events received by the event process (eventd).

  • Time—Time (in hh:mm:ss format) when eventd receives the event.

  • Count—The number of events received by eventd within the last 120 seconds.

  • Order—Order of events as received by eventd within the last 120 seconds.

At time 00:03:55, the value of count is more than 4; therefore, the login policy executes the login-fail.xsl script.

Example 2

Configure an event policy called login. The login policy is executed if five login failure events (RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, or SSH_LOGIN_FAIL) are generated within 120 seconds from username roger. Take action by executing the login-fail.xsl event script, which disables the roger user account.