Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Using Correlated Events to Trigger an Event Policy

 

You can configure a policy that correlates two or more events. If the correlated events occur as specified, they cause particular actions to be taken. For example, you might want to issue certain operational mode commands when a UI_CONFIGURATION_ERROR event is generated within five minutes (300 seconds) after a UI_COMMIT_PROGRESS event. As another example, you might want to upload a particular file if a DCD_INTERFACE_DOWN event is generated two times within a 60-second interval.

To configure a policy that correlates events, include the following statements at the [edit event-options] hierarchy level:

In the events statement, you can list multiple events. To view a list of the events that can be referenced in an event policy, issue the set event-options policy policy-name events ? configuration mode command:

Some of the system log messages that you can reference in an event policy are not listed in the output of the set event-options policy policy-name events ? command. For information about referencing these system log messages in your event policies, see Using Nonstandard System Log Messages to Trigger Event Policies.

In addition, you can reference internally generated events, which are discussed in Generating Internal Events to Trigger Event Policies.

The actions configured in the then statement are executed only if certain conditions are met, which you specify in the within and attributes-match statements.

You can configure a policy that is executed only if a specified event occurs within a specified time interval after another event. You do this by including the within seconds events statement. The policy is executed only if one or more of the events in the first events statement occur within a configured number of seconds after one or more of the events in the within seconds events statement. The number of seconds can be from 60 through 604,800. The not statement causes the policy to be executed only if the events do not occur within the configured time interval.

For example, the following policy is executed if event3, event4, or event5 occurs within 60 seconds after event1 or event2 occurs:

The attributes-match statement correlates two events as follows:

  • event1.attribute-name equals event2.attribute-name—Execute the policy only if the specified attribute of event1 equals the specified attribute of event2.

  • event.attribute-name matches regular-expression—Execute the policy only if the specified attribute of event matches a regular expression. For more information, see Using Regular Expressions to Refine the Set of Events That Trigger a Policy.

  • event1.attribute-name starts-with event2.attribute-name—Execute the policy only if the specified attribute of event1 starts with the specified attribute of event2.

If the attributes-match statement includes the equals or starts-with options, or if it includes a matches option that includes a clause for an event that is not specified at the [edit event-options policy policy-name events] hierarchy level, you must include one or more within statements in the same policy configuration.

Starting in Junos OS Release 11.1, you can use event policy variables within the attributes-match statement to differentiate between a trigger event attribute and a correlated event attribute. The double dollar sign ($$) notation represents the event that is triggering a policy, and {$$.attribute-name} resolves to the value of the attribute of the triggering event. Triggering events are those that you configure at the [edit event-options policy policy-name events] hierarchy level. For correlating events, the single dollar sign with the event name ($event) notation represents the most recent event that matches the event name, and {$event.attribute-name} resolves to the value of the attribute associated with that event.

In the following example, the policy will execute the actions under the then statement if four or more commits are performed within a 5-minute period, and the username of one or more of the correlated events is the same as the username of the trigger event.

To view a list of all event attributes that you can reference, issue the help syslog event operational mode command. The output of this command shows the event attributes in angle brackets (<>). The following output shows that three attributes can be referenced for the ACCT_ACCOUNTING_SMALL_FILE_SIZE event: filename, file-size, and record-size.

user@host> help syslog ACCT_ACCOUNTING_SMALL_FILE_SIZE

You can filter the output of a search by using the pipe (|) symbol. The following example lists the filters that can be used with the pipe symbol:

user@host> help syslog | ?

For more information about using the pipe symbol, see the CLI User Guide.

Another way to view the attributes you can reference is by issuing the set attributes-match event? command at the [edit event-options policy policy-name] hierarchy level, as shown in the following example:

Note

In this set command, there is no space between the event name and the question mark (?).