Example: Ignore Events Based on Receipt of Other Events
In the following policy, if any of event1, event2, or event3 has occurred, and either event4 or event5 has occurred within the last 600 seconds, and event6 has not occurred within the last 800 seconds, then the event that triggered the policy (event1, event2, or event3) is ignored, meaning system log messages are not created.
[edit event-options]
policy 1 {
    events [ event1 event2 event3 ];
    within 600 events [ event4 event5 ];
    within 800 not events event6;
    then {
        ignore;
    }
}
Sometimes events are generated repeatedly within a short period of time. In this case, it is redundant to execute a policy multiple times, once for each instance of the event. Event dampening allows you to slow down the execution of policies by ignoring instances of an event that occur within a specified time after another instance of the same event.
In the following example, an action is taken only if the eventd process has not received another instance of the event within the past 60 seconds. If an instance of the event has been received within the last 5 seconds, the policy is not executed and a system log message for the event is not created again.
[edit event-options]
policy dampen-policy {
    events event1;
    within 60 events event1;
    then {
        ignore;
    }
}
policy policy {
    events event1;
    then {
        ... actions ...
    }
}
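The following is an added example, not part of the original documentation and not Juniper code: a small Python model of the two ignore policies above, replayed over constructed event timelines to show which triggering events are ignored and therefore never logged. It assumes that eventd records every received event, including ignored ones, and that only events received before the trigger count toward a within clause; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    events: set                                      # triggering events
    within: list = field(default_factory=list)       # (seconds, {events}): one must have occurred
    within_not: list = field(default_factory=list)   # (seconds, {events}): none may have occurred

def seen(history, names, now, window):
    """True if any event in names was received in the window seconds before now."""
    return any(n in names and 0 <= now - t <= window for t, n in history)

def matches(policy, history, now, name):
    """True if the policy's then clause (here: ignore) applies to this trigger."""
    if name not in policy.events:
        return False
    return (all(seen(history, ev, now, w) for w, ev in policy.within)
            and not any(seen(history, ev, now, w) for w, ev in policy.within_not))

def ignored(policy, timeline):
    """Replay (timestamp, event) pairs in order; return the triggers the policy ignores."""
    history, out = [], []
    for t, name in timeline:
        if matches(policy, history, t, name):
            out.append((t, name))
        history.append((t, name))  # assumption: receipt is recorded even when ignored
    return out

# "policy 1" and "dampen-policy" from the configurations above
POLICY_1 = Policy({"event1", "event2", "event3"},
                  within=[(600, {"event4", "event5"})],
                  within_not=[(800, {"event6"})])
DAMPEN = Policy({"event1"}, within=[(60, {"event1"})])

# Constructed timelines (seconds, event name); not real device output
TIMELINE_1 = [(0, "event6"), (100, "event4"), (300, "event1"),
              (900, "event5"), (1000, "event2"), (1700, "event3")]
TIMELINE_2 = [(t, "event1") for t in (0, 30, 59, 100, 200, 230)]

if __name__ == "__main__":
    print("policy 1 ignores:     ", ignored(POLICY_1, TIMELINE_1))
    print("dampen-policy ignores:", ignored(DAMPEN, TIMELINE_2))
```

In the dampening replay, the instance at 100 seconds is ignored even though the last instance that was acted on arrived at 0 seconds, because under the stated assumption the window is measured from the most recent receipt. A steady stream of instances spaced under 60 seconds apart therefore stays unlogged after the first one, which is worth accounting for when the dampened event feeds monitoring or alerting.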