System Log Priority for Events in Event Policies
Learn how event policies can log a trigger event with a different system log priority.
You can configure an event policy to override the default system log priority of a triggering event so that the system logs the event with a different facility type, severity level, or both.
Understanding the System Log Priority of Events
Junos OS processes generate system log messages, or event notifications, to record the events that occur on a device. Each system log message identifies the Junos OS process that generated the message and describes the operation or error that occurred. The Junos OS event process (eventd) receives the event notifications. The configured event policies instruct the eventd process to perform a set of actions upon receipt of specific events.
Each system log message belongs to a facility, for example, kernel or daemon. The facility groups messages that are generated by the same source (such as a software process) or concern a similar condition or activity (such as authentication attempts). Each message is also preassigned a severity level, which indicates how seriously the triggering event affects the functions of the device (for example, warning or critical). A message's facility and severity level are together referred to as its priority.
When you configure logging on a device for a specific facility and destination, you also specify a severity level. The device logs messages from that facility that are rated at the configured severity level or higher. To log related events with different severity levels in the same log file, you must filter events using the lowest severity level of any of the events to log. This configuration can result in unwieldy log files that are difficult and time-consuming to parse.
For example, Junos OS logs the protocol UP and DOWN events with different severity levels. Both the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events have a facility of daemon. However, the SNMP_TRAP_LINK_DOWN event has a severity level of warning, and the SNMP_TRAP_LINK_UP event has a severity level of info. Normally, when you configure a system log file, you must filter events to that file using the lower severity level of info in order to log both of the events. However, you can configure event policies to override an event's priority. Thus, the system can record those events in log files that might filter for a different facility type and a higher severity level.
Change an Event's System Log Priority in an Event Policy
You can configure an event policy to override the default system log priority of a triggering event. The priority-override event policy action enables you to modify the priority of the triggering event and log it using a different facility type and severity level. Thus, you can still capture the events in log files that filter for a different facility type or a higher severity level.
For example, suppose you configure a system log file to filter events of facility daemon and severity level notice, and you have event policies that trigger on the RPD_ISIS_ADJDOWN and RPD_ISIS_ADJUP events. When the system generates an RPD_ISIS_ADJDOWN message reporting that the IS-IS adjacency with a neighboring router was terminated, the message is logged. However, if the system subsequently generates an RPD_ISIS_ADJUP event notification reporting that the IS-IS adjacency has been restored, by default, the message is not logged because it has a lower severity level of info. In the event policy that triggers on the RPD_ISIS_ADJUP event, you can override the severity level of the event to notice so that the system logs the event in the configured log file.
Junos OS executes event policies in the order in which they appear in the configuration. If multiple event policies override the priority of the same event, the system uses the priority set by the last executed event policy to change it. Junos OS Evolved, however, does not necessarily execute policies in the configured order.
To override the priority of a trigger event in an event policy:
[edit event-options policy policy-name]
user@host# show
events event1;
then {
priority-override {
facility facility-type;
severity severity-level;
}
}
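As an added illustration (not Junos code and not from this page), the following Python model shows how eventd applies a policy's priority-override before each syslog file's facility and severity filter decides whether to record a message. It assumes that attributes-match patterns behave like a regular-expression search, that policies run in configured order with the last override winning (the Junos OS behaviour described above, not Junos OS Evolved), and it uses constructed events and file names mirroring the example that follows.

```python
import re
from dataclasses import dataclass, field
# Syslog severities, least to most severe; a file filter keeps its level "or higher".
SEVERITIES = ["debug", "info", "notice", "warning", "error", "critical", "alert", "emergency"]

@dataclass
class Event:
    name: str        # e.g. SNMP_TRAP_LINK_UP
    facility: str    # e.g. daemon
    severity: str    # default severity of the message, e.g. info
    attrs: dict = field(default_factory=dict)
@dataclass
class Policy:  # one [edit event-options policy] stanza
    events: set                                           # e.g. {"snmp_trap_link_up"}
    attributes_match: dict = field(default_factory=dict)  # "event.attr" -> regex (assumed: re.search)
    facility: str = None                                  # priority-override facility, if set
    severity: str = None                                  # priority-override severity, if set
def policy_matches(policy, event):
    name = event.name.lower()
    checks = ((k.split(".", 1), v) for k, v in policy.attributes_match.items())
    return name in policy.events and all(
        ev == name and re.search(pat, event.attrs.get(attr, "")) for (ev, attr), pat in checks)

def apply_policies(policies, event):
    # Policies run in configured order; the last override of each field wins (Junos OS).
    facility, severity = event.facility, event.severity
    for policy in policies:
        if policy_matches(policy, event):
            facility = policy.facility or facility
            severity = policy.severity or severity
    return Event(event.name, facility, severity, event.attrs)

def file_accepts(file_facility, file_min_severity, event):
    # Model of 'set system syslog file NAME FACILITY SEVERITY'.
    return (file_facility in ("any", event.facility)
            and SEVERITIES.index(event.severity) >= SEVERITIES.index(file_min_severity))
def route(policies, files, events):
    # Return {file name: [names of the events that file would record]}.
    logged = {name: [] for name in files}
    for event in events:
        event = apply_policies(policies, event)
        for name, (facility, min_sev) in files.items():
            if file_accepts(facility, min_sev, event):
                logged[name].append(event.name)
    return logged
# Constructed inputs mirroring the page's example: two files, one policy, DOWN then UP events.
FILES = {"syslog-event-daemon-info": ("daemon", "info"), "syslog-event-daemon-warning": ("daemon", "warning")}
POLICY = Policy({"snmp_trap_link_up"}, {"snmp_trap_link_up.interface-name": "ge-0/3/1.0"}, severity="warning")
EVENTS = [Event("SNMP_TRAP_LINK_DOWN", "daemon", "warning", {"interface-name": "ge-0/3/1.0"}),
          Event("SNMP_TRAP_LINK_UP", "daemon", "info", {"interface-name": "ge-0/3/1.0"}),
          Event("SNMP_TRAP_LINK_UP", "daemon", "info", {"interface-name": "ge-0/3/2.0"})]
```

Calling route([], FILES, EVENTS) shows the warning file recording only the LINK_DOWN event, while route([POLICY], FILES, EVENTS) adds the LINK_UP event for ge-0/3/1.0 but still drops the one for ge-0/3/2.0, which the attributes-match excludes.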
Example: Configure the Event System Log Priority in an Event Policy
It is necessary to log events when monitoring, managing, and troubleshooting routing, switching, and security devices. You can configure an event policy to override the priority of its triggering event so that it is logged based on a different facility type and severity level. This enables you to log the event even if the system filters events to the destination log file using a different facility type or a higher severity level.
This example simulates an SNMP_TRAP_LINK_UP event for a specific interface. Upon receipt of the event, the event policy overrides the severity level of the event so that it is captured in the configured log file.
Requirements
- Device running Junos OS or device running Junos OS Evolved.
- Interface is configured and active. This example uses the ge-0/3/1.0 interface.
Overview
This example configures two log files to capture events of facility 'daemon'. One log file is configured to filter for events of severity 'warning' or higher, and the second log file is configured to filter for events of severity 'info' or higher.
The configured event policy triggers on the SNMP_TRAP_LINK_UP event for interface ge-0/3/1.0. The example generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event for the ge-0/3/1.0 interface. The SNMP_TRAP_LINK_DOWN event, which has a severity level of 'warning', is captured in both configured log files. Upon receipt of the SNMP_TRAP_LINK_UP event, the event policy overrides the severity level of the event to 'warning' so that it is also captured in the log file that filters for events of severity 'warning'. By default, if the event policy does not override the severity level of this event, the system only captures the event in the log file that filters for severity level 'info'.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them in
a text file, remove any line breaks, change any details necessary to match
your network configuration, and then copy and paste the commands into the
CLI at the [edit] hierarchy level:
set system syslog file syslog-event-daemon-info daemon info
set system syslog file syslog-event-daemon-warning daemon warning
set event-options policy log-on-snmp-trap-link-up events snmp_trap_link_up
set event-options policy log-on-snmp-trap-link-up attributes-match snmp_trap_link_up.interface-name matches ge-0/3/1.0
set event-options policy log-on-snmp-trap-link-up then priority-override severity warning
Configure the Log Files
Step-by-Step Procedure
1. Configure two log files at the [edit system syslog] hierarchy level to record events of facility daemon. Configure one log file to record events of severity 'info' or higher and one log file to record events of severity 'warning' or higher.
   [edit system syslog]
   bsmith@R1# set file syslog-event-daemon-info daemon info
   bsmith@R1# set file syslog-event-daemon-warning daemon warning
2. Commit the configuration.
   bsmith@R1# commit
3. To manually test the logging of the events, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up. This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
   [edit]
   bsmith@R1# set interfaces ge-0/3/1 unit 0 disable
   bsmith@R1# commit
   bsmith@R1# delete interfaces ge-0/3/1 unit 0 disable
   bsmith@R1# commit
Results
[edit]
system {
syslog {
file syslog-event-daemon-info {
daemon info;
}
file syslog-event-daemon-warning {
daemon warning;
}
}
}
Verify the Default System Log Priority of the Events
Purpose
Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.
Action
Review the contents of the syslog-event-daemon-info file configured in Step 1 of the previous procedure. The output shows that the device generated an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event for the ge-0/3/1.0 interface.
bsmith@R1> show log syslog-event-daemon-info
Oct 24 13:22:17 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
...
Oct 24 13:22:29 R1 mib2d[1394]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/3/1.0
Review the contents of the syslog-event-daemon-warning file configured in Step 1 of the previous procedure. Because the severity level of the SNMP_TRAP_LINK_UP event is 'info', the system does not log the event in the log file that records events of severity level 'warning' or higher. By default, this system log file captures the SNMP_TRAP_LINK_DOWN events, but does not capture the SNMP_TRAP_LINK_UP events.
bsmith@R1> show log syslog-event-daemon-warning
Oct 24 13:22:17 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
Meaning
The SNMP_TRAP_LINK_UP event has a default severity level of 'info'. Therefore, the system does not forward the event to log files that filter for events with a higher severity level.
Configure the Event Policy
Step-by-Step Procedure
1. Create and name the event policy.
   [edit]
   bsmith@R1# edit event-options policy log-on-snmp-trap-link-up
2. Configure the events statement. For this example, the event policy triggers on the SNMP_TRAP_LINK_UP event. Set the attributes-match statement so that the policy triggers only if the SNMP_TRAP_LINK_UP event occurs for the ge-0/3/1.0 interface.
   [edit event-options policy log-on-snmp-trap-link-up]
   bsmith@R1# set events snmp_trap_link_up
   bsmith@R1# set attributes-match snmp_trap_link_up.interface-name matches ge-0/3/1.0
3. Configure the priority-override event policy action, and include the severity statement with a value of warning.
   [edit event-options policy log-on-snmp-trap-link-up]
   bsmith@R1# set then priority-override severity warning
4. Commit the configuration.
   bsmith@R1# commit
5. To manually test the event policy, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up. This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
   [edit]
   bsmith@R1# set interfaces ge-0/3/1 unit 0 disable
   bsmith@R1# commit
   bsmith@R1# delete interfaces ge-0/3/1 unit 0 disable
   bsmith@R1# commit
Results
[edit]
event-options {
policy log-on-snmp-trap-link-up {
events snmp_trap_link_up;
attributes-match {
snmp_trap_link_up.interface-name matches ge-0/3/1.0;
}
then {
priority-override {
severity warning;
}
}
}
}
Verification
Confirm that the configuration is working properly.
Verifying the Configured System Log Priority of the Events
Purpose
Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.
Action
Review the contents of the syslog-event-daemon-warning file. The event policy overrides the severity level of the SNMP_TRAP_LINK_UP event. As a result, the system logs the event in the log file that records events of severity level 'warning' or higher. By default, this system log file captures the SNMP_TRAP_LINK_DOWN events, but does not capture the SNMP_TRAP_LINK_UP events.
bsmith@R1> show log syslog-event-daemon-warning
Oct 24 13:29:48 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
Oct 24 13:30:02 R1 mib2d[1394]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/3/1.0
Meaning
Although the SNMP_TRAP_LINK_UP event has a severity level of 'info', configuring the priority-override statement with a severity level of 'warning' causes the system to record the event in the log configured for a severity level of 'warning'. Thus, the system can record events in log files that filter for a different facility type and a higher severity level.