Example: Correlating Events Based on Receipt of Other Events Within a Specified Time Interval

In the following policy, a set of commands is issued and the output is logged and saved to a given location. The policy is executed if event3, event4, or event5 occurs within 60 seconds after event1 or event2 occurs. The pseudocode for the policy is as follows:

if this event is (event3 or event4 or event5)
    and
    (event1 or event2 has been received within the last 60 seconds)
then {
    run a set of commands;
    log the output of these commands to a location;
}

Specify two archive sites in the configuration. The device attempts to transfer to the first archive site in the list, moving to the next site only if the transfer fails.

[edit event-options]
policy 1 {
    events [ event3 event4 event5 ];
    within 60 events [ event1 event2 ];
    then {
        execute-commands {
            commands {
                "command";
            }
            output-filename my_cmd_out;
            destination policy-1-command-dest;
        }
    }
}
destinations {
    policy-1-command-dest {
        archive-sites {
            scp://robot@my.big.com/a/b;
            scp://robot@my.little.com/a/b;
        }
    }
}
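
The following Python model is an added example, not part of the original page and not Juniper's implementation; it reproduces the policy's time-window correlation and the ordered archive-site failover so the matching behavior can be checked against a sample event stream. The event stream and the `transfer` callback are constructed for illustration, and treating a correlating event exactly 60 seconds old as still inside the window is an assumption.

```python
from collections import deque

TRIGGERS = {"event3", "event4", "event5"}   # the policy's "events" list
CORRELATING = {"event1", "event2"}          # the "within 60 events" list
WINDOW = 60                                 # seconds
ARCHIVE_SITES = ["scp://robot@my.big.com/a/b", "scp://robot@my.little.com/a/b"]

def matching_triggers(stream, window=WINDOW):
    """Return the (timestamp, event) pairs for which the policy would execute.

    stream: iterable of (timestamp_seconds, event_name) in time order.
    """
    recent = deque()  # timestamps of correlating events still inside the window
    fired = []
    for ts, name in stream:
        # Drop correlating events older than the window.
        # Assumption: an event exactly `window` seconds old still counts.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if name in CORRELATING:
            recent.append(ts)
        elif name in TRIGGERS and recent:
            fired.append((ts, name))
    return fired

def transfer_with_failover(sites, transfer):
    """Try sites in listed order; return the first that succeeds, else None.

    transfer: hypothetical callback returning True when the copy succeeds.
    """
    for site in sites:
        if transfer(site):
            return site
    return None

# Constructed sample stream: (seconds, event name)
SAMPLE = [
    (0, "event3"),    # no correlating event seen yet: no match
    (10, "event1"),
    (40, "event4"),   # 30 s after event1: match
    (69, "event5"),   # 59 s after event1: match
    (75, "event9"),   # not named in the policy: ignored
    (100, "event3"),  # 90 s after event1: no match
    (200, "event2"),
    (261, "event5"),  # 61 s after event2: no match
]

if __name__ == "__main__":
    for ts, name in matching_triggers(SAMPLE):
        print(f"t={ts}s {name}: execute commands, archive output")
```
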

Published: 2013-03-05
