Using Correlated Events to Trigger an Event Policy
You can configure a policy that correlates two or more events. If the correlated events occur as specified, they cause particular actions to be taken. For example, you might want to issue certain operational mode commands when a UI_CONFIGURATION_ERROR event is generated within five minutes (300 seconds) after a UI_COMMIT_PROGRESS event. As another example, you might want to upload a particular file if a DCD_INTERFACE_DOWN event is generated two times within a 60-second interval.
To configure a policy that correlates events, include the following statements at the [edit event-options] hierarchy level:
In the events statement, you can list multiple events. To view a list of the events that can be referenced in an event policy, issue the set event-options policy policy-name events ? configuration mode command:
user@host# set event-options policy policy-name events ?
Possible completions:
<event>
[ Open a set of values
acct_accounting_ferror
acct_accounting_fopen_error
...
Some of the system log messages that you can reference in an event policy are not listed in the output of the set event-options policy policy-name events ? command. For information about referencing these system log messages in your event policies, see Using Nonstandard System Log Messages to Trigger Event Policies.
In addition, you can reference internally generated events, which are discussed in Generating Internal Events to Trigger Event Policies.
The actions configured in the then statement are executed only if certain conditions are met, which you specify in the within and attributes-match statements.
You can configure a policy that is executed only if a specified event occurs within a specified time interval after another event. You do this by including the within seconds events statement. The policy is executed only if one or more of the events in the first events statement occur within a configured number of seconds after one or more of the events in the within seconds events statement. The number of seconds can be from 60 through 604,800. The not statement causes the policy to be executed only if the events do not occur within the configured time interval.
For example, the following policy is executed if event3, event4, or event5 occurs within 60 seconds after event1 or event2 occurs:
The attributes-match statement correlates two events as follows:
- event1.attribute-name equals event2.attribute-name—Execute the policy only if the specified attribute of event1 equals the specified attribute of event2.
- event.attribute-name matches regular-expression—Execute the policy only if the specified attribute of event matches a regular expression. For more information, see Using Regular Expressions to Refine the Set of Events That Trigger a Policy.
- event1.attribute-name starts-with event2.attribute-name—Execute the policy only if the specified attribute of event1 starts with the specified attribute of event2.
If the attributes-match statement includes the equals or starts-with options, or if it includes a matches option that includes a clause for an event that is not specified at the [edit event-options policy policy-name events] hierarchy level, you must include one or more within statements in the same policy configuration.
Starting with Junos OS Release 11.1, you can use event policy variables within the attributes-match statement to differentiate between a trigger event attribute and a correlated event attribute. The double dollar sign ($$) notation represents the event that is triggering a policy, and {$$.attribute-name} resolves to the value of the attribute of the triggering event. Triggering events are those that you configure at the [edit event-options policy policy-name events] hierarchy level. For correlating events, the single dollar sign with the event name ($event) notation represents the most recent event that matches the event name, and {$event.attribute-name} resolves to the value of the attribute of the correlated event.
In the following example, the policy will execute the actions under the then statement if four or more commits are performed within a 5-minute period, and the username of one or more of the correlated events is the same as the username of the trigger event.
policy multiple-commits {
    events ui_commit;
    attributes-match {
        {$$.user-name} equals {$ui_commit.user-name};
    }
    within 300 {
        trigger after 3;
        events ui_commit;
    }
    then ...
}
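The counting and attribute comparison in the multiple-commits policy can be reasoned about off-box with a small model that replays an event stream and reports which commits would run the then actions. This is an added example, not Juniper code and not how eventd is implemented. The Event class, the firings function, the inclusive window boundary, and the sample stream are assumptions for illustration, and the count includes the triggering commit, following the "four or more commits" reading given above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int      # arrival time in seconds
    name: str    # event ID, e.g. "ui_commit"
    user: str    # value of the user-name attribute

def firings(stream, trigger="ui_commit", correlated="ui_commit",
            within=300, after=3):
    """Return the trigger events for which the modelled policy would run."""
    seen, fired = [], []
    for ev in sorted(stream, key=lambda e: e.ts):
        # Correlated events that arrived inside the window before this one.
        window = [p for p in seen
                  if p.name == correlated and ev.ts - p.ts <= within]
        seen.append(ev)
        if ev.name != trigger:
            continue
        # "trigger after 3": more than 3 matching events, counting this
        # trigger when it is itself one of the correlated events (assumption).
        count = len(window) + (1 if trigger == correlated else 0)
        # {$$.user-name} equals {$ui_commit.user-name}: at least one
        # correlated event carries the same user-name as the trigger.
        same_user = any(p.user == ev.user for p in window)
        if count > after and same_user:
            fired.append(ev)
    return fired

# Constructed sample stream (not real device logs).
SAMPLE = [
    Event(0, "ui_commit", "alice"),
    Event(40, "ui_commit", "bob"),
    Event(90, "ui_commit", "alice"),
    Event(200, "ui_commit", "alice"),   # 4th commit in 300 s, alice seen before
    Event(900, "ui_commit", "alice"),   # earlier commits are outside the window
    Event(950, "ui_commit", "bob"),
    Event(1000, "ui_commit", "carol"),
    Event(1050, "ui_commit", "dave"),   # 4 commits, but none earlier by dave
]

if __name__ == "__main__":
    for ev in firings(SAMPLE):
        print(f"policy fires at t={ev.ts}s for user {ev.user}")
```

The commit at t=1050 shows why the attributes-match clause matters: the count threshold is met, but no correlated commit shares the trigger's user-name, so the model does not fire.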
To view a list of all event attributes that you can reference, issue the help syslog event operational mode command. The output of this command shows the event attributes in angle brackets (<>). The following output shows that three attributes can be referenced for the ACCT_ACCOUNTING_SMALL_FILE_SIZE event: filename, file-size, and record-size.
user@host> help syslog ACCT_ACCOUNTING_SMALL_FILE_SIZE
Name: ACCT_ACCOUNTING_SMALL_FILE_SIZE
Message: File <filename> size (<file-size>) is smaller than record size (<record-size>)
You can filter the output of a search by using the pipe (|) symbol. The following example lists the filters that can be used with the pipe symbol:
user@host> help syslog | ?
Possible completions:
  count        Count occurrences
  display      Show additional kinds of information
  except       Show only text that does not match a pattern
  find         Search for first occurrence of pattern
  hold         Hold text without exiting the --More-- prompt
  last         Display end of output only
  match        Show only text that matches a pattern
  no-more      Don't paginate output
  request      Make system-level requests
  resolve      Resolve IP addresses
  save         Save output text to file
  trim         Trim specified number of columns from start of line
For more information about using the pipe symbol, see the CLI User Guide.
Another way to view the attributes you can reference is by issuing the set attributes-match event? command at the [edit event-options policy policy-name] hierarchy level, as shown in the following example:
[edit event-options policy p1]
user@host# set attributes-match acct_accounting_small_file_size?
Possible completions:
<from-event-attribute> First attribute to compare
acct_accounting_small_file_size.filename
acct_accounting_small_file_size.filesize
acct_accounting_small_file_size.record-size
Note: In this set command, there is no space between the event name and the question mark (?).