Example: Triggering a Policy Based on Event Count
This section discusses two examples.
Note: The RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, and SSH_LOGIN_FAIL events are not actual Junos OS events. They are illustrative for these examples.
Example 1
Configure an event policy called login. The login policy is executed if five login failure events (RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, or SSH_LOGIN_FAIL) are generated within 120 seconds. Take action by executing the login-fail.xsl event script, which disables the user account.
Table 1 shows how events add to the count.
Table 1: Event Count Triggers Policy
Event Number | Event | Time | Count | Order |
---|---|---|---|---|
1 | RADIUS_LOGIN_FAIL | 00:00:00 | 1 | [1] |
2 | TELNET_LOGIN_FAIL | 00:00:20 | 2 | [1 2] |
3 | RADIUS_LOGIN_FAIL | 00:02:05 | 2 | [2 3] |
4 | SSH_LOGIN_FAIL | 00:02:40 | 2 | [3 4] |
5 | TELNET_LOGIN_FAIL | 00:02:55 | 3 | [3 4 5] |
6 | TELNET_LOGIN_FAIL | 00:03:01 | 4 | [3 4 5 6] |
7 | RADIUS_LOGIN_FAIL | 00:03:55 | 5 | [3 4 5 6 7] |
The columns in Table 1 mean the following:
- Event number—Event sequence number.
- Event—Policy login events received by the event process (eventd).
- Time—Time (in hh:mm:ss format) when eventd receives the event.
- Count—The number of events received by eventd within the last 120 seconds.
- Order—Order of events as received by eventd within the last 120 seconds.
At time 00:03:55, the value of count is more than 4; therefore, the login policy executes the login-fail.xsl script.
Example 2
Configure an event policy called login. The login policy is executed if five login failure events (RADIUS_LOGIN_FAIL, TELNET_LOGIN_FAIL, or SSH_LOGIN_FAIL) are generated within 120 seconds from username roger. Take action by executing the login-fail.xsl event script, which disables the roger user account.
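The counting rule behind Example 1 and Example 2 can be checked offline with a small sliding-window model. This is an added example, not Junos OS or eventd code: the function names, the per-event username field, the user alice, and the treatment of an event exactly 120 seconds old as expired are assumptions made for illustration.

```python
from collections import deque

WINDOW = 120     # seconds, as in both examples
THRESHOLD = 5    # policy runs once the windowed count is more than 4
LOGIN_EVENTS = {"RADIUS_LOGIN_FAIL", "TELNET_LOGIN_FAIL", "SSH_LOGIN_FAIL"}

def to_seconds(hhmmss):
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def evaluate(events, username=None):
    """Return one (event_number, count, order, fired) row per counted event.

    events   -- iterable of (number, name, "hh:mm:ss", username)
    username -- if set, count only that user's events (Example 2)
    """
    window = deque()  # (timestamp, event_number) pairs still inside the window
    rows = []
    for number, name, stamp, user in events:
        if name not in LOGIN_EVENTS:
            continue
        if username is not None and user != username:
            continue
        now = to_seconds(stamp)
        # Assumption: an event exactly WINDOW seconds old has already expired.
        while window and now - window[0][0] >= WINDOW:
            window.popleft()
        window.append((now, number))
        order = [n for _, n in window]
        rows.append((number, len(window), order, len(window) >= THRESHOLD))
    return rows

# Constructed sample: the Table 1 timeline, with made-up usernames added
SAMPLE = [
    (1, "RADIUS_LOGIN_FAIL", "00:00:00", "roger"),
    (2, "TELNET_LOGIN_FAIL", "00:00:20", "roger"),
    (3, "RADIUS_LOGIN_FAIL", "00:02:05", "roger"),
    (4, "SSH_LOGIN_FAIL",    "00:02:40", "alice"),
    (5, "TELNET_LOGIN_FAIL", "00:02:55", "roger"),
    (6, "TELNET_LOGIN_FAIL", "00:03:01", "alice"),
    (7, "RADIUS_LOGIN_FAIL", "00:03:55", "roger"),
]

if __name__ == "__main__":
    for label, user in (("Example 1", None), ("Example 2", "roger")):
        print(label)
        for number, count, order, fired in evaluate(SAMPLE, username=user):
            print(f"  event {number}: count={count} order={order} fired={fired}")
```

Without a username filter the output reproduces the Count and Order columns of Table 1 and fires at event 7. Restricted to roger, the same stream never exceeds a count of 3, so the per-user policy of Example 2 would not run on this sample.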