Example: Configuring the Event System Log Priority in an Event Policy
It is necessary to log events when monitoring, managing, and troubleshooting routing, switching, and security devices. You can configure an event policy to override the priority of its triggering event so that it is logged based on a different facility type and severity level. This enables the event to be logged even if the system filters events to the destination log file using a different facility type or a higher severity level.
This example simulates an SNMP_TRAP_LINK_UP event for a specific interface. Upon receipt of the event, the event policy overrides the severity level of the event so that it is captured in the configured log file.
Requirements
Routing, switching, or security device running Junos OS Release 12.1 or later.
Interface is configured and active. This example uses the ge-0/3/1.0 interface.
Overview
This example configures two log files to capture events of facility 'daemon'. One log file is configured to filter for events of severity 'warning' or higher, and the second log file is configured to filter for events of severity 'info' or higher.
The configured event policy triggers on the SNMP_TRAP_LINK_UP event for interface ge-0/3/1.0. The example generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event for the ge-0/3/1.0 interface. The SNMP_TRAP_LINK_DOWN event, which has a severity level of 'warning', is captured in both configured log files. Upon receipt of the SNMP_TRAP_LINK_UP event, the event policy overrides the severity level of the event to 'warning' so that it is also captured in the log file that filters for events of severity 'warning'. By default, if the event policy does not override the severity level of this event, it is only captured in the log file that filters for the severity level 'info'.
Configuration
- CLI Quick Configuration
- Configuring the Log Files
- Verifying the Default System Log Priority of the Events
- Configuring the Event Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:
set system syslog file syslog-event-daemon-info daemon info
set system syslog file syslog-event-daemon-warning daemon warning
set event-options policy log-on-snmp-trap-link-up events snmp_trap_link_up
set event-options policy log-on-snmp-trap-link-up attributes-match snmp_trap_link_up.interface-name matches ge-0/3/1.0
set event-options policy log-on-snmp-trap-link-up then priority-override severity warning
Configuring the Log Files
Step-by-Step Procedure
Configure two log files at the [edit system syslog] hierarchy level to record events of facility daemon. Configure one log file to record events of severity 'info' or higher and one log file to record events of severity 'warning' or higher.
[edit system syslog]
bsmith@R1# set file syslog-event-daemon-info daemon info
bsmith@R1# set file syslog-event-daemon-warning daemon warning
Commit the configuration.
bsmith@R1# commit
To manually test the logging of the events, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up.
This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
[edit]
bsmith@R1# set interfaces ge-0/3/1 unit 0 disable
bsmith@R1# commit
bsmith@R1# delete interfaces ge-0/3/1 unit 0 disable
bsmith@R1# commit
Results
[edit]
system {
    syslog {
        file syslog-event-daemon-info {
            daemon info;
        }
        file syslog-event-daemon-warning {
            daemon warning;
        }
    }
}
Verifying the Default System Log Priority of the Events
Purpose
Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.
Action
Review the contents of the syslog-event-daemon-info file configured in Step 1 of the previous procedure. The output shows that the ge-0/3/1.0 interface was brought down and back up and generated an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
bsmith@R1> show log syslog-event-daemon-info
Oct 24 13:22:17 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
...
Oct 24 13:22:29 R1 mib2d[1394]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/3/1.0
Review the contents of the syslog-event-daemon-warning file configured in Step 1 of the previous procedure. Because the severity level of the SNMP_TRAP_LINK_UP event is 'info', it does not appear in a log file that is configured to only record events of severity 'warning' or higher. By default, this system log file captures the SNMP_TRAP_LINK_DOWN events, but does not capture the SNMP_TRAP_LINK_UP events.
bsmith@R1> show log syslog-event-daemon-warning
Oct 24 13:22:17 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
Meaning
Because the SNMP_TRAP_LINK_UP event has a default severity of 'info', it is not forwarded to log files that are configured to capture events of higher severity.
Configuring the Event Policy
Step-by-Step Procedure
Create and name the event-policy.
[edit]
bsmith@R1# edit event-options policy log-on-snmp-trap-link-up
Configure the events statement. For this example, the event policy triggers on the SNMP_TRAP_LINK_UP event. Set the attributes-match statement so that the policy triggers only if the SNMP_TRAP_LINK_UP event occurs for the ge-0/3/1.0 interface.
[edit event-options policy log-on-snmp-trap-link-up]
bsmith@R1# set events snmp_trap_link_up
bsmith@R1# set attributes-match snmp_trap_link_up.interface-name matches ge-0/3/1.0
Configure the priority-override event policy action, and include the severity statement with a value of warning.
[edit event-options policy log-on-snmp-trap-link-up]
bsmith@R1# set then priority-override severity warning
Commit the configuration.
bsmith@R1# commit
To manually test the event policy, take the ge-0/3/1.0 logical interface temporarily offline, and then bring it back up. This generates an SNMP_TRAP_LINK_DOWN event followed by an SNMP_TRAP_LINK_UP event.
[edit]
bsmith@R1# set interfaces ge-0/3/1 unit 0 disable
bsmith@R1# commit
bsmith@R1# delete interfaces ge-0/3/1 unit 0 disable
bsmith@R1# commit
Results
[edit]
event-options {
    policy log-on-snmp-trap-link-up {
        events snmp_trap_link_up;
        attributes-match {
            snmp_trap_link_up.interface-name matches ge-0/3/1.0;
        }
        then {
            priority-override {
                severity warning;
            }
        }
    }
}
Verification
Confirm that the configuration is working properly.
Verifying the Configured System Log Priority of the Events
Purpose
Verify that the system generated the SNMP_TRAP_LINK_DOWN and SNMP_TRAP_LINK_UP events for the ge-0/3/1.0 interface, and note where each event is logged.
Action
Review the contents of the syslog-event-daemon-warning file. Because the event policy overrides the severity level of the SNMP_TRAP_LINK_UP event, it now appears in the log file that is configured to only record events of severity 'warning' or higher. By default, this system log file captures the SNMP_TRAP_LINK_DOWN events, but does not capture the SNMP_TRAP_LINK_UP events.
bsmith@R1> show log syslog-event-daemon-warning
Oct 24 13:29:48 R1 mib2d[1394]: SNMP_TRAP_LINK_DOWN: ifIndex 539, ifAdminStatus down(2), ifOperStatus down(2), ifName ge-0/3/1.0
Oct 24 13:30:02 R1 mib2d[1394]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/3/1.0
Meaning
Although the SNMP_TRAP_LINK_UP event has a severity of 'info', configuring the priority-override statement with a severity of 'warning' causes the event to be forwarded to the system logs with the configured severity level. The event can be captured in logs that filter for a different facility type and a higher severity level.
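The filtering behaviour verified above can be reproduced offline with a small model. The following Python sketch is an added example, not Juniper code or part of the original page: it models the two log file filters and the event policy from this example and shows where each event is written with and without the policy. The sample events, the ge-0/0/0.0 interface, and the treatment of the matches comparison as a regular-expression search are assumptions.

```python
import re

# Standard syslog severities: a lower number is a higher severity.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The two log files from this example: name -> (facility, minimum severity).
LOG_FILES = {
    "syslog-event-daemon-info": ("daemon", "info"),
    "syslog-event-daemon-warning": ("daemon", "warning"),
}

# The event policy from this example, reduced to the fields the model needs.
POLICY = {
    "event": "SNMP_TRAP_LINK_UP",
    "attribute": "interface-name",
    "matches": r"ge-0/3/1.0",  # modelled as a regex search (assumption)
    "override_severity": "warning",
}

def apply_policy(event, policy):
    """Return the event, with its severity overridden if the policy triggers."""
    if policy is None or event["id"] != policy["event"]:
        return event
    value = event["attrs"].get(policy["attribute"], "")
    if not re.search(policy["matches"], value):
        return event
    return {**event, "severity": policy["override_severity"]}

def destinations(event, policy=None):
    """Names of the log files whose facility/severity filter accepts the event."""
    event = apply_policy(event, policy)
    return sorted(
        name for name, (facility, minimum) in LOG_FILES.items()
        if event["facility"] == facility
        and SEVERITY[event["severity"]] <= SEVERITY[minimum]
    )

def make_event(event_id, severity, ifname):
    # Constructed sample events; severities are the defaults stated on this page.
    return {"id": event_id, "facility": "daemon", "severity": severity,
            "attrs": {"interface-name": ifname}}

LINK_DOWN = make_event("SNMP_TRAP_LINK_DOWN", "warning", "ge-0/3/1.0")
LINK_UP = make_event("SNMP_TRAP_LINK_UP", "info", "ge-0/3/1.0")
OTHER_UP = make_event("SNMP_TRAP_LINK_UP", "info", "ge-0/0/0.0")  # hypothetical interface

if __name__ == "__main__":
    for ev in (LINK_DOWN, LINK_UP, OTHER_UP):
        print(ev["id"], ev["attrs"]["interface-name"],
              destinations(ev), "->", destinations(ev, POLICY))
```

The third event shows the effect of attributes-match in the model: a link-up on any other interface keeps its default severity and stays out of the 'warning' log file.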