Script to capture ID of existing events. This applies to SLAX version 1.0 and higher.
Syslog messages that do not have an assigned event are logged using one of six generic event IDs: SYSTEM, KERNEL, PFE, PIC, LCC, and SCC. This event ID must be known if you wish to create an event policy that triggers on the syslog message; however, the pseudo-event ID is unfortunately not recorded in the syslog, so it can be difficult to determine what the correct ID is.
To help with this problem, I created the attached event script: capture-pseudo-events.slax. The idea is simple: the script is triggered by all six pseudo-event IDs, and it records the event ID along with the message to the file /var/tmp/pseudo-event-output.
This is not a perfect solution because it requires that the event be generated while the event script is enabled, but it could be useful in scenarios where the event is reproducible.
Within the pseudo-event-output file, the log generation time is enclosed in [ ], the pseudo-event ID is enclosed in < >, and the message is enclosed in " " (any newlines are stripped). Once the event has been generated, you can scan the output file until you find the message of interest and then you'll see the pseud- event ID that it is logged with.
1 jnpr@srx210> file show /var/tmp/pseudo-event-output
2 [2011-11-23 03:39:08 UTC] <SYSTEM> "STP handler: index=7, op=get-next, state=0, tc-generation=0"
3 [2011-11-23 03:39:08 UTC] <SYSTEM> "STP Add"
4 [2011-11-23 03:39:08 UTC] <SYSTEM> "STP handler: index=8, op=get-next, state=0, tc-generation=0"
5 [2011-11-23 03:54:40 UTC] <KERNEL> "pfe_listener_disconnect: conn dropped: listener idx=0, tnpaddr=0x1, reason: reconnect timeout"
6 [2011-11-23 03:54:40 UTC] <KERNEL> "pfe_peer_update_mgmt_state: type 10, index 0, vks 0, old state Valid new state Closed mastership 1"
7 [2011-11-23 03:54:40 UTC] <KERNEL> "pfe_peer_clear_timeout: clearing timo 0x80576e84"
8 [2011-11-23 04:02:26 UTC] <PFE> "srx210 Registered network packet handlers"
9 [2011-11-23 04:02:26 UTC] <PFE> "srx210 if_notify_init: IF notify list already initialized"
Note: Minimum Version is Junos OS Release 11.1. This is not a long-term script. The script repeatedly appends information to the same file, which will continue to grow and grow.
Original from Curtis Call blog post Nov. 22, 2011. Released to TechWiki with permission.