Junos OS


Event-Options Attributes-Match Regular Expressions

  • 1.  Event-Options Attributes-Match Regular Expressions

    Posted 10-17-2017 07:55

    I have set up an Event-Option to raise SNMP Traps whenever the words "alarm set" or "Core dumped" appear in logs, using the following configuration:

     

    event-options {
        policy alarms {
            events [ SYSTEM PIC KERNEL ];
            attributes-match {
                SYSTEM.message matches "(alarm set)|(Core dumped)";
                PIC.message matches "alarm set";
                KERNEL.message matches "alarm set";
            }
            then {
                raise-trap;
            }
        }
    }

     

    But now I want to ignore log entries that have "alarm set" and "SFP receive power low".  I tried a few regular expressions, but none have passed the commit check.  Has anyone tried something similar to this?

     

    Thanks.



  • 2.  RE: Event-Options Attributes-Match Regular Expressions

     
    Posted 10-17-2017 08:12

    Hi,

     

    The KB below explains how to prevent certain logs under the syslog. Will it work for you?

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382&actp=METADATA

     

    Regards,

    Rahul



  • 3.  RE: Event-Options Attributes-Match Regular Expressions

    Posted 10-17-2017 08:33

    Thanks!

     

    Nice article, but it does not explain a filter to include 'alarm set' but not 'SFP' (match A and not B).



  • 4.  RE: Event-Options Attributes-Match Regular Expressions
    Best Answer

    Posted 10-18-2017 00:42

    Hello,

    You need to do it in 2 policies:

     

    event-options {
        policy alarms {
            events SYSTEM;
            attributes-match {
                SYSTEM.message matches "(alarm set)|(Core dumped)";
            }
            then {
                raise-trap;
            }
        }
        policy ignore {
            events SYSTEM;
            attributes-match {
                SYSTEM.message matches "(alarm set SFP)";
            }
            then {
                ignore;
            }
        }
    }

    And when You enable event traceoptions, You should see the following in the logs:

     

     

    Oct 18 09:37:05 Policy <ignore> says event <SYSTEM> should be ignored. Ignoring other policies for this event and not caching this event

    HTH

     

    Thx

    Alex

     



  • 5.  RE: Event-Options Attributes-Match Regular Expressions

    Posted 10-25-2017 06:57

    This solution worked with only a minor change.  The order that the policies are defined is important.  With "ignore" as the last policy defined, I still received a trap from policy "alarms" since "alarm set" still matched.  With "ignore" defined as the first policy, it matched and no further policies were checked.

     

    Thanks!



  • 6.  RE: Event-Options Attributes-Match Regular Expressions

    Posted 10-25-2017 07:31

    Hello,

    Glad it worked for You.

    I used JUNOS 17.2R1 in my tests and event policies worked in the order I posted earlier, so it may be a JUNOS release-specific issue.

    Thank You

    Alex
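
A small model of the ordering behaviour discussed in posts 4 and 5, as an added example that is not part of the original thread: it runs the two policies' patterns over log messages with the "ignore" policy defined last and then first. The evaluation model (policies checked in configured order, a matching "ignore" stops further checks) and the sample messages are assumptions made for illustration; post 6 notes the order dependence may vary by Junos release.

```python
import re

# Patterns copied from the thread. They use only grouping and alternation,
# which Python's re module interprets the same way.
ALARMS = ("alarms", r"(alarm set)|(Core dumped)", "raise-trap")
IGNORE = ("ignore", r"(alarm set SFP)", "ignore")


def evaluate(policies, message):
    """Walk policies in configured order and return the actions taken.

    Assumed model (what post 5 observed): a matching 'ignore' stops
    evaluation, but an action already taken by an earlier policy stands.
    """
    actions = []
    for name, pattern, action in policies:
        if not re.search(pattern, message):
            continue
        actions.append((name, action))
        if action == "ignore":
            break
    return actions


def traps_raised(policies, messages):
    """Return the messages for which some policy raised a trap."""
    return [m for m in messages
            if any(a == "raise-trap" for _, a in evaluate(policies, m))]


# Constructed sample messages, not taken from a real device.
SAMPLES = [
    "Minor alarm set SFP receive power low",
    "Major alarm set, FPC 0 hard errors",
    "rpd[1234]: Core dumped",
    "interface ge-0/0/0 link up",
]

if __name__ == "__main__":
    for label, order in (("ignore last", [ALARMS, IGNORE]),
                         ("ignore first", [IGNORE, ALARMS])):
        print(label)
        for msg in traps_raised(order, SAMPLES):
            print("  trap:", msg)
```

Running candidate patterns through a harness like this before committing shows which alerts a suppression rule would also silence, which matters when the trap is the only notification path for an alarm.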