Clay,
Not sure if this will help but I had to do essentially the same thing and Curtis helped me out a bunch! Anyway, my non-standard event was SSH login using the following syslog event:
    Oct 25 19:31:37 CER-M7i sshd[7733]: Failed password for emergencylogin from 192.100.50.220 port 4735 ssh2
In this case, I needed the username (emergencylogin) and Curtis showed me how to do that (but that's in the script). This is what fires my script and is, I think, what you're asking about:
    /* embed event policy - only configuration required on the router
       is to include set event-options event-script file login-failure.slax.
       Changing anything in the event-definition requires the operational-mode command
       request system scripts event-scripts reload or commit full */
    var $event-definition = {
        <event-options> {
            <policy> {
                <name> "login-failure";
                <events> "system";
                <events> "login_failed";
                <attributes-match> {
                    <from-event-attribute> "system.message";
                    <condition> "matches";
                    <to-event-attribute-value> " password for ";
                }
                <then> {
                    <event-script> {
                        <name> "login-failure.slax";
                    }
                }
            }
        }
    }
In this case, the non-standard events logged by sshd appear as "system" generated events. I then had to find some unique string that I could use to discriminate against; I used " password for ". Now I know there are LOGIN_INFORMATION and UI_LOGIN events but LOGIN_INFORMATION only covers console logins and UI_LOGIN events include whenever a user runs a script, executes a commit, etc. and I could not have those events messing with my script. Anyway, using that string worked and now every time there is a system event that contains " password for " in the message, login-failure.slax is fired.
I am not an expert but I would assume that once you determine how rpd logs events (system, kernel, etc.) you need to identify some unique string that only matches the event(s) you want and then perform whatever logic is required in the script.
Richard
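
Added example, not part of Richard's post or his script: a small Python check of which syslog lines the " password for " match string selects and how the username can be pulled out of the sshd message. Only the first sample line comes from the post; the others are constructed, the message layouts are assumed to follow stock OpenSSH wording, and the substring test only approximates the policy's "matches" condition.

```python
import re

# Match string from the policy's <to-event-attribute-value> in the post.
MATCH_STRING = " password for "

# Assumed stock OpenSSH layout: "<Failed|Accepted> password for [invalid user ]<user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Sample input: first line is from the post, the rest are constructed for this example.
SAMPLE_LINES = [
    "Oct 25 19:31:37 CER-M7i sshd[7733]: Failed password for emergencylogin from 192.100.50.220 port 4735 ssh2",
    "Oct 25 19:32:02 CER-M7i sshd[7741]: Failed password for invalid user oracle from 192.0.2.15 port 50122 ssh2",
    "Oct 25 19:33:10 CER-M7i sshd[7750]: Accepted password for emergencylogin from 192.0.2.15 port 50130 ssh2",
    "Oct 25 19:34:00 CER-M7i mgd[7801]: UI_COMMIT: User 'admin' requested 'commit' operation",
]


def policy_would_fire(line):
    """Approximate the policy condition: does the message contain the match string?"""
    return MATCH_STRING in line


def parse_login(line):
    """Return the fields a script would act on, or None if this is not an sshd password event."""
    m = SSHD_RE.search(line)
    if m is None:
        return None
    return {
        "failed": m.group("result") == "Failed",
        "user": m.group("user"),
        "known_user": m.group("invalid") is None,  # False when sshd logged "invalid user"
        "source": m.group("src"),
        "port": int(m.group("port")),
    }


def failed_logins(lines):
    """Events that fire the policy and are genuine password failures."""
    parsed = [parse_login(l) for l in lines if policy_would_fire(l)]
    return [p for p in parsed if p and p["failed"]]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(policy_would_fire(line), parse_login(line))
```

On these samples the match string also selects the "Accepted password for" line, so the script has to check the leading word itself before acting, and the "invalid user" form shifts where the username sits in the message.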