configure log filter events match

configure log filter name [add | delete] {exclude} events [event-condition | [all | event-component] {severity severity {only}}] [match | strict-match] type value

Description

Configures a log filter to add or delete detailed feature messages based on a specified set of events and match parameter values.

In a stack, this command is applicable only to Master and Backup nodes and not applicable to the standby nodes.

Syntax Description

name Specifies the filter to configure.
add Add the specified events to the filter.
delete Remove the specified events from the filter.
exclude Events matching the filter will be excluded.
event-condition Specifies the event condition.
all Specifies all events.
event-component Specifies all the events associated with a particular component.
severity Specifies the minimum severity level of events (if the keyword only is omitted).
only Specifies only events of the specified severity level.
match Specifies events whose parameter values match the type value pair.
strict-match Specifies events whose parameter values match the type value pair, and possess all the parameters specified.
type Specifies the type of parameter to match. For more information about types and values see Types and Values.
value Specifies the value of the parameter to match. For more information about types and values see Types and Values.

Default

If the exclude keyword is not used, the events will be included by the filter. If severity is not specified, then the filter will use the component default severity threshold (see the note on note: If no severity is specified when delete or exclude is specified, severity all is used when delete or exclude is specified).

Usage Guidelines

This command controls the incidents that pass a filter by adding or deleting a specified set of events that match a list of type value pairs. This command is an extension of the command configure log filter events , and adds the ability to filter incidents based on matching specified event parameter values to the event.

See the configure log filter events command configure log filter events for more information on specifying and using filters, on event conditions and components, and on the details of the filtering process. The discussion here is about the concepts of matching type value pairs to more narrowly define filters.

Types and Values

Each event in ExtremeXOS is defined with a message format and zero or more parameter types. The show log events command show log events can be used to display event definitions (the event text and parameter types). The syntax for the parameter types (represented by type in the command syntax above) is:

[address-family [ipv4-multicast | ipv4-unicast | ipv6-multicast | ipv6-unicast] | bgp-neighbor ip address | bgp-routeridip address | eaps eaps domain name | {destination | source} [ipaddress ip address | L4-port | mac-address ] | esrpesrp domain name | {egress | ingress} [slotslot number | portsport_list] | ipaddressip address | L4-portL4-port | mac-addressmac_address | netmask netmask | number number | portport_list | processprocess name | slot slotid | stringexact string to be matched | vlanvlan name | vlan tagvlan tag]
Note

Note

The slot parameters are available only on SummitStacks.
Beginning with ExtremeXOS 11.2, you can specify the ipaddress type as IPv4 or IPv6, depending on the IP version. The following examples show how to configure IPv4 addresses and IPv6 addresses:
  • IPv4 address.

    To configure an IP address, with a mask of 32 assumed, use the following command:

configure log filter myFilter add events all match ipaddress 12.0.0.1

To configure a range of IP addresses with a mask of 8, use the following command:

configure log filter myFilter add events all match ipaddress 12.0.0.0/8
  • IPv6 address.

    To configure an IPv6 address, with a mask of 128 assumed, use the following command:

    • configure log filter myFilter add events all match ipaddress 3ffe::1
    • To configure a range of IPv6 addresses with a mask of 16, use the following command:
    • configure log filter myFilter add events all match ipaddress 3ffe::/16
  • IPv6 scoped address.

    IPv6 scoped addresses consist of an IPv6 address and a VLAN. The following examples identify a link local IPv6 address.

    To configure a scoped IPv6 address, with a mask of 128 assumed, use the following command:

Note

Note

In the previous example, if you specify the VLAN (Virtual LAN) name, it must be a full match; wild cards are not allowed.

The value depends on the parameter type specified. As an example, an event may contain a physical port number, a source MAC address, and a destination MAC address. To allow only those incidents with a specific source MAC address, use the following in the command:

configure log filter myFilter add events aaa.radius.requestInit secerity notice match source mac-address 00:01:30:23:C1:00 configure log filter myFilter add events bridge severity notice match source mac-address 00:01:30:23:C1:00

The string type is used to match a specific string value of an event parameter, such as a user name. The exact string is matched with the given parameter and no regular expression is supported.

Match Versus Strict-Match

The match and strict-match keywords control the filter behavior for incidents whose event definition does not contain all the parameters specified in a configure log filter events match command. This is best explained with an example. Suppose an event in the XYZ component, named XYZ.event5, contains a physical port number, a source MAC address, but no destination MAC address. If you configure a filter to match a source MAC address and a destination MAC address, XYZ.event5 will match the filter when the source MAC address matches regardless of the destination MAC address, since the event contains no destination MAC address. If you specify the strict-match keyword, then the filter will never match, since XYZ.event5 does not contain the destination MAC address.

In other words, if the match keyword is specified, an incident will pass a filter so long as all parameter values in the incident match those in the match criteria, but all parameter types in the match criteria need not be present in the event definition.

More Information

See the command show log for more information about severity levels.

To get a listing of the components present in the system, use the following command:

show log components

To get a listing of event condition definitions, use the following command:

show log events

To see the current configuration of a filter, use the following command:

show log configuration filter {filter name}

Example

By default, all log targets are associated with the built-in filter, DefaultFilter. Therefore, the most straightforward way to send additional messages to a log target is to modify DefaultFilter. In the following example, the command modifies the built-in filter to allow incidents in the STP (Spanning Tree Protocol) component, and all subcomponents of STP, of severity critical, error, warning, notice and info. For any of these events containing a physical port number as a match parameter, limit the incidents to only those occurring on physical ports 3, 4 and 5 on slot 1, and all ports on slot 2:

configure log filter DefaultFilter add events stp severity info match ports 1:3-1:5, 2:*

If desired, issue the unconfigure log DefaultFilter command to restore the DefaultFilter back to its original configuration.

History

This command was first available in ExtremeXOS 10.1.

New parameter type values, including esrp and eaps were added in ExtremeXOS 11.0 and 11.1.

Support for IPv6 addresses was added in ExtremeXOS 11.2.

Platform Availability