Filtering By Components and Conditions

You may want to send the messages that come from a specific component that makes up ExtremeXOS or to send the message generated by a specific condition. For example, you might want to send only those messages that come from the STP component, or send the message that occurs when the IP.Forwarding.SlowPathDrop condition occurs. Or you may want to exclude messages from a particular component or event. To do this, you construct a filter that passes only the items of interest, and you associate that filter with a target.

  1. The first step is to create the filter using the create log filter command.

    You can create a filter from scratch, or copy another filter to use as a starting point. (It may be easiest to copy an existing filter and modify it.)

  2. To create a filter, use the following command:
    create log filter name {copy filter_name}

    If you create a filter from scratch, that filter initially blocks all events until you add events (either the events from a component or a specific event condition) to pass. You might create a filter from scratch if you want to pass a small set of events and to block most events. If you want to exclude a small set of events, use the default filter that passes events at or above the default severity threshold (unless the filter has been modified), named DefaultFilter, that you can copy to use as a starting point for your filter.

  3. After you create your filter, you configure filter items that include or exclude events from the filter.

    Included events are passed; excluded events are blocked.

  4. To configure your filter, use the following command:
    configure log filter name [add | delete] {exclude} events [event-condition | [all | event-component] {severity severity {only}}]

    For example, if you create the filter myFilter from scratch, use the following command to include events:

    configure log filter myFilter add events stp

    All STP component events of at least the default threshold severity passes myFilter (for the STP component, the default severity threshold is error). You can further modify this filter by specifying additional conditions.

    For example, assume that myFilter is configured as before, and assume that you want to exclude the STP.CreatPortMsgFail event.

  5. To add that condition, use the following command:
    configure log filter myFilter add exclude events stp.creatportmsgfail
  6. You can also add events and subcomponents to the filter.

    For example, assume that myFilter is configured as before, and you want to include the STP.InBPDU subcomponent. To add that condition, use the following command:

    configure log filter myFilter add events stp.inbpdu
  7. You can continue to modify this filter by adding more filter items.

    The filters process events by comparing the event with the most recently configured filter item first. If the event matches this filter item, the incident is either included or excluded, depending on whether the exclude keyword was used. If necessary, subsequent filter items on the list are compared. If the list of filter items is exhausted with no match, the event is excluded and is blocked by the filter.

  8. To view the configuration of a filter, use the following command:
    show log configuration filter {filter_name}

    The following is sample output from this command (for the earlier filter):

    Log Filter Name: myFilter
    I/                                             Severity
    E  Comp.   Sub-comp.   Condition               CEWNISVD
    -  ------- ----------- ----------------------- --------
    I  STP     InBPDU                              --------
    E  STP                 CreatPortMsgFail        -E------
    I  STP                                         --------
    Include/Exclude: I - Include,  E - Exclude
    Component Unreg: * - Component/Subcomponent is not currently registered
    Severity Values: C - Critical,  E - Error,  W - Warning,  N - Notice,  I - Info
    Debug Severity : S - Debug-Summary,  V - Debug-Verbose,  D - Debug-Data
    + - Debug Severities, but log debug-mode not enabled
    If Match parameters present:
    Parameter Flags: S - Source,  D - Destination, (as applicable)
    I - Ingress,  E - Egress,  B - BGP
    Parameter Types: Port - Physical Port list,  Slot - Physical Slot #
    MAC  - MAC address,  IP - IP Address/netmask,  Mask - Netmask
    VID  - Virtual LAN ID (tag),  VLAN - Virtual LAN name
    L4   - Layer-4 Port #,  Num  - Number,  Str  - String
    Nbr  - Neighbor, Rtr  - Routerid, EAPS - EAPS Domain
    Proc - Process Name
    Strict Match   : Y - every match parameter entered must be present in the event
    N - match parameters need not be present in the event
    

    The show log configuration filter command shows each filter item, in the order that it will be applied and whether it will be included or excluded. The above output shows the three filter items, one including events from the STP.InBPDU component, one excluding the event STP.CreatPortMsgFail, and the next including the remaining events from the STP component. The severity value is shown as “*”, indicating that the component‘s default severity threshold controls which messages are passed. The Parameter(s) heading is empty for this filter because no match is configured for this filter. Matches are described in Matching Expressions.

Each time a filter item is added to or deleted from a given filter, the specified events are compared against the current configuration of the filter to try to logically simplify the configuration. Existing items will be replaced by logically simpler items if the new item enables rewriting the filter. If the new item is already included or excluded from the currently configured filter, the new item is not added to the filter.