Matching Parameters

Rather than using a text match, EMS allows you to filter more efficiently based on the parameter values of the message.

In addition to event components and conditions and severity levels, each filter item can also use parameter values to further limit which messages are passed or blocked. The process of creating, configuring, and using filters has already been described in Filtering By Components and Conditions, so this section describes matching parameters with a filter item.

To configure a parameter match filter item, use the following command:

configure log filter name [add | delete] {exclude} events [event-condition | [all | event-component] {severity severity {only}}] [match | strict-match] type value

Each event in ExtremeXOS is defined with a message format and zero or more parameter types.

The show log events all command can be used to display event definitions (the event text and parameter types). Only those parameter types that are applicable given the events and severity specified are exposed on the CLI. The syntax for the parameter types (represented by type in the command syntax above) is:

[address-family [ipv4-multicast | ipv4-unicast | ipv6-multicast | ipv6-unicast] | bgp-neighbor ip address | bgp-routerid ip address | eaps eaps domain name | {destination | source} [ipaddress ip address | L4-port L4-port| mac-address mac-address] | esrp esrp domain name | {egress | ingress} [slot slot number | ports portlist] | ipaddress ip address | L4-port L4-port | mac-address mac_address | netmask netmask | number number | port portlist | process process name | slot slotid | string exact string to be matched | vlan vlan name | vlan tag vlan tag]

You can specify the ipaddress type as IPv4 or IPv6, depending on the IP version.

The following examples show how to configure IPv4 addresses and IPv6 addresses:

IPv4 address

IPv6 address
IPv6 scoped address

To configure a scoped IPv6 address, with a mask of 128 assumed, use the following command:

configure log filter myFilter add events all match ipaddress fe80::1%Default

To configure a range of scoped IPv6 addresses with a mask of 16, use the following command:

configure log filter myFilter add events all match ipaddress fe80::/16%Default

To configure a scoped IPv6 address with any VLAN, use the following command:

configure log filter myFilter add events all match ipaddress fe80::/16%*

To configure any scoped IPv6 address with a specific VLAN, use the following command:

configure log filter myFilter add events all match ipaddress fe80::/0%Default

Note

In the previous example, if you specify the VLAN name, it must be a full match; wild cards are not allowed.

The value depends on the parameter type specified.

As an example, an event may contain a physical port number, a source MAC address, and a destination MAC address. To allow only those RADIUS incidents, of severity notice and above, with a specific source MAC address, use the following command:

configure log filter myFilter add events aaa.radius.requestInit severity notice match source mac-address 00:01:30:23:C1:00

The string type is used to match a specific string value of an event parameter, such as a user name. The exact string is compared with the given parameter; regular expressions are not supported.

Match Versus Strict-Match

The match and strict-match keywords control the filter behavior for incidents whose event definition does not contain all the parameters specified in a configure log filter events match command.

This is best explained with an example. Suppose an event in the XYZ component, named XYZ.event5, contains a physical port number, a source MAC address, but no destination MAC address. If you configure a filter to match a source MAC address and a destination MAC address, XYZ.event5 will match the filter when the source MAC address matches regardless of the destination MAC address because the event contains no destination MAC address. If you specify the strict-match keyword, then the filter will never match event XYZ.event5 because this event does not contain the destination MAC address.

In other words, if the match keyword is specified, an incident will pass a filter so long as all parameter values in the incident match those in the match criteria, but all parameter types in the match criteria need not be present in the event definition.
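
The XYZ.event5 case above, modelled in Python as an added example (not ExtremeXOS code). The function name, the dictionary layout, the port and destination MAC values, and the event XYZ.event6 are assumptions made for illustration, and values are compared by simple equality.

```python
# Simplified model of EMS parameter matching (added example, not ExtremeXOS code).
# An event definition lists the parameter types it carries; an incident is one
# occurrence of that event with concrete values.

def item_matches(criteria, event_params, incident, strict=False):
    """Return True if the incident satisfies the filter item's parameter criteria.

    criteria     -- {param_type: wanted_value} taken from the filter item
    event_params -- set of parameter types in the event definition
    incident     -- {param_type: actual_value} for this occurrence
    strict       -- False models 'match', True models 'strict-match'
    """
    for ptype, wanted in criteria.items():
        if ptype not in event_params:
            if strict:
                return False  # strict-match: definition must carry every criterion
            continue          # match: criteria absent from the definition are skipped
        if incident.get(ptype) != wanted:
            return False      # a parameter that is present must have the wanted value
    return True

# Filter item matching a source and a destination MAC (destination is constructed).
CRITERIA = {
    "source mac-address": "00:01:30:23:C1:00",
    "destination mac-address": "00:01:30:23:C1:01",
}

# XYZ.event5 from the text: port and source MAC, no destination MAC.
EVENT5_PARAMS = {"port", "source mac-address"}
EVENT5_HIT = {"port": "1:3", "source mac-address": "00:01:30:23:C1:00"}
EVENT5_MISS = {"port": "1:3", "source mac-address": "00:01:30:23:C1:FF"}

# Hypothetical XYZ.event6 whose definition carries both MAC addresses.
EVENT6_PARAMS = {"port", "source mac-address", "destination mac-address"}
EVENT6_HIT = dict(EVENT5_HIT, **{"destination mac-address": "00:01:30:23:C1:01"})
EVENT6_MISS = dict(EVENT5_HIT, **{"destination mac-address": "00:01:30:23:C1:02"})

if __name__ == "__main__":
    cases = [("XYZ.event5 src ok", EVENT5_PARAMS, EVENT5_HIT),
             ("XYZ.event5 src differs", EVENT5_PARAMS, EVENT5_MISS),
             ("XYZ.event6 both ok", EVENT6_PARAMS, EVENT6_HIT),
             ("XYZ.event6 dst differs", EVENT6_PARAMS, EVENT6_MISS)]
    for label, params, incident in cases:
        m = item_matches(CRITERIA, params, incident)
        s = item_matches(CRITERIA, params, incident, strict=True)
        print(f"{label:24} match={m!s:5} strict-match={s}")
```

When a log filter feeds security monitoring, the first row is the one to check: with match, XYZ.event5 is selected on the source MAC alone, while strict-match never selects it.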