reclassifying a syslog message

stine · ‎05-05-2008

Is there a way to change the level for SNMP_TRAP_LINK_UP from INFO to WARNING ?

If not, I'll have to figure out how to send WARNING or higher + SNMP_TRAP_LINK_UP messages.

Also, is there a better document for syslog message interpretation than "System Log Messages Reference / Release 10.0"? This works fine if you have a syslog message that you need to understand and decode, but I need to build alarm rules in a 3rd party application (LogRhythm), and it would be very helpful to have have something like this:

SNMP_TRAP_LINK_UP: ifIndex 628, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.50

in which shows the message format

Theodore E Van Iderstine
Datalink Associates Corp.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL

ccall · ‎06-18-2008

You can't change the severity of the original message, but you can relog messages at a desired severity level by using an event script. For an example of how to do this see the change-syslog-severity.slax script on pages 74-75 of the Applying Junos Event Automation Day One Guide:

http://www.juniper.net/us/en/local/pdf/day-one-guides/7100110-en.pdf

stine · ‎05-05-2008

Thank you, that is EXACTLY what (and why) I was looking for.

One note, on page 75 in the stanza:

/* If they have a PID then include it */
if( string-length( $pid ) > 0 ) {
expr [" _ $pid _ "]";
}

there is a missing double-quote before the '[' character.

It should read:

/* If they have a PID then include it */
if( string-length( $pid ) > 0 ) {
expr "[" _ $pid _ "]";
}

Theodore E Van Iderstine
Datalink Associates Corp.
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL

ccall · ‎06-18-2008

Thanks for pointing out the missing quote character. I'll add it to the list of errata.

reclassifying a syslog message

Re: reclassifying a syslog message

Re: reclassifying a syslog message

Re: reclassifying a syslog message