Configure an event-policy to execute operational commands

I was working recently on a situation where I had to issue some commands once a specific string was seen in the logs.

Juniper supports the configuration of an event-policy that can execute operational commands and save the output locally or remotely.

Additionally, you can upload a specific file to a remote destination or raise an SNMP trap.

This is just an example of how you can execute a command when a specific string is written in the /var/log/messages file.

When a user is synchronizing the time on a Juniper device using the command ‘set date ntp’, this string is written in the logs:

Listening on interface ggsn_vpn, 128.0.0.1#123

This is the event-policy:

{master:0}[edit]
root@EX_SWITCH# show event-options 
policy POLICY_TEST {
    events SYSTEM;
    attributes-match {
        SYSTEM.message matches ggsn_vpn;
    }
    then {
        upload filename /var/log/messages destination REMOTE_SERVER;
        execute-commands {
            commands {
                "show log messages | match set | match ntp | match date";
            }
            output-filename INITIATED_BY_USER;
            destination LOCAL_LOCATION;
            output-format text;
        }
    }
}
destinations {
    REMOTE_SERVER {
        archive-sites {
            "ftp://lab:lab123@172.30.144.28/UPLOAD";
        }
    }
    LOCAL_LOCATION {                    
        archive-sites {
            /var/tmp;
        }
    }
}

{master:0}[edit]
root@EX_SWITCH#

Now let's use the display set output of the event-policy configuration to understand what was configured:

set event-options policy POLICY_TEST events SYSTEM
set event-options policy POLICY_TEST attributes-match SYSTEM.message matches ggsn_vpn

– “ggsn_vpn” is used as a match string in /var/log/messages

set event-options policy POLICY_TEST then upload filename /var/log/messages destination REMOTE_SERVER

– if there is a match, the /var/log/messages file will be uploaded to a remote destination, which will be defined later. The file will have the date and time appended to its filename.

set event-options policy POLICY_TEST then execute-commands commands "show log messages | match set | match ntp | match date"

– if there is a match, then the command “show log messages | match set | match ntp | match date” will be issued to match the command “set date ntp”

set event-options policy POLICY_TEST then execute-commands output-filename INITIATED_BY_USER

– the output of the command issued after match will be saved to a file whose filename will have the date and time appended

set event-options policy POLICY_TEST then execute-commands destination LOCAL_LOCATION

– the file will be saved on a specific destination

set event-options policy POLICY_TEST then execute-commands output-format text

– the file will be saved in text format. You can save the output in XML format as well.

set event-options destinations REMOTE_SERVER archive-sites "ftp://lab:lab123@172.30.144.28/UPLOAD"

– this is the remote destination where the file will be uploaded

set event-options destinations LOCAL_LOCATION archive-sites /var/tmp

– this is the location where the file containing the output of the operational commands will be saved. You can specify either a local destination (on the EX itself) or a remote destination.
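The REMOTE_SERVER archive site above carries the FTP username and password inside the URL, and FTP sends both the credentials and the uploaded /var/log/messages file unencrypted. The following Python script is an added example, not part of the original post: it scans display set output for archive sites with those two properties and lists which policy actions send data to them. The BACKUP destination is a hypothetical entry added for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed input: "display set" lines from this post plus one hypothetical
# scp destination (BACKUP) for contrast.
SAMPLE_CONFIG = """\
set event-options policy POLICY_TEST then upload filename /var/log/messages destination REMOTE_SERVER
set event-options policy POLICY_TEST then execute-commands destination LOCAL_LOCATION
set event-options destinations REMOTE_SERVER archive-sites "ftp://lab:lab123@172.30.144.28/UPLOAD"
set event-options destinations LOCAL_LOCATION archive-sites /var/tmp
set event-options destinations BACKUP archive-sites "scp://backup@192.0.2.10/UPLOAD"
"""

SITE_RE = re.compile(r'^set event-options destinations (\S+) archive-sites "?([^"\s]+)"?')
USE_RE = re.compile(r'^set event-options policy (\S+) then (upload|execute-commands) .*?destination (\S+)')
CLEARTEXT_SCHEMES = {"ftp", "http"}  # no transport encryption


def audit_destinations(config_text):
    """Map each archive destination to its findings and the policy actions using it."""
    report = {}
    lines = [ln.strip() for ln in config_text.splitlines()]
    # First pass: collect every archive site and inspect its URL.
    for line in lines:
        m = SITE_RE.match(line)
        if m:
            name, site = m.groups()
            url = urlsplit(site)
            entry = report.setdefault(name, {"findings": [], "used_by": []})
            if url.scheme in CLEARTEXT_SCHEMES:
                entry["findings"].append("cleartext-transport")
            if url.password:
                entry["findings"].append("password-in-url")
    # Second pass: record which policy actions write to each destination.
    for line in lines:
        m = USE_RE.match(line)
        if m and m.group(3) in report:
            policy, action, dest = m.groups()
            report[dest]["used_by"].append(f"{policy}:{action}")
    return report


if __name__ == "__main__":
    for dest, entry in audit_destinations(SAMPLE_CONFIG).items():
        print(dest, entry["findings"] or "ok", entry["used_by"])
```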

This is the verification.

Once the user synchronized the date, the command was executed and the output was saved in /var/tmp. We can see that the root user issued the command ‘set date ntp’:

{master:0}[edit]
root@EX_SWITCH# run file show /var/tmp/EX_SWITCH_INITIATED_BY_USER_20140311_151747    

root@EX_SWITCH> show log messages | match set | match ntp | match date

Feb 11 15:17:46.019 2014  EX_SWITCH mgd[24489]: UI_CMDLINE_READ_LINE: User 'root', command 'run set date ntp '
Feb 11 15:17:46.894 2014  EX_SWITCH ntpdate: NTPDATE_TIME_CHANGED: step time offset -0.000119 sec
Feb 11 15:17:47.545 2014  EX_SWITCH mgd[30929]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match set | match ntp | match date '

{master:0}[edit]
root@EX_SWITCH#

As you can see, the output also shows the operational command that was triggered when the string was matched in the logs.
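In the output above, both the operator's command and the command run by the event-policy are logged as User 'root', so telling them apart means comparing against the command configured in the policy. The following Python script is an added example, not part of the original post: it parses the UI_CMDLINE_READ_LINE records from the saved file and tags each one by origin. The function names and the "cli" / "event-policy" labels are assumptions made for this example.

```python
import re
from datetime import datetime

# Log lines copied from the verification output in this post.
SAMPLE_OUTPUT = """\
Feb 11 15:17:46.019 2014  EX_SWITCH mgd[24489]: UI_CMDLINE_READ_LINE: User 'root', command 'run set date ntp '
Feb 11 15:17:46.894 2014  EX_SWITCH ntpdate: NTPDATE_TIME_CHANGED: step time offset -0.000119 sec
Feb 11 15:17:47.545 2014  EX_SWITCH mgd[30929]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match set | match ntp | match date '
"""

# Command configured under execute-commands in POLICY_TEST.
POLICY_COMMANDS = {"show log messages | match set | match ntp | match date"}

CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+ \d{4})\s+(?P<host>\S+) mgd\[(?P<pid>\d+)\]: "
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']*)', command '(?P<cmd>.*)'\s*$")


def parse_commands(text):
    """Return one dict per UI_CMDLINE_READ_LINE record, tagged by origin."""
    records = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue  # e.g. NTPDATE_TIME_CHANGED is not a CLI command record
        cmd = m["cmd"].strip()
        records.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f %Y"),
            "host": m["host"], "pid": int(m["pid"]), "user": m["user"],
            "command": cmd,
            "origin": "event-policy" if cmd in POLICY_COMMANDS else "cli",
        })
    return records


def who_set_date(text):
    """Users whose CLI command contains 'set date ntp' (policy commands excluded)."""
    return sorted({r["user"] for r in parse_commands(text)
                   if r["origin"] == "cli" and "set date ntp" in r["command"]})


if __name__ == "__main__":
    for rec in parse_commands(SAMPLE_OUTPUT):
        print(rec["time"], rec["user"], rec["origin"], rec["command"])
    print("set date ntp issued by:", who_set_date(SAMPLE_OUTPUT))
```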

Also, we can check on the FTP server that the /var/log/messages file was uploaded:

lab@evora:~/pubftp/UPLOAD$ ls -l
total 4
-rw-r--r-- 1 ftpuser ftpgroup 1584 Feb 11 13:59 EX_SWITCH_messages_20140311_151746
lab@evora:~/pubftp/UPLOAD$

This is just a proof-of-concept example.

You can use the event-policy according to your needs, so that you execute the commands you need based on events that are meaningful to you.

Paris ARAU

Paris ARAU is a networking professional with a strong background in routing and switching technologies. He holds CCIE R&S and dual JNCIE (SP and ENT) certifications. His day-to-day work allows him to dive deeply into networking technologies. As part of his continuous training, he is focusing on Software Defined Networking and cloud computing.
