Forum Discussion

PattyN
Contributor II
25 days ago

Suppress a syslog event on a specific interface

How might one go about suppressing a syslog event for a specific interface, but still receive all other events for that device and interface? For example, you have a syslog event message like:  52...
  • BryanHarding
    22 days ago

    As you cannot suppress events via sub-entity (what you're extracting with Identifier Pattern, in this case "TenGigE0/1/1/7"), I would suggest that you have two Event Policies: one with a lower Detection Weight that includes "TenGigE0/1/1/7" within one of the required matches and is marked for suppression against the particular device, and a second Event Policy with higher Detection Weight to match the remainder.

    Ex. 

    (PKT_INFRA-LINK-[35]+-[^\s])+(?=.*TenGigE0\/1\/1\/7)

    In theory you could also choose to invert the approach by having an event policy that only matches if it doesn't contain certain text with a second event policy that catches all and suppresses against specific device(s), but depending on how many policies and devices you're managing that could change which approach makes more sense.
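
Added example, not part of the thread or the monitoring product's own code: a Python model of the two-policy approach from the reply above, assuming the matching policy with the lowest Detection Weight wins. The device names, weights, `STRICT_PATTERN`, `CATCH_ALL` and the sample messages are constructed for illustration; the model also shows that the reply's lookahead has no boundary after the final `7`, so it matches `TenGigE0/1/1/70` as well.

```python
import re

# Pattern exactly as posted in the reply.
ANSWER_PATTERN = r"(PKT_INFRA-LINK-[35]+-[^\s])+(?=.*TenGigE0\/1\/1\/7)"
# Assumption: tightened variant that refuses a trailing digit (e.g. .../70).
STRICT_PATTERN = r"PKT_INFRA-LINK-[35]-\S+(?=.*TenGigE0/1/1/7(?!\d))"
# Assumption: the second, higher-weight policy that matches the remainder.
CATCH_ALL = r"PKT_INFRA-LINK-[35]-\S+"

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface TenGigE0/1/1/7, changed state to Down",
    "ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface TenGigE0/1/1/8, changed state to Down",
    "ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface TenGigE0/1/1/70, changed state to Down",
]

def build_policies(interface_pattern):
    """Each policy: (name, detection weight, regex, devices it is suppressed on)."""
    return [
        ("link-te0/1/1/7", 5, re.compile(interface_pattern), {"core-rtr-1"}),
        ("link-any", 10, re.compile(CATCH_ALL), set()),
    ]

def classify(device, message, policies):
    """Return (policy name, 'suppressed' or 'alert'), or (None, 'unmatched')."""
    # Modelled assumption: policies are tried in ascending weight, first match wins.
    for name, _weight, regex, suppressed_on in sorted(policies, key=lambda p: p[1]):
        if regex.search(message):
            return name, "suppressed" if device in suppressed_on else "alert"
    return None, "unmatched"

def report(interface_pattern, device="core-rtr-1"):
    """Classify every sample message for one device."""
    policies = build_policies(interface_pattern)
    return [classify(device, msg, policies) for msg in SAMPLES]

if __name__ == "__main__":
    for label, pattern in (("answer", ANSWER_PATTERN), ("strict", STRICT_PATTERN)):
        print(label)
        for msg, result in zip(SAMPLES, report(pattern)):
            print("  ", result, "<-", msg.split(" : ")[1])
```

With the posted pattern the `TenGigE0/1/1/70` event is suppressed along with `TenGigE0/1/1/7`; with the tightened variant it falls through to the catch-all policy and still alerts.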