Suppress a syslog event on a specific interface
How might one go about suppressing a syslog event for a specific interface, but still receive all other events for that device and interface?
For example, you have a syslog event message like:
5238379<187>267450: LC/0/1/CPU0:Aug 20 17:38:21.939 EDT: ifmgr[214]: %PKT_INFRA-LINK-3-UPDOWN : Interface TenGigE0/1/1/7, changed state to Down
Your existing event policy uses regex match logic as follows:
First Regular Expression:
PKT_INFRA-LINK-[35]+-[^\s]+
Second Regular Expression:
to.*(DOWN|Down|down)
Identifier Pattern:
Interface\s+([^ ,]+)
Identifier Format:
Interface: %1
Would you modify the event policy in some way? Are there other levers/knobs in the system to tinker with that might get you the desired result?
As you cannot suppress events via sub-entity (what you're extracting with Identifier Pattern, in this case "TenGigE0/1/1/7"), I would suggest that you have two Event Policies: one with a lower Detection Weight that includes "TenGigE0/1/1/7" within one of the required matches and is marked for suppression against the particular device, and a second Event Policy with a higher Detection Weight to match the remainder.
Ex.
(PKT_INFRA-LINK-[35]+-[^\s])+(?=.*TenGigE0\/1\/1\/7)
In theory you could also choose to invert the approach by having an event policy that only matches if it doesn't contain certain text with a second event policy that catches all and suppresses against specific device(s), but depending on how many policies and devices you're managing that could change which approach makes more sense.
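The two-policy approach from the answer can be checked offline before it is deployed. The following is an added example, not code from the original thread or from the monitoring product. It assumes policies are tried in ascending Detection Weight order with the first match winning; the policy names, weights, the sample lines and the bounded variant of the lookahead (which keeps an interface such as TenGigE0/1/1/70 from being suppressed along with TenGigE0/1/1/7) are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the message quoted in the question.
PREFIX = ("LC/0/1/CPU0:Aug 20 17:38:21.939 EDT: ifmgr[214]: "
          "%PKT_INFRA-LINK-3-UPDOWN : ")
LINES = {
    "target": PREFIX + "Interface TenGigE0/1/1/7, changed state to Down",
    "other": PREFIX + "Interface TenGigE0/1/1/6, changed state to Down",
    "lookalike": PREFIX + "Interface TenGigE0/1/1/70, changed state to Down",
}

SECOND = r"to.*(DOWN|Down|down)"   # second regular expression from the question
IDENT = r"Interface\s+([^ ,]+)"    # identifier pattern from the question

# (hypothetical name, assumed weight, first regex, suppressed on this device?)
GENERAL = ("link-down-general", 10, r"PKT_INFRA-LINK-[35]+-[^\s]+", False)
POLICIES = [
    GENERAL,
    # First regex exactly as posted in the answer.
    ("link-down-te0117", 5,
     r"(PKT_INFRA-LINK-[35]+-[^\s])+(?=.*TenGigE0\/1\/1\/7)", True),
]
BOUNDED = [
    GENERAL,
    # Added variant: the interface name must not be followed by another digit.
    ("link-down-te0117", 5,
     r"PKT_INFRA-LINK-[35]+-[^\s]+(?=.*TenGigE0\/1\/1\/7(?![0-9]))", True),
]


def evaluate(line, policies):
    """Return (policy name, identifier, alert raised?) for the first policy
    that matches, trying the lowest Detection Weight first."""
    for name, _weight, first, suppressed in sorted(policies, key=lambda p: p[1]):
        if re.search(first, line) and re.search(SECOND, line):
            found = re.search(IDENT, line)
            ident = "Interface: " + found.group(1) if found else None
            return name, ident, not suppressed
    return None, None, False


if __name__ == "__main__":
    for label, policies in (("as posted", POLICIES), ("bounded", BOUNDED)):
        for key, line in LINES.items():
            print(label, key, evaluate(line, policies))
```

With the pattern as posted, the look-alike interface lands in the suppressed policy and its link-down event is never raised; the bounded variant lets it fall through to the general policy.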