Managing external event filters
External event filters specify which events (for example, syslog) are processed by the BMC Network Automation system. When BMC Network Automation processes an external event, the event is logged and sent to the Policy Manager. Events not matching the enabled filters are discarded.
The following table contains tasks for managing the external event filters by using BMC Network Automation, and provides links to the applicable topics:
| Administering task | For more information | Benefit |
|---|---|---|
| To add or edit an external event filter | Adding or editing an external event filter | Add or edit an external event filter. |
| To perform actions on an external event filter | Viewing the external event filters listing | Use the filters list to perform the following actions on an external event filter: |
BMC Network Automation is delivered with a set of filters that can be customized for your environment. The following filters are delivered enabled:
- Log All Configuration Changes: Filters for syslog change events that trigger the Auto Archive policy.
- Log Severity 0/1 as Critical Event: Filters for all syslog emergency (0) and alert (1) events. These events can be used to trigger a policy that is performing event-to-change correlation (for example, Multiple high severity events received and configuration change has occurred in past 48 hours).
BMC highly recommends disabling low severity syslog filters for optimum performance.
To help you get started, some filters for identifying specific Cisco events (for example, Link Down) are provided. These filters are disabled by default.
The Log All Configuration Changes filter is used to detect and categorize potential changes to a configuration file or firewall policy. BMC Software strongly recommends that this filter remain enabled (the default state) to trigger the Auto Archive policy.
These filters have been designed for all supported devices. The Auto Archive policy automatically performs a configuration snapshot action when a potential configuration change has occurred. This enables the configuration repository to remain up-to-date without operator intervention.
The Log Severity filters are used to map external event severities to the system severities. In addition, a filter can be disabled to ignore lower severity events.
If an event matches multiple filters, it is processed once for each match. Therefore, an event is logged and forwarded to the Policy Manager for each match.
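The following is an added illustration of the matching rules described on this page (only enabled filters match, unmatched events are discarded, and an event is logged and forwarded once per matching filter); it is a model, not BMC Network Automation code. The regex patterns, the filters marked hypothetical, and the sample syslog lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

def syslog_severity(line):
    """Severity (0-7) from the syslog PRI field, or None if PRI is missing/invalid."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        return None
    return int(m.group(1)) % 8  # PRI = facility * 8 + severity

@dataclass
class EventFilter:
    name: str
    enabled: bool
    pattern: str = ".*"  # regex over the raw message (assumed match style)
    severities: frozenset = frozenset(range(8))

    def matches(self, line):
        return (self.enabled
                and syslog_severity(line) in self.severities
                and re.search(self.pattern, line) is not None)

def process(line, filters):
    """Names of the filters that log and forward this event; [] means discarded."""
    return [f.name for f in filters if f.matches(line)]

# Two names come from the page; patterns and "hypothetical" filters are assumptions.
FILTERS = [
    EventFilter("Log All Configuration Changes", True, r"CONFIG_I"),
    EventFilter("Log Severity 0/1 as Critical Event", True, severities=frozenset({0, 1})),
    EventFilter("Log Severity 3 (hypothetical)", True, severities=frozenset({3})),
    EventFilter("Link Down (hypothetical)", True, r"LINK-3-UPDOWN.*down"),
    EventFilter("Log Severity 6 (hypothetical)", False, severities=frozenset({6})),
]

# Constructed sample syslog lines (not captured from a real device).
SAMPLES = {
    "config": "<189>45: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "link": "<187>46: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "alert": "<185>47: constructed alert-level message",
    "info": "<190>48: constructed informational message",
}

if __name__ == "__main__":
    for key, line in SAMPLES.items():
        hits = process(line, FILTERS)
        print(key, "->", hits or "DISCARDED (not logged)")
```

In this model the link-down sample is forwarded twice, which inflates any policy that counts events, and the informational sample is dropped without a log entry because its severity filter is disabled.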