Adding or editing an external event filter


This topic provides instructions on adding, editing, and viewing the external filters.

To understand the concept of external filters, see Managing-external-event-filters.

On the Admin > Network Admin > External Events page, do the following:

  1. Do one of the following:
    • To define a new external event filter, click Add .
    • To view or change an existing external event filter, select the external event filter and click Edit.
       For example, the event filter in the figure below is used to trigger the Auto Archive policy when a potential configuration change has been made by an external user.

      [Figure: EditExtEventFilter.png]
  2. Enter or update the information in the following fields:

    Name

    Specify a unique name for the filter.

    Enabled

    (Optional) Uncheck to disable the filter.

    Filter

    (Optional) Specify one or more syslog text strings that, when matched, are categorized, logged, and processed as the selected Event Type (for example, Configuration Changes) for the device.
    The string should be a regular expression, with .* at the beginning and end when needed to match arbitrary text at the edges. See Grammar-field-metacharacters for a summary of regular expression metacharacters.
    If the syslog message contains a username, enclose that part of the regular expression in parentheses (). TrueSight Network Automation extracts the username from the message so that it can track external changes back to the originating user.

    Example

    For example, an IOS syslog message that looks like this:
      %SYS-5-CONFIG_I: Configured from console by johndoe on vty0 (10.1.1.51)
    would be matched by this regular expression, which also extracts the username:
      .*SYS-5-CONFIG.*by (\S+) on.*

    • Filters should be ordered with more-specific expressions first, so that TrueSight Network Automation can make the best match. When you add new filters, they are added to the end of the list.
      For example, Cisco IOS can emit the configuration change message used in the preceding example with or without a user name. The expression that matches the version that includes the user name should be in the list ahead of the version that matches the message without a user name. Otherwise, TrueSight Network Automation does not extract the user name, because it stops at the first match.
    • Failure to extract a username from a syslog message does not harm the TrueSight Network Automation system in any way. Not all syslog messages include a username. The Auto Archive and other policies trigger regardless of whether or not usernames are successfully captured. The captured username is displayed as the originator when configuration information is displayed (such as in the Change Summary report).

    After specifying a syslog text string, click Add to list.

    Event Type

    Select an event type for this filter. The event type is used by the policy keywords and defines how the event is logged in the event log.

    Incoming Severity

    Select the syslog severity of the event for filter matching.

  3. Click Save.
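The following Python script is an added illustration, not part of this documentation or of the product's own code. It models the first-match evaluation and the ordering rule described for the Filter field, and adds a check that reports filters an earlier, broader expression would shadow. The filter names, the no-username fallback expression, and all sample messages except the page's own example line are constructed for the illustration.

```python
import re

# Filters in evaluation order: the first regex that matches wins.
# Each entry is (name, regex, event type). Regexes follow the page's
# conventions: .* at both ends, a capture group around the username.
# Filter names and the no-username fallback expression are constructed here.
SPECIFIC_FIRST = [
    ("ios-config-change-with-user", r".*SYS-5-CONFIG.*by (\S+) on.*", "Configuration Changes"),
    ("ios-config-change", r".*SYS-5-CONFIG.*", "Configuration Changes"),
]
# The same two filters in the wrong order (broad expression first).
GENERIC_FIRST = list(reversed(SPECIFIC_FIRST))

# Constructed sample syslog text; the first line is the page's own example.
SAMPLES = [
    "%SYS-5-CONFIG_I: Configured from console by johndoe on vty0 (10.1.1.51)",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]


def match_event(message, filters):
    """Return (filter name, event type, username or None) for the first
    filter whose regex matches the message, or None if nothing matches."""
    for name, pattern, event_type in filters:
        m = re.match(pattern, message)
        if m:
            username = m.group(1) if m.groups() else None
            return name, event_type, username
    return None


def shadowed_filters(filters, samples):
    """Names of filters that never win on any sample because an earlier,
    broader filter always matches first: the ordering mistake to avoid."""
    winners = set()
    for message in samples:
        result = match_event(message, filters)
        if result:
            winners.add(result[0])
    return [name for name, _, _ in filters if name not in winners]


if __name__ == "__main__":
    for label, filters in (("specific first", SPECIFIC_FIRST), ("generic first", GENERIC_FIRST)):
        print(label, [match_event(m, filters) for m in SAMPLES])
        print("  shadowed:", shadowed_filters(filters, SAMPLES))
```

With the generic expression listed first, the example message is still categorized as a configuration change, but the username is never captured and the specific filter is reported as shadowed.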
