Keywords can be one of the following types:
- Event: Any event that is logged to the Event Log (for example from external syslog or user event).
- Change: TrueSight Network Automation detected a configuration file change or an OS image change.
- Discrepancy: Network Automation detected a configuration file or an OS image discrepancy (for example difference between the trusted production configuration and the current configuration).
Note
The Change Detected keyword is used to detect changes to the Running, Startup, and other configurations and to the operating system. To detect hardware changes, use the Hardware Change Detected keyword (Type=Event, Category=Device, Event=Hardware inventory has been updated.).
Click here to view the predefined keywords that are delivered with TrueSight Network Automation and, which assist in establishing policies.
| |
|---|
All Compliance Violations Cleared | All compliance violations on the current configurations have been cleared. |
All Discrepancies Cleared | All discrepancies between running versus startup, running versus trusted running, startup versus trusted startup, and OS image are cleared on the device. |
| A change has been detected in a configuration file. |
Compliance Violation Detected | A compliance violation on a device was detected. Compliance violation events are logged for rules in enabled and assigned compliance rule sets. |
| A potential configuration change has occurred on a device. |
| Detects high CPU usage reported on a device. |
| A denial of service event has been received from a device. |
Deploy to Active Request Failed | A user or policy-based Deploy to Active action for a device has failed. |
| A discrepancy has been detected between the device's trusted production configuration and the current configuration. |
| A duplicate IP address event has been received from a device. |
External Change Task Close Failure | The External Change Task Close task fails. |
| The system has detected a hardware change on a device (for example, new or removed board, flash, or memory chip.) |
| A link down event has been received from a device. |
| A memory event has been received from a device. |
| A change to the operating system version has been detected. |
| A user or policy Remediate action with a rule, rule set, or all assigned rules has failed for a device. |
| A security event has been received from a device. |
| A high severity event (0/1) has been received from the device. |
| A user or policy-based configuration snapshot for a device failed. |
| A system reboot has been detected on a device. |
This topic describes how to add, edit, or copy keywords for policy conditions and also shows some examples.
To add, edit, or copy keywords for policy conditions
- Open the Keywords page by clicking the Policies tab, and selecting Policies > Keywords.
- On the Keywords page, perform one of the following actions:
- To add a new keyword, click Add.
- To edit an existing keyword, click Edit.
- To create a new keyword by copying and editing an existing keyword, click Copy.
- Enter a unique name for the keyword, up to 40 characters.
- Select the type of keyword: Event, Change, or Discrepancy. You cannot edit the keyword type after it is saved.
- Enter or update information in the displayed fields:
For an Event keyword:
The [confluence_table-plus] macro is a standalone macro and it cannot be used inline. Click on this message for details.
This macro generates standalone content. As a consequence you need to make sure to use a syntax that separates your macro from the content before and after it so that it's on a line by itself. For example in XWiki Syntax 2.0+ this means having 2 newline characters (a.k.a line breaks) separating your macro from the content before and after it.
For a Change keyword:
The [confluence_table-plus] macro is a standalone macro and it cannot be used inline. Click on this message for details.
This macro generates standalone content. As a consequence you need to make sure to use a syntax that separates your macro from the content before and after it so that it's on a line by itself. For example in XWiki Syntax 2.0+ this means having 2 newline characters (a.k.a line breaks) separating your macro from the content before and after it.
For a Discrepancy keyword:
The [confluence_table-plus] macro is a standalone macro and it cannot be used inline. Click on this message for details.
This macro generates standalone content. As a consequence you need to make sure to use a syntax that separates your macro from the content before and after it so that it's on a line by itself. For example in XWiki Syntax 2.0+ this means having 2 newline characters (a.k.a line breaks) separating your macro from the content before and after it.
- Click Save.
Back to top
Editing examples
The following figures show the editing of out-of-the-box keywords, one of each type (Change, Event, and Discrepancy). Click each figure to enlarge.
Back to top
Viewing-the-keywords-listing