[j-nsp] event policy, matching event attributes without correlation

[Grzegorz Banasiak]

Hello everyone,

I want to reconfigure a router automatically according to the presence
or lack of presence of certain traffic (let's assume for the sake of
this thread that it is the only solution to a more general problem).

It seemed that appropriate combination of firewall filter counter, RMON
and event policy would do the job but I found the last mechanism
behaviour a little bit confusing.

Configuration (JUNOS 7.6R1.9):

[snmp rmon]
alarm 1 {
    interval 5;
    variable jnxFWBytes.x.y.z....; ## OID of a firewall filter counter
    sample-type delta-value;
    rising-threshold 1000;
    falling-threshold 0;
    falling-event-index 1;
    syslog-subtag thereIsNoTraffic;
}
alarm 2 {
    interval 5;
    variable jnxFWBytes.x.y.z....; ## as above
    sample-type delta-value;
    rising-threshold 1000;
    rising-event-index 2;
    syslog-subtag trafficPresent;
}
event 1 {
    description "There is no traffic";
    type log;
}
event 2 {
    description "Traffic present";
    type log;
}

[event-options]
policy wall-when-there-is-no-traffic {
    events SNMPD_RMON_EVENTLOG;
    within 60 {
        ## event that should never occur
        ## without "within" thing, "attributes-match" cannot be used
        not events SDXD_DAEMONIZE_FAIL;
    }
    attributes-match {
        SNMPD_RMON_EVENTLOG.subtag matches "thereIsNoTraffic";
    }
    then {
        execute-commands {
            commands {
                ## not a real configuration - just for test purposes
                "request message all message no-traffic";
            }
            output-filename wall-no-traffic;
            destination local;
            output-format text;
        }
    }
}
destinations {
    local {
        archive-sites {
            file:///var/home/...;
        }
    }
}

RMON monitors a firewall counter. If zero traffic is detected, RMON
raises event 1 with subtag "thereIsNoTraffic". If non-zero traffic (here
1000 B in 5 s) is detected, RMON raises event 2 with subtag
"trafficPresent". Event policy "wall-when-there-is-no-traffic" tries to
catch only the first event and display a message on all terminals.

Questions:
Why it is not possible to match event attributes (regexp) without
"within" clause? Is attribute matching meant to be used only in case of
correlation of *different* events? If so, how may I distinguish between
two different subtypes of the *same* event (SNMPD_RMON_EVENTLOG)? I
tried to bypass this problem by introducing a condition that should
never occur ("not events SDXD_DAEMONIZE_FAIL") but the above config
ignores the attribute match and reacts to both conditions - traffic
absent/present. Is there a way to raise two different events (from event
policy point of view) in this scenario?

TIA.