EDR Format Configuration Mode Commands

The EDR Format Configuration Mode enables configuring Event Data Record (EDR) formats.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

attribute

This command allows you to specify the fields and their order in EDRs.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
attribute attribute { [ format { MM/DD/YY-HH:MM:SS | MM/DD/YYYY-HH:MM:SS | YYYY/MM/DD-HH:MM:SS | YYYYMMDDHHMMSS | seconds } ] [ localtime ] | [ { ip | tcp } { bytes | pkts } { downlink | uplink } ] priority priority }
no attribute attribute [ { ip | tcp } { bytes | pkts } { downlink | uplink } ] [ priority priority ]

no

If added previously, removes the specified attribute from the EDR format.

attribute

Specifies the attribute.

attribute must be one of the following:

Attributes Description

radius-called-station-id

This attribute reports the Called Station ID of the mobile handling the flow.

radius-calling-station-id

This attribute reports the Calling Station ID of the mobile handling the flow.

radius-fa-nas-identifier

This attribute reports the RADIUS NAS identifier of Foreign Agent (FA).

radius-fa-nas-ip-address

This attribute reports the RADIUS IP address of Foreign Agent (FA).

radius-nas-identifier

This attribute reports the RADIUS NAS identifier.

radius-nas-ip-address

This attribute reports the RADIUS NAS IP address.

radius-user-name

This attribute reports the user name associated with the flow.

sn-3gpp2-always-on

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-bsid

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-esn

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-ip-qos

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-ip-technology

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-release-indicator

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-service-option

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-session-begin

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-3gpp2-session-continue

This option has been deprecated.

To configure this attribute see the rule-variable command.

sn-acct-session-id

This attribute reports the unique session identifier for accounting.

sn-app-protocol

This attribute reports the application protocol for the flow. A value indicating the protocol, such as one of the following:

  • ACS_PROTO_UNKNOWN = 0
  • ACS_PROTO_GTP = 1
  • ACS_PROTO_IP = 2
  • ACS_PROTO_TCP = 3
  • ACS_PROTO_UDP = 4
  • ACS_PROTO_HTTP = 5
  • ACS_PROTO_HTTPS = 6
  • ACS_PROTO_FTP = 7
  • ACS_PROTO_FTP_CONTROL = 8
  • ACS_PROTO_FTP_DATA = 9
  • ACS_PROTO_WTP = 10
  • ACS_PROTO_WSP = 11
  • ACS_PROTO_WTP_WSP_CONNECTION_ORIENTED = 12
  • ACS_PROTO_WSP_CONNECTION_LESS = 13
  • ACS_PROTO_DNS = 14
  • ACS_PROTO_ICMP = 15
  • ACS_PROTO_POP3 = 16
  • ACS_PROTO_SIP = 17
  • ACS_PROTO_SDP = 18
  • ACS_PROTO_SMTP = 19
  • ACS_PROTO_EMAIL = 20
  • ACS_PROTO_MMS = 21
  • ACS_PROTO_FILE_TRANSFER = 22
  • ACS_PROTO_WWW = 23
  • ACS_PROTO_RTP = 24
  • ACS_PROTO_RTSP = 25
  • ACS_PROTO_IMAP = 26
  • ACS_PROTO_FLOW = 27
  • ACS_PROTO_CCA = 28
  • ACS_PROTO_P2P = 29
  • ACS_PROTO_RTCP = 30
  • ACS_PROTO_ICMPV6 = 31
  • ACS_PROTO_TFTP = 32
  • ACS_PROTO_PPTP = 33
  • ACS_PROTO_GREv1 = 34
  • ACS_PROTO_PPTP_GRE = 35
  • ACS_PROTO_SIP_ADV = 36
  • ACS_PROTO_SIP_BASIC_ADV = 37
  • ACS_PROTO_H323 = 38
  • ACS_PROTO_ESP = 50

sn-cf-category-classification-used

For Category-based Content Filtering, this attribute reports the last classification used by system for the flow, or blank if classification was never successfully performed.

For URL Blacklisting, specifies category of the blacklisted URL in the Blacklist database.

sn-cf-category-flow-action

For Category-based Content Filtering, this attribute reports the last action taken for the flow, or blank if content filtering was never performed. The following are the possible values:

  • allow
  • content-insert
  • discard
  • redirect-url
  • terminate-flow

For URL Blacklisting, this attribute reports the last action taken for the flow, or blank if Blacklist matching was never performed. The following are the possible values:

  • discard
  • terminate-flow
  • redirect-url
  • www-reply-code-terminate-flow

sn-cf-category-policy

For Category-based Content Filtering, this attribute reports the category policy identifier that was used for the flow, or blank if content filtering was never attempted for the flow.

sn-cf-category-rating-type

For Category-based Content Filtering, this attribute reports the type, either “static” or “dynamic” that was last successfully performed for the flow, or blank if content filtering was never successful for the flow.

For URL Blacklisting, specifies “blacklisting”.

sn-cf-category-unknown-url

This attribute reports the identifier for unknown URL under content filtering action. It holds either “1” for unknown URLs or “0” for the URLs having static rating in its database.

sn-closure-reason

This attribute reports the reason for termination of the flow/EDR:

  • 0: Normal end of flow
  • 1: End of flow by handoff processing
  • 2: Subscriber session terminated
  • 3: Inter-chassis Session Recovery switchover
  • 12: Completion of transaction

sn-correlation-id

This attribute reports the RADIUS correlation identifier.

sn-direction

This attribute reports the direction of the first packet for the flow. It has the following values:

  • toMobile: This value appears when direction of first packet is towards mobile node.
  • fromMobile: This value appears when direction of first packet is towards mobile node.
  • unknown: This value appears when the original originator of a flow cannot be determined (for example, a flow that is interrupted due to an Inter-chassis Session Recovery switchover).

sn-duration

This attribute reports the duration between the last and first packet for the record.

sn-end-time [ format format ] localtime

This attribute reports the timestamp for last packet of flow in UTC.

sn-fa-correlation-id

This attribute reports the RADIUS Correlation Identifier of the Foreign Agent (FA).

sn-fa-ip-address

This attribute reports IP address of the Foreign Agent (FA).

sn-filler-blank

This attribute inserts a blank filler field, generating an empty EDR field.

sn-filler-zero

This attribute inserts a “0” in the EDR field.

sn-flow-end-time

This attribute reports the time of flow-end EDR generation—when EDRs are generated at hagr, session-end, timeout, or normal-end-signaling conditions.

sn-start-time and sn-end-time fields of flow end-condition EDRs cannot be used to determine the duration of the flow if intermediate EDRs are generated (rule-match or transaction-complete or any other intermediate EDR).

sn-start-time field in an EDR gives the time the first packet was received after the last EDR was generated. So, whenever an EDR is generated, this field is reset to the time the EDR gets generated. So the sn-start-time field in flow end-condition EDRs may not have the time of the first packet received on that flow. It will have the time at which the last EDR was generated or the first packet time if no EDR was generated for that flow.

sn-end-time field gives the time at which the last packet on the flow was received. Flow end-condition EDRs may not be generated immediately after receiving the last packet. For example, in case of session-end or timeout EDRs, last packet time and EDR generation time may be different.

sn-flow-start-time gives the time of the first packet of the flow (irrespective of whether intermediate EDRs were generated), and sn-flow-end-time gives the time when EDRs are generated at hagr, session-end, timeout or normal-end-signaling conditions. The values of these fields will be populated in EDRs only for hagr, session-end, timeout and normal-end-signaling EDRs.

sn-flow-id

This attribute reports the flow-id assigned internally by the ECS module to each flow.

sn-flow-start-time

This attribute reports the time of the first packet of the flow (irrespective of whether intermediate EDRs were generated).

Also see sn-flow-end-time.

sn-format-name

This attribute reports the name of the EDR/UDR format used.

sn-group-id

This attribute reports the sequence group ID of the record.

sn-ha-ip-address

This attribute reports IP address of the Home Agent (HA).

sn-nat-binding-timer

For Network Address Translation (NAT) in-line service, this attribute reports the port chunk hold timer.

sn-nat-gmt-offset

For NAT in-line service, this attribute reports the GMT offset of the node generating NAT bind record.

sn-nat-ip

For NAT in-line service, this attribute reports the NAT IP address of the port chunk.

sn-nat-last-activity-time-gmt

For NAT in-line service, this attribute reports the time when the last flow in a specific NAT set of flows was seen.

sn-nat-port-block-end

For NAT in-line service, this attribute reports the last port number of the port chunk.

sn-nat-port-block-start

For NAT in-line service, this attribute reports the starting port number of the port chunk.

sn-nat-port-chunk-alloc-dealloc-flag

For NAT in-line service, this attribute reports whether the port chunk is allocated or released.

sn-nat-port-chunk-alloc-time-gmt

For NAT in-line service, this attribute reports when the port chunk was allocated.

sn-nat-port-chunk-dealloc-time-gmt

For NAT in-line service, this attribute reports when the port chunk was released.

sn-nat-realm-name

For NAT in-line service, this attribute reports the name of the NAT realm.

sn-nat-subscribers-per-ip-address

For NAT in-line service, this attribute reports the subscriber(s) per NAT IP address.

sn-parent-protocol

This attribute reports the parent protocol of the flow.

An integer value like in sn-app-protocol; for RTCP/RTP flows, the parent protocol may be RTSP or SIP; for GRE flows, the parent protocol will be PPTP, and so on.

sn-rulebase

This attribute reports the name of the ECS rulebase applied.

sn-sequence-no

This attribute reports the unique sequence number (per sn-sequence-group and radius-nas-ip-address) of the EDR identifier, which increases linearly within the EDR file.

sn-server-port

This attribute reports the TCP/UDP port number of the server in a subscriber’s data flow.

sn-start-time [ format format ] localtime

This attribute reports the timestamp for last packet of flow in UTC.

sn-subscriber-nat-flow-ip

For NAT in-line service, this attribute reports the NAT IP address of NAT-enabled subscriber.

sn-subscriber-nat-flow-port

For NAT in-line service, this attribute reports the NAT port number of NAT-enabled subscriber.

sn-subscriber-port

This attribute reports the TCP/UDP port number of the Mobile handling subscriber data flow.

sn-volume-amt { ip | tcp } { bytes | pkts } { uplink | downlink }

This attribute reports IP/TCP protocol-specific volume amount of downlink/uplink bytes/packets during a flow. This includes all the bytes/packets received by ECS, including the bytes/packets dropped and retransmitted by ECS.

sn-volume-dropped-amt { ip | tcp } { bytes | packets } { downlink | uplink }

For Stateful Firewall in-line service, this attribute reports IP/TCP protocol-specific volume amount of downlink/uplink bytes/packets dropped by Stateful Firewall during a flow.

sn-volume-ip-with-rtsp-or-rtp bytes { downlink | priority | uplink }

This attribute reports the IP volume amount of downlink/uplink bytes of an RTSP flow and the RTP flows controlled by it, or Comma Separated Value (CSV) position priority of this field. If uplink or downlink is not specified it shows the total of both.

transaction-downlink-bytes

This attribute reports the total downlink bytes for the transaction.

transaction-downlink-packets

This attribute reports the total downlink packets for the transaction.

transaction-uplink-bytes

This attribute reports the total uplink bytes for the transaction.

transaction-uplink-packets

This attribute reports the total uplink packets for the transaction.



format { MM/DD/YY-HH:MM:SS | MM/DD/YYYY-HH:MM:SS | YYYY/MM/DD-HH:MM:SS | YYYYMMDDHHMMSS | seconds }

Specifies the timestamp format.

localtime

Specifies timestamps with the local time. By default, timestamps are displayed in GMT/UTC.

{ ip | tcp } { bytes | pkts } { downlink | uplink }

Specifies bytes/packets sent/received from/by mobile.

priority priority

Specifies the position priority of the value within the EDR record. Lower numbered priorities (across all attribute, event-label, and rule-variable) occur first.

priority must be an integer from 1 through 65535. Up to 50 position priorities (across all attribute, event-label, and rule-variable) can be configured.


Usage:

Use this command to set the attributes and priority for EDR file format.

A particular field in an EDR format can be entered multiple times at different priorities. When removing an EDR field using the no attribute command, you can either remove all occurrences of a particular field by specifying the field name, or remove a single occurrence by additionally specifying the optional priority keyword.


Example:
The following is an example of this command:
attribute radius-user-name priority 12

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

event-label

This command allows you to specify an optional event label/identifier to be used as an attribute in the EDRs.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
event-label event_label priority priority
no event-label

no

If previously configured, removes the event label configuration.

event_label

Specifies the event label/identifier to be used as EDR attribute.

event_label must be an alphanumeric string of 1 through 63 characters.

priority priority

Specifies the Comma Separated Value (CSV) position of the attribute (label/identifier) in the EDR.

priority must be an integer from 1 through 65535.


Usage:

Use this command to configure an optional event label/identifier as an attribute in the EDR and its position in the EDR.


Example:
The following is an example of this command:
event-label radius_csv1 priority 23

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

rule-variable

This command allows you to specify fields and their order in EDRs.

Platform:

ASR 5000

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
rule-variable rule_variable priority priority [ in-quotes ]
no rule-variable rule_variable [ priority priority ]

no

If previously configured, removes the specified rule variable configuration.

rule_variable

Specifies the rule variable for the EDR format.

rule_variable must be one of the following options:

  • bearer 3gpp: 3GPP bearer-related fields:
    • charging-id: Charging ID of the bearer flow
    • imei: IMEI or IMEISV (depending on the case) associated with the bearer flow. Only available in StarOS 8.1 and later releases.
    • imsi: Specific Mobile Station Identification number.
    • rat-type: RAT type associated with the bearer flow. Only available in StarOS 8.1 and later releases.
    • sgsn-address: SGSN associated with the bearer flow. Only available in StarOS 8.1 and later releases. For MIPv6 calls, sgsn-address field is populated with HSGW address.
    • user-location-information: User location information associated with the bearer flow. Only available in StarOS 8.1 and later releases.
  • bearer 3gpp2: 3GPP2 bearer-related fields:
    • always-on: 3GPP2 always on indicator
    • bsid: 3GPP2 BSID
    • esn: 3GPP2 ESN
    • ip-qos: 3GPP2 IP QoS
    • ip-technology: 3GPP2 IP technology
    • release-indicator: 3GPP2 release indicator
    • service-option: 3GPP2 service option
    • session-begin: 3GPP2 session begin indicator
    • session-continue: 3GPP2 session continue indicator
  • bearer ggsn-address: GGSN IP address field. For MIPv6 calls, ggsn-address field in EDR will be populated with PGW address.
  • dns: Domain Name System (DNS) related fields:
    • answer-name: DNS answer name. This depends upon query type.
    • previous-state: DNS previous state information
    • query-name: DNS query name
    • return-code: DNS query response code
    • state: DNS current state information
    • tid: DNS Transaction Identifier
  • file-transfer: File Transfer related fields:
    • chunk-number: Number of chunks
    • current-chunk-length: Length of current chunk
    • declared-chunk-length: Declared size of the chunk
    • declared-file-size: Declared size of the file
    • filename: Name of the file being transferred
    • previous-state: Previous state of session
    • state: Current state of session
    • transferred-file-size: Transferred size of the file
  • ftp: File Transfer Protocol (FTP) related fields:
    • client-ip-address:
    • client-port
    • command name: Command sent
    • connection-type
    • filename: File name being transferred in any of the FTP-related commands
    • pdu-length: FTP PDU length
    • pdu-type
    • previous-state: Previous state of FTP session
    • reply code
    • server-ip-address
    • server-port
    • session-length: Total length of FTP session
    • state: Current state of FTP session
    • url: URL of file
    • user: User identifier
  • http: Hypertext Transport Protocol (HTTP) related fields:
    • ad-delivered: advertisement delivered using TPO text-with-click
    • ad-replaced: advertisement replaced with TPO 0-byte response
    • attribute-in-data: dynamic header field in application payload
    • attribute-in-url: dynamic header field in URL
    • compression-bytes-in: TPO compression bytes in
    • compression-bytes-out: TPO compression bytes out
    • content disposition
    • content length
    • content type
    • domain
    • dns-resolution-locally: TPO DNS resolution done locally
    • dns-resolution-remotely: TPO DNS resolution done remotely
    • header-length: HTTP header length
    • host
    • payload-length: Payload length
    • pdu-length
    • previous-state: Previous state of session
    • referer
    • reply code: HTTP response
    • request method: HTTP request method
    • session-length: Total length of HTTP session
    • state: Current state of session
    • tpo-enabled: TPO enabled/disabled for HTTP
    • transaction-length: Total length of HTTP transaction
    • transfer-encoding: Transfer encoding
    • uri: Uniform Resource Identifier
    • url: Uniform Resource Locator
    • user-agent
    • version
    • x-header: extension header
  • icmp: Internet Control Message Protocol (ICMP) related fields:
    • code: ICMP code
    • type: ICMP type
  • icmpv6: Internet Control Message Protocol Version 6 (ICMPv6) related fields:
    • code: ICMPv6 code
    • type: ICMPv6 type
  • imap: Internet Message Access Protocol (IMAP) related fields:
    • cc: IMAP e-mail CC field
    • command: IMAP command
    • content
    • date: IMAP e-mail Date field
    • final-reply: IMAP final reply
    • from: IMAP e-mail From field
    • mail-size: IMAP size of e-mail in RFC822 format
    • mailbox-size: IMAP number of e-mails in the mailbox
    • message-type: IMAP message type
    • previous-state: IMAP session previous state
    • session-length: IMAP session length
    • session-previous-state: IMAP session previous state
    • session-state: IMAP session state
    • state: IMAP state
    • subject: IMAP e-mail Subject field
    • to: IMAP e-mail To field
  • ip: Internet Protocol (IP) related fields:
    • dst-address: destination IP address
    • protocol: Protocol being transported by IP packet
    • server-ip-address: IP address of server. This field in EDR contains either the IPv4 or IPv6 address of the server for a particular flow (flow level). The maximum length of this field is 48 characters. For an IPv6 address, the maximum length is 45 characters; for an IPv4 address, the maximum length is 15 characters.
    • src-address: Source IP address
    • subscriber-ip-address: IP address of subscriber. This field in EDR contains either the IPv4 or IPv6 address of the client/subscriber for a particular call (subscriber level). The value of this field does not change for a particular call. The maximum length of this field is 48 characters. For an IPv6 address, the maximum length is 45 characters. For an IPv4 address, the maximum length is 15 characters.
    • total-length: Total length of packet, including payload
    • version: IP version
  • mms: Multimedia Message Service (MMS) related fields:
    • bcc
    • cc
    • content location
    • content type
    • date [ format { MM/DD/YYYY-HH:MM:SS | YYYY/MM/DD-HH:MM:SS } ]
    • from
    • message-size
    • previous-state
    • response status
    • state
    • subject
    • tid
    • to
  • p2p protocol: Peer-to-peer protocol field.
  • pop3: Post Office Protocol version 3 (POP3) related fields:
    • command name: Command of POP3 session
    • mail-size: Mail size
    • pdu-length: Length of POP3 PDU
    • pdu-type: Type of packet
    • previous-state: Previous state of POP3 session
    • reply status: Reply for the POP3 command
    • session-length: Total length of POP3 session
    • state: Current state of POP3 session
    • user-name: User of POP3 session
  • rtcp: RTP Control Protocol (RTCP) related fields:
    • control-session-flow-id: Flow ID of the controlling RTSP/SIP session
    • jitter: RTCP interarrival jitter
    • rtsp-id: RTSP ID of the RTCP flow
    • uri: URI of the control protocol related to the RTCP flow
  • rtp: Real-time Transfer Protocol (RTP) related fields:
    • control-session-flow-id: Flow ID of the controlling RTSP/SIP session
    • pdu-length: Length of RTP PDU
    • rtsp-id: RTSP ID of the flow
    • session-length: Total length of RTP session
    • uri: URI of the control protocol related to the RTP flow
  • rtsp: Real Time Streaming Protocol (RTSP) related fields:
    • command-id: RTSP command ID
    • content type
    • date: RTSP Date field
    • previous-state: RTSP previous state
    • reply code
    • request method 1: play method
    • request method 2: setup method
    • request method 3: pause method
    • request method 4: record method
    • request method 5: options method
    • request method 6: redirect method
    • request method 7: describe method
    • request method 8: announce method
    • request method 9: teardown method
    • request method 10: get-parameter method
    • request method 11: set-parameter method
    • request packet
    • rtp-uri: RTSP RTP-Info stream-uri field
    • session-id: RTSP session-id field
    • session-length: Total number of bytes passed through the RTSP data session
    • state: RTSP state
    • uri: RTSP uri field
    • uri sub-part
    • user-agent: RTSP user-agent field
  • sdp: Session Description Protocol (SDP) related fields:
    • connection-ip-address: IP address in SDP connection field
    • media-audio-port: Port used for audio media
    • media-video-port: Port used for video media
  • secure-http: HTTPS related field.
  • sip: Session Initiation Protocol (SIP) related fields:
    • call-id: SIP call-id field
    • content type
    • from: SIP From field
    • previous-state: SIP previous state
    • reply code
    • request method
    • request packet
    • state: SIP state
    • to: SIP To field
    • uri: SIP URI field
    • uri sub-part
  • smtp: Simple Mail Transfer Protocol (SMTP) related fields:
    • command name: Command of SMTP session
    • mail-size: Size of given mail
    • pdu-length: Length of SMTP PDU
    • previous-state: Previous state of SMTP session
    • recipient: SMTP e-mail Recipient field
    • reply status: Response for the SMTP command
    • sender: SMTP e-mail Sender field
    • session-length: Total length of SMTP session
    • state: Current state of SMTP session
  • tcp: Transmission Control Protocol (TCP) related fields:
    • dst-port: TCP destination port
    • duplicate: TCP retransmitted/duplicate packet
    • flag: Current packet TCP flag
    • out-of-order: TCP out of order packet analyzed
    • payload-length: TCP payload length
    • previous-state: Previous state of MS
    • src-port: TCP source port
    • state: Current state of MS
    • tpo-enabled: TPO enabled/disabled for TCP
  • traffic-type: Traffic type of flow (voice or non-voice depending upon flow type).
  • udp: User Datagram Protocol (UDP) related fields:
    • dst-port: UDP destination port
    • src-port: UDP source port
  • voip-duration: Duration of voice call, in seconds. For a flow in which voice call end is detected, output will be a non-zero value. For other flows it will be zero.
  • wsp: Wireless Session Protocol (WSP) related fields:
    • content type
    • domain: WSP domain name
    • host: WSP host name
    • pdu-length: WSP PDU length
    • pdu-type: WSP PDU type
    • reply code
    • session-length: WSP total packet length
    • tid: WSP transaction identifier
    • total-length: WSP total packet length
    • url: WSP URL
    • user-agent: WSP user agent
  • wtp: Wireless Transaction Protocol (WTP) related fields:
    • gtr: Group Transmission Flag
    • pdu-length: PDU length of the WTP packet
    • pdu-type: WTP protocol data unit information
    • previous-state: WTP previous state information
    • state: WTP current state information
    • tid: WTP transaction identifier
    • transaction class: WTP transaction class
    • ttr: WTP Trailer Transmission flag

IMPORTANT:

For more information on protocol-based rules, see the ACS Ruledef Configuration Mode Commands chapter.

priority priority

Specifies the CSV position of the field (protocol rule) in the EDR.

priority must be an integer from 1 through 65535.

in-quotes

Specifies placing double quotes (“ ”) around the specified field in the EDR.

IMPORTANT:

In this release, this keyword is only valid for the MMS protocol to and subject fields:

rule-variable mms to priority priority [in-quotes]
rule-variable mms subject priority priority [in-quotes]


Usage:

Use this command to specify what field appears in which order in the EDR.

A particular field in an EDR format can be entered multiple times with different priorities. When removing an EDR field using the no rule-variable command, you can either remove all occurrences of a particular field by specifying the field name, or remove a single occurrence by additionally specifying the optional priority keyword.


Example:
The following is an example of this command:
rule-variable tcp dst-port priority 36
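
Added example (not part of the original reference and not vendor code): a Python parser showing how a log consumer can derive the CSV column order from the attribute, event-label and rule-variable priorities described above, then decode sn-app-protocol and sn-closure-reason in a record. It assumes each format entry is written on one line, that records are plain CSV, and that the event label text itself is the field value; SAMPLE_FORMAT, SAMPLE_RECORD and the function names are constructed for illustration.

```python
import csv
import re

# Value tables taken from the sn-app-protocol (subset) and sn-closure-reason
# descriptions on this page.
APP_PROTOCOL = {0: "UNKNOWN", 3: "TCP", 4: "UDP", 5: "HTTP", 6: "HTTPS",
                14: "DNS", 21: "MMS", 29: "P2P"}
CLOSURE_REASON = {
    0: "Normal end of flow",
    1: "End of flow by handoff processing",
    2: "Subscriber session terminated",
    3: "Inter-chassis Session Recovery switchover",
    12: "Completion of transaction",
}
# sn-parent-protocol uses the same integer values as sn-app-protocol.
DECODERS = {"sn-app-protocol": APP_PROTOCOL, "sn-parent-protocol": APP_PROTOCOL,
            "sn-closure-reason": CLOSURE_REASON}

# Assumption: each format entry is written on one line.
ENTRY_RE = re.compile(
    r"^(attribute|rule-variable|event-label)\s+(.+?)\s+priority\s+(\d+)(?:\s+in-quotes)?$")

# Constructed sample format; the first three entries reuse the page's examples.
SAMPLE_FORMAT = """\
rule-variable tcp dst-port priority 36
attribute radius-user-name priority 12
event-label radius_csv1 priority 23
attribute sn-app-protocol priority 40
attribute sn-closure-reason priority 50
rule-variable mms subject priority 60 in-quotes
"""
# Constructed sample record matching SAMPLE_FORMAT.
SAMPLE_RECORD = 'user1@example.net,radius_csv1,80,21,12,"Meeting, 3pm"'


def column_order(format_lines):
    """Return column names sorted by priority across all three commands."""
    entries = []
    for raw in format_lines:
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised format entry: {line!r}")
        kind, name, prio = m.group(1), m.group(2), int(m.group(3))
        if not 1 <= prio <= 65535:
            raise ValueError(f"priority out of range 1-65535: {line!r}")
        if kind == "event-label":
            if not 1 <= len(name) <= 63:
                raise ValueError("event label must be 1 through 63 characters")
            name = "event-label"  # assumption: the label text is the field value
        entries.append((prio, name))
    if len(entries) > 50:
        raise ValueError("more than 50 position priorities configured")
    if len({p for p, _ in entries}) != len(entries):
        # Parser policy (not stated on the page): equal priorities make the
        # column order ambiguous, so refuse to guess.
        raise ValueError("duplicate priority")
    return [name for _, name in sorted(entries)]


def parse_record(line, columns):
    """Map one CSV EDR line onto the configured columns, decoding enum fields."""
    fields = next(csv.reader([line]))
    if len(fields) != len(columns):
        # A count mismatch means the record does not match this format
        # (format changed, or an unquoted comma shifted the columns).
        raise ValueError(f"expected {len(columns)} fields, got {len(fields)}")
    record = {}
    for name, value in zip(columns, fields):
        table = DECODERS.get(name)
        if table is not None and value.isdigit():
            value = table.get(int(value), value)
        record[name] = value
    return record


if __name__ == "__main__":
    cols = column_order(SAMPLE_FORMAT.splitlines())
    print(cols)
    print(parse_record(SAMPLE_RECORD, cols))
```

Rejecting records whose field count differs from the configured format keeps a changed format or a shifted column from silently mislabelling values in downstream detection or billing logic.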