A message discriminator is a syslog processor. A message discriminator is associated with a syslog session and binds that session to a transport connection.
Prior to message delivery, the message is subject to the message discriminator with a user-specified list of criteria. After the first filtering criterion results in a message being blocked, the filtering check stops.
The sequence of criteria in the CLI does not affect the sequence in which criteria are checked.
- Following are filtering criteria. These criteria are checked in the order listed here:
- Severity level or levels specified
- Facility within the message body that matches a regular expression
- Mnemonic that matches a regular expression
- Part of the body of a message that matches a regular expression
A message discriminator offers the following capabilities:
- Optional rate limiting—Transmission rate of messages specifies a per time interval that is not to be exceeded. If the rate limit is exceeded, messages are either delayed or dropped, at the discretion of the device. The application of a rate limiter means that reliable delivery of syslog messages over that syslog session is no longer guaranteed. The purpose of a rate limiter is to avoid potential “flooding” at recipient syslog servers for applications that do not require guaranteed syslog delivery.
- Correlating—Inspecting candidate event messages and possibly aggregating information across events, creating a new event that contains the aggregated information. Correlating functions include:
- Elimination of duplicate messages by maintaining a message count and waiting a specific time period between sending the first message of a certain type and sending the next message of that type.
- Elimination of oscillating messages.
- Simple message correlation; for example, if one message is a symptom of a cause reported by another message, one consolidated message is reported.
A message discriminator can be associated with a specific destination and transport; that is, the filter can be host dependent. For this reason, a message discriminator is attached to a syslog session, transport, or channel, with possible device support for multiple sessions, transports, or channels, each of which can be attached to a different discriminator.
The establishment of a message discriminator should be separate from the establishment of a syslog session. A message discriminator should refer to the syslog session, transport, or channel to which it should be attached. The reasons for the separation are the following:
- Message discriminators can be managed separately from the connections. Refinements in the capabilities available to set up message discriminators need not affect how syslog sessions are set up and vice versa.
- Multiple connections can be attached to the same message discriminator, allowing for various syslog redundancy topologies.
When an explicit message discriminator is not associated with a syslog session, the generic message discriminator from the device-wide global settings is used. You can create an “empty” message discriminator without specifying attribute values (no rate limit and no filter configured).