add system event-handler

2 files changed, 50 insertions, 1 deletions

diff --git a/docs/system/eventhandler.rst b/docs/system/eventhandler.rst
new file mode 100644
index 00000000..6204abcc
--- /dev/null
+++ b/docs/system/eventhandler.rst
@@ -0,0 +1,48 @@
+.. _event-handler:
+
+Event Handler
+-------------
+
+Event handler allows you to execute scripts when a string that matches a regex appears in a text stream (e.g. log file).
+
+It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched.
+
+.. code-block:: sh
+
+  system
+  event-handler
+      feed <name>
+      description <feed description>
+      policy <policy name>
+      source
+          preset
+          syslog # Use the syslog logs for feed
+          custom
+          command <command to execute> # E.g. "tail -f /var/log/somelogfile"
+          named-pipe <path to a names pipe>
+      policy <policy name>
+      description <policy description>
+      event <event name>
+          description <event description>
+          pattern <regex>
+          run <command to run>
+
+In this small example a script runs every time a login failed and an interface goes down
+
+.. code-block:: sh
+
+  vyos@vyos# show system event-handler 
+  feed Syslog {
+      policy MyPolicy
+      source {
+          preset syslog
+      }
+  }
+  policy MyPolicy {
+      description "Test policy"
+      event BadThingsHappened {
+          pattern "authentication failure"
+          pattern "interface \.* index \d+ .* DOWN.*"
+          run /config/scripts/email-to-admin 
+      }
+  }
\ No newline at end of file
diff --git a/docs/system/index.rst b/docs/system/index.rst
index aa414a82..7cd641fa 100644
--- a/docs/system/index.rst
+++ b/docs/system/index.rst
@@ -10,7 +10,8 @@ should be ready for further configuration which is described in this chapter.
 .. toctree::
    :maxdepth: 2
    :hidden:
-
+   
+   eventhandler
    host-information
    systemusers
    syslog