Turning On Logging

Problem

You want to monitor all systemwide operations by saving all log messages to a file on the router.

Solution

Use the following commands to save all log messages to a file called messages:

	[edit]
	aviva@router1# set system syslog file  messages  any info 

 

Discussion

The most common place to save system logging messages is on the router. If you do not configure logging, it is turned on by default and sends messages to the file messages (located in /var/log on M-series and T-series routers and in /cf/var/log on J-series routers). The messages logged are those from all facilities that have a severity notice and all authorization messages. If you were to configure the default settings, the configuration file would look like this:

	[edit system syslog]
	file messages {
	 any notice;
	 authorization info;
	}

This recipe modifies the default so messages from all facilities (any) and all severities (info) are logged. Keep in mind that for a given severity level, the software logs all messages at that level and at all more serious levels, so when you specify the lowest severity level, info, you are in effect recording all system log messages except for debug messages. You could also specify any instead of info here.

When you want to review the system log messages, use the show log command. In all system log message files, the messages are listed in order, from oldest to newest. As the file gets large, you have to scroll through a lot of lines to get to the most recent messages. You can shorten the output by using some of the CLI command filters. For example, you can specify today's date and time to list only the most recent messages (match is simply the Unix grep utility):

	aviva@router1> show log messages | match "Mar 9 11:5"
	Mar 9 11:54:31 router1 login: LOGIN_INFORMATION: User aviva logged in from host
	172.17.28.19 on device ttyp1
	Mar 9 11:54:34 router1 mgd[29108]: UI_DBASE_LOGIN_EVENT: User 'aviva' entering
	configuration mode
	Mar 9 11:56:13 router1 mgd[29108]: UI_DBASE_LOGOUT_EVENT: User 'aviva' exiting
	configuration mode
	Mar 9 11:57:52 router1 mgd[28332]: UI_DBASE_LOGOUT_EVENT: User 'aviva' exiting
	configuration mode

If you want to find out who has logged in to the router today, you can set up a chain of filters:

	aviva@router1> show log messages | match LOGIN | match "Mar 16"
	Mar 16 11:00:53 router1 login: LOGIN_INVALID_LOCAL_USER: No entry in local password
	file for user pwd
	Mar 16 11:00:54 router1 login: 
LOGIN_PAM_AUTHENTICATION_ERROR: PAM auhentication
	error for user pwd
	Mar 16 11:00:54 router1 login: LOGIN_FAILED: Login failed for user pwd from host
	Mar 16 11:00:55 router1 login: LOGIN_INFORMATION: User root logged in from host
	[unknown] on device ttyd0
	Mar 16 21:57:59 router1 login: LOGIN_INFORMATION: User aviva logged in from host
	172.17.28.108 on device ttyp0
	Mar 16 21:58:04 router1 mgd[4102]: UI_DBASE_LOGIN_EVENT: User 'aviva' entering
	configuration mode

You can create multiple system logging files to track messages from different sources and of different severities. Instead of sifting through the messages file to find out what users and processes have been logging in to the router, you can configure a system logging file for only those activities.

	[edit system syslog]
	aviva@router1# set file security authorization info

The following are examples of some of the logging messages that are saved as a result of this configuration:

	aviva@router1> show log security
	Mar 18 01:53:41 router1 init: ntp (PID 4194) exit on SIGHUP, will be restarted to
	get the new config
	Mar 18 01:53:41 router1 init: ntp (PID 4644) started
	Mar 18 01:54:16 router1 login: LOGIN_INFORMATION: User aviva logged in from host
	172.17.28.108 on device ttyp0
	Mar 18 01:55:41 router1 init: ntp (PID 4644) exit on SIGHUP, will be restarted to
	get the new config
	Mar 18 01:55:41 router1 init: ntp (PID 5006) started

By default, only the root user and users with the JUNOS maintenance permission can read the contents of logfiles (see Recipe 2.10). If a number of people need to be able to read a system logfile, you should change the permission on the file. This is similar to the Unix chmod utility.

	[edit system syslog]
	aviva@router1# set file messages archive world-readable
	aviva@router1# set file security archive world-readable

To verify that the file permissions have changed, use the file list detail command. The files are still owned by root, but they are readable by anyone.

	aviva@router1> file list detail /var/log
	-rw-rw-r-- 1 root wheel 5883 Mar 18 02:00 messages
	-rw-rw-r-- 1 root wheel 17638 Mar 18 02:01 security

 

See Also

Recipe 2.10


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net