Configuring Event Logging

 

Event Logging Overview

The evaluated configuration requires the auditing of configuration changes through the system log.

In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).

  • Allow authorized managers to examine audit logs.

  • Send audit files to external servers.

  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the following events:

  • Changes to secret key data in the configuration.

  • Committed changes.

  • Login/logout of users.

  • System startup.

  • Failure to establish an SSH session.

  • Establishment/termination of an SSH session.

  • Changes to the (system) time.

  • Termination of a remote session by the session locking mechanism.

  • Termination of an interactive session.

In addition, Juniper Networks recommends that logging also:

  • Capture all changes to the configuration.

  • Store logging information remotely.

Configuring Event Logging to a Local File

You can configure storing of audit information to a local file with the syslog statement. This example stores logs in a file named Audit-File:

Interpreting Event Messages

The following output shows a sample event message.

Table 1 describes the fields for an event message. If the system logging utility cannot determine the value in a particular field, a hyphen ( - ) appears instead.

Table 1: Fields in Event Messages

Field: timestamp
Description: Time when the message was generated, in one of two representations:

  • MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second and millisecond in local time. The hour and minute that follow the plus sign (+) or minus sign (-) are the offset of the local time zone from Coordinated Universal Time (UTC).

  • YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second and millisecond in UTC.

Examples: Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T09:17:15.719Z is 2:33 AM UTC on 27 Feb 2012.

Field: hostname
Description: Name of the host that originally generated the message.
Examples: router1

Field: process
Description: Name of the Junos OS process that generated the message.
Examples: mgd

Field: processID
Description: UNIX process ID (PID) of the Junos OS process that generated the message.
Examples: 4153

Field: TAG
Description: Junos OS system log message tag, which uniquely identifies the message.
Examples: UI_DBASE_LOGOUT_EVENT

Field: username
Description: Username of the user initiating the event.
Examples: “admin”

Field: message-text
Description: English-language description of the event.
Examples: set: [system radius-server 1.2.3.4 secret]
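
When reviewing audit logs, the fields in Table 1 can be separated mechanically. The Python parser below is an added example, not Juniper code. It assumes the line layout timestamp hostname process[processID]: TAG: User 'username' message-text, and its sample lines are constructed from the example values in Table 1.

```python
import re
from datetime import datetime, timezone

# Assumed layout (not taken from the page, whose sample message is missing):
#   <timestamp> <hostname> <process>[<processID>]: <TAG>: User '<username>' <message-text>
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\S*) +"
    r"(?P<hostname>\S+) +(?P<process>[^\s\[:]+)(?:\[(?P<processID>\d+|-)\])?: +"
    r"(?P<tag>[A-Z][A-Z0-9_]*|-): *(?P<text>.*)$"
)
USER_RE = re.compile(r"User ['\"](?P<username>[^'\"]+)['\"] *")

SAMPLE = [  # constructed lines built from the example values in Table 1
    "Feb 27 02:33:04 router1 mgd[4153]: UI_DBASE_LOGOUT_EVENT: User 'admin' exiting configuration mode",
    "2012-02-27T09:17:15.719Z router1 mgd[-]: -: User 'admin' set: [system radius-server 1.2.3.4 secret]",
]


def parse_timestamp(ts):
    """Return an aware datetime for the UTC form; None for the local form,
    which carries no year and so is kept only as text."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_event(line):
    """Split one event message into the Table 1 fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    text = m.group("text")
    # A hyphen means the logging utility could not determine that field.
    ev = {k: (None if v == "-" else v) for k, v in m.groupdict().items() if k != "text"}
    ev["utc"] = parse_timestamp(ev["timestamp"])
    user = USER_RE.match(text)
    ev["username"] = user.group("username") if user else None
    ev["message_text"] = text[user.end():] if user else text
    return ev


if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_event(raw))
```

Lines that return None do not fit the assumed layout and are worth examining by hand rather than being dropped silently.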

Logging Changes to Secret Data

The following are examples of audit logs for events that change secret data. Whenever the configuration example is changed, the syslog should capture the following logs:

Every time a configuration is updated or changed, the syslog should capture these logs:

Login and Logout Events Using SSH

System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:

Logging of Audit Startup

The audit information logged includes startups of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information: