Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Syslog Server Configuration on a Linux System

 

A secure Junos OS environment requires auditing of events and storing them in a local audit file. The recorded events are simultaneously sent to an external syslog server. A syslog server receives the syslog messages streamed from the device. The syslog server must have an SSH client with NETCONF support configured to receive the streamed syslog messages.

Use the configuration details to establish session between the target of evaluation (TOE) and the audit server. Examine the generated audit data transferred to the audit server.

The NDcPP logs capture the following events:

  • Changes to secret key data in the configuration.

  • Committed changes.

  • Login and logout of users.

  • System startup.

  • Failure to establish an SSH session.

  • Establishment or termination of an SSH session.

  • Changes to the (system) time.

  • Termination of a remote session by the session locking mechanism.

  • Termination of an interactive session.

  • Changes to modification or deletion of cryptographic keys.

  • Password resets.

  • Capture all changes to the configuration.

  • Store logging information remotely.

Configuring Event Logging to a Remote Server

To configure event logging to a remote server when the SSH connection to the ToE is initiated from the remote system log server.

  1. Generate an RSA public key on the remote syslog server.

    You will be prompted to enter the desired pass phrase. The storage locations for the syslog-monitor key pair is displayed.

  2. On the TOE, create a class named monitor that has permission to trace events.
  3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor key pair from the key pair file located on the remote syslog server.
  4. Set up NETCONF with SSH.
  5. Configure syslog to log all the messages at /var/log/messages..
  6. On the remote system log server, start up the SSH agent ssh-agent. The start up is required to simplify the handling of the syslog-monitor key.
  7. On the remote syslog server, add the syslog-monitor key pair to the ssh-agent.

    You will be prompted to enter the desired passphrase. Enter the same passphrase used in Step 1.

  8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.
  9. After NETCONF is established, configure a system log events message stream. This RPC will cause the NETCONF service to start transmitting messages over the SSH connection that is established.

    <rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>

  10. The examples for syslog messages are listed below. Monitor the event log generated for admin actions on TOE are received on syslog server. Examine the traffic that passes between the audit server and the TOE, observing that these data are not viewed during this transfer, and that they are successfully received by the audit server. Match the logs between local event logging and remote event logged in syslog server and record the particular software (name, version) used on the audit server during testing.

The following output shows test log results for syslog-server.

Net configuration channel

The following output shows event logs generated on the TOE that are received on the syslog server.

Net configuration channel

The following output shows that the local syslogs and remote syslogs received were similar.