Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Event Logging Overview

 

The evaluated configuration requires the auditing of configuration changes through the system log.

In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).

  • Allow authorized managers to examine audit logs.

  • Send audit files to external servers.

  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the events. The logging events are listed below:

Table 1 shows sample for syslog auditing for NDcPPv2:

Table 1: Auditable Events

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FAU_GEN.1

None

None

FAU_GEN.2

None

None

FAU_STG_EXT.1

None

None

FAU_STG.1

None

None

FCS_CKM.1

None

None

FCS_CKM.2

None

None

FCS_CKM.4

None

None

FCS_COP.1/ DataEncryption

None

None

FCS_COP.1/SigGen

None

None

FCS_COP.1/Hash

None

None

FCS_COP.1/KeyedHash

None

None

FCS_RBG_EXT.1

None

None

FDP_RIP.2

None

None

FIA_AFL.1

Unsuccessful login attempts limit is met or exceeded.

Origin of the attempt (e.g., IP address).

sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.164 limit="3" username="root"] Threshold for unsuccessful authentication attempts (3) reached by user 'root'

FIA_PMG_EXT.1

None

None

FIA_UIA_EXT.1

All use of identification and authentication mechanism.

Provided user identity, origin of the attempt (e.g., IP address).

Successful Remote Login

mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user'

mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'

Unsuccessful Remote Login

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Successful Local Login

login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0

login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0

Unsuccessful Local Login

login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module

login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0

FIA_UAU_EXT.2

All use of identification and authentication mechanism.

Origin of the attempt (e.g., IP address).

Successful Remote Login

mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user'

mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'

Unsuccessful Remote Login

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Successful Local Login

login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0

login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0

Unsuccessful Local Login

login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module

login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0

FIA_UAU.7

None

None

FMT_MOF.1/ ManualUpdate

Any attempt to initiate a manual update.

None

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request system software add /var/tmp/junos-srxsme-20.2R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-srxsme-20.2R1.1.tgz no-validate '

FMT_MTD.1/CoreData

All management activities of TSF data

None

Refer to the audit events listed in this table.

FMT_SMF.1/IPS

None

None

None

FMT_SMF.1/ND

None

None

None

FMT_SMF.1/FFW

All management activities of TSF data (including creation, modification and deletion of firewall rules).

None

<30>1 2020-08-11T11:15:00.025-07:00 cartier nsd 2095 NSD_SYS_TIME_CHANGE - System time has changed. <38>1 2020-08-11T11:15:25.214-07:00 cartier init - - - chassis-control (PID 2059) exited with status=69 <38>1 2020-08-11T11:15:25.217-07:00 cartier init - - - chassis-control (PID 47908) started <29>1 2020-08-11T11:16:08.805-07:00 cartier chassisd 47908 CHASSISD_RECONNECT_SUCCESSFUL - Successfully reconnected on soft restart

FMT_SMR.2

None

None

FPT_SKP_EXT.1

None

None

FPT_APW_EXT.1

None

None

FPT_TST_EXT.1

None

None

FPT_TUD_EXT.1

Initiation of update; result of the update attempt (success or failure)

None

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request system software add /var/tmp/junos-srxsme-20.2R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-srxsme-20.2R1.1.tgz no-validate '

FPT_STM.1

Discontinuous changes to time - either Administrator actuated or changed through an automated process.

For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (such as, IP address).

mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '

mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed

FTA_SSL_EXT.1 (if terminate the session is selected)

The termination of a local interactive session by the session locking mechanism.

None

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

FTA_SSL.3

The termination of a remote session by the session locking mechanism.

None

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

FTA_SSL.4

The termination of an interactive session.

None

mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout

FTA_TAB.1

None

None

FCS_SSHS_EXT.1

Failure to establish an SSH session

Reason for failure

sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found.

Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc

FTP_ITC.1

Initiation of the trusted channel.

Termination of the trusted channel. Failure of the trusted channel functions

Identification of the initiator and target of failed trusted channels establishment attempt

Initiation of the trusted path

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

FTP_TRP.1/Admin

Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.

None

Initiation of the trusted path

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482

Failure of the trusted path

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

FCS_SSHS_EXT.1

Failure to establish an SSH session

Reason for failure

sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found.

Their offer: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc

FIA_X509_EXT.1/Rev

Unsuccessful attempt to validate a certificate

Reason for failure

verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProduction TestEc_2017_NO_DEFECTS/emailAddress =ca@juniper.net

FIA_X509_EXT.2

None

None

FIA_X509_EXT.3

None

None

FMT_MOF.1/Functions

Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full.

None

mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately init - - - network-security (PID 72907) terminated by signal number 9! init - - - network-security (PID 72929) started

FMT_MOF.1/Services

Starting and stopping of services.

None

FMT_MTD.1/ CryptoKeys

Management of cryptographic keys.

None

SSH key

ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg + YBLbFR3TdmJMpm6D1FSjRo6lVE4

ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/ sYv871hwWUzSG8hNqyMUe1cNc0

IPSEC keys

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2

FFW_RUL_EXT.1

Application of rules configured with the ‘log’ operation

Source and destination addresses.

Source and destination ports. Transport Layer Protocol TOE Interface

RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.164 source-address="1.1. 1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" nat-source-address="1.1.1.2" nat-source-port="10001" nat-de stination-address="2.2.2.2" nat-destination-port="21" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protoco l-id="6" policy-name="p1" source-zone-name="ZO_A" destination-zone-name="ZO_B" session-id-32="5" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" application="UNKN OWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp= "N/A" dst-vrf-grp="N/A"] session created 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 1.1.1.2/10001->2.2.2.2/21 0x0 N/A N/A N/A N/A 6 p1 ZO_A ZO_B 5 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets.

Identifier of rule causing packet drop

RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1. 2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-na me="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="D enied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp=" N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A

FFW_RUL_EXT.2

None

None

FCS_IPSEC_EXT.1

Session Establishment with peer

Entire packet contents of packets transmitted/received during session establishment

kmd 6619 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" ga teway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-gro up-id="0" traffic-selector-name="" traffic-selector-cfg-local-id= "ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" traffic-selector-cfg-remote-id= "ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argume nt1="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Loca l IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-se lector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static

FIA_X509_EXT.1

Session establishment with CA

Entire packet contents of packets transmitted/received during session establishment

kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name=""vpn1"" remote-address=""5.5.5.1"" local-address=""11.11.11.1"" ga teway-name=""gw1"" group-name=""vpn1"" tunnel-id=""131073"" interface-name=""st0.0"" internal-ip=""Not-Available"" name=""11.11.11.1"" peer-name=""5.5.5.1"" client-name=""Not-Applicable"" vrrp-group-id=""0"" traffic-selector-name= """" traffic-selector-cfg-local-id=""ipv4_subnet(any:0, [0..7\]=0.0.0.0/0)"" traffic-selector-cfg-remote-id= ""ipv4_subnet(any: 0,[0..7\]=0.0.0.0/0)"" argument1= ""Static""] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static

FPF_RUL_EXT.1

Application of rules configured with the ‘log’ operation

Source and destination addresses.

Source and destination ports. Transport Layer Protocol TOE Interface

RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.164 source-address="1.1. 1.2" source-port="10001" destination-address="2.2.2.2" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="1.1.1.2" nat-source-port="10001" na t-destination-address="2.2.2.2" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" pro tocol-id="17" policy-name="p1" source-zone-name="A" destination-zone-name="B" session-id-32="1" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" application="UNKNO WN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp=" N/A" dst-vrf-grp="N/A"] session created 1.1.1.2/10001->2.2.2.2/53 0x0 junos-dns-udp 1.1.1.2/10001->2.2.2.2/53 0x0 N/A N/A N/A N/A 17 p1 A B 1 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UN KNOWN N/A N/A -1 N/A N/A N/A

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets

"""PERF_MON - RTPERF_CPU_UTIL_MAX [junos@2636.1.1.1.2.164 fpc-slot=""""0"""" pic-slot=""""0""""] FPC 0 PIC 0 CPU Utilization greater than 99, expect packet loss"" ""PERF_MON - RTPERF_CPU_THRESHOLD_EXCEEDED [junos@2636.1.1.1.2.164 fpc-slot=""""0"""" pic-slot=""""0"""" current-value=""""93""""] FPC 0 PIC 0 CPU utilization exceeds threshold, current value = 93"" ""RT_FLOW - FLOW_RESOURCE_CHANGE [junos@2636.1.1.1.2.164 resource-name=""""session table"""" reason=""""is full""""] Flow resource session table is full"""

In addition, Juniper Networks recommends:

  • To capture all changes to the configuration.

  • To store logging information remotely.

Related Documentation