
Configuring Event Logging for Junos OS in FIPS Mode


The system log (syslog) files record system events in Junos OS.

Best Practice

Because of the sensitive nature of the information used to configure and operate a system running Junos OS in FIPS mode, we recommend that you, as Crypto Officer, log certain events and examine the logs frequently.

For Junos OS in FIPS mode, we recommend that you, as Crypto Officer, configure the system log to record the following events. You can log more types of information, but these events are particularly important in the Junos OS in FIPS mode environment.

  • All authorization events—stored in /var/log/authlog and /var/log/auditlog

  • All interactive commands and configuration change events, including secrets—stored in /var/log/auditlog

  • All events of moderate severity—stored in /var/log/messages

In Junos OS in FIPS mode, the actual secrets themselves are not logged. When Junos OS encounters secret information that it would ordinarily log, it replaces the secret with the token /* SECRET-DATA */. For example, a secret string entered as part of a command line is not written to the log; the token /* SECRET-DATA */ appears in its place.

The system log configuration recommended for Junos OS in FIPS mode is given in the two procedures that follow. You can configure the system to log events to a local file, to a remote server, or to both:

Configuring Event Logging to a Local File

To configure the system to store the recommended information for Junos OS in FIPS mode, you create log files on the router called authlog, auditlog, and messages.

(You can also store event logs on a secure, remote server. For details, see Configuring Event Logging to a Remote Server.)

To configure the system to log the recommended events to local files on the router in the /var/log/ directory:

  1. Log in to the router with your Crypto Officer password if you have not already done so, and enter configuration mode.
  2. Configure a file named authlog to store informational messages from the authorization system in /var/log/authlog on the router.
  3. Configure a file named auditlog to store informational messages from the authorization system, all configuration changes, and all commands entered through the CLI (with any secrets replaced by the /* SECRET-DATA */ token) in /var/log/auditlog on the router.
  4. Configure a file named messages to store notices of all events of moderate severity in /var/log/messages on the router.
  5. If you are finished configuring the router, commit the configuration and exit configuration mode.

To view the contents of the log files, use the show log operational mode command followed by the file name (authlog, auditlog, or messages).
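The complete local-file procedure above, expressed as Junos CLI statements, together with the commands for viewing the resulting files. This is an added worked example, not configuration taken from the original page; it assumes a generic user@host prompt and uses the file names authlog, auditlog, and messages that the procedure specifies. The show configuration output is included so you can check the committed result against the three recommended event classes.

```junos
user@host> configure

[edit]
user@host# set system syslog file authlog authorization info
user@host# set system syslog file auditlog authorization info
user@host# set system syslog file auditlog interactive-commands any
user@host# set system syslog file auditlog change-log any
user@host# set system syslog file messages any notice
user@host# commit and-quit

user@host> show configuration system syslog
file authlog {
    authorization info;
}
file auditlog {
    authorization info;
    interactive-commands any;
    change-log any;
}
file messages {
    any notice;
}

user@host> show log authlog
user@host> show log auditlog
user@host> show log messages
```

The authorization facility at severity info covers the authorization events; interactive-commands at severity any records every command entered through the CLI, and change-log at severity any records every configuration change, which together make up the audit trail in /var/log/auditlog; the messages file uses the facility any at severity notice so that it receives events of moderate severity and above from every facility. Commands containing secrets still appear in auditlog, but with the secret replaced by the /* SECRET-DATA */ token.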

Configuring Event Logging to a Remote Server

In addition to storing log files in the local /var/log/ directory on the router (see Configuring Event Logging to a Local File), you can export the information in system log files to a secure, remote server.

Best Practice

We recommend that you store system log files remotely.

To configure the system to log the recommended events to a remote host:

  1. Log in to the router with your Crypto Officer password if you have not already done so, and enter configuration mode.
  2. Configure the system to send informational messages from the authorization system to a remote host, for example, a host named Secure-Audit-Server.
  3. Configure the system to send all configuration changes and all commands entered through the CLI (with any secrets replaced by the /* SECRET-DATA */ token) to the remote host Secure-Audit-Server.
  4. Configure the system to send all notices of events of moderate severity to the remote host Secure-Audit-Server.
  5. If you are finished configuring the router, commit the configuration and exit configuration mode.
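The complete remote-server procedure above, expressed as Junos CLI statements. This is an added worked example, not configuration taken from the original page; it assumes a generic user@host prompt and uses the host name Secure-Audit-Server that the procedure uses as its example. The show configuration command at the end lets you confirm that the committed host stanza carries the same three event classes as the local files.

```junos
user@host> configure

[edit]
user@host# set system syslog host Secure-Audit-Server authorization info
user@host# set system syslog host Secure-Audit-Server interactive-commands any
user@host# set system syslog host Secure-Audit-Server change-log any
user@host# set system syslog host Secure-Audit-Server any notice
user@host# commit and-quit

user@host> show configuration system syslog host Secure-Audit-Server
authorization info;
interactive-commands any;
change-log any;
any notice;
```

The host name given in the syslog host statement must be resolvable by the router, for example through a configured name server or a static host mapping under system static-host-mapping; otherwise specify the remote server's IP address in place of the name. Because this configuration is added alongside the local files rather than replacing them, the router keeps its local copies in /var/log/ as well, which is what the Best Practice above intends.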
