Example: Generating a Custom System Log Message
Junos OS commit scripts can generate custom system log messages during a commit operation to alert you when the configuration does not comply with custom configuration rules. The commit process is not affected by generating system log messages. This example creates a commit script that generates a custom system log message when a specific statement is not included in the device configuration.
Requirements
Junos OS Release 16.1R3 or later when using a Python script.
Overview and Commit Script
Using a commit script, write a custom system log message that appears when the read-write statement is not included at the [edit snmp community community-name authorization] hierarchy level.
The script is shown in XSLT, SLAX, and Python.
XSLT Syntax
<?xml version="1.0" standalone="yes"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:junos="http://xml.juniper.net/junos/*/junos" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm" xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0"> <xsl:import href="../import/junos.xsl"/>
<xsl:template match="configuration"> <xsl:for-each select="snmp/community"> <xsl:if test="not(authorization) or (authorization != 'read-write')"> <xsl:variable name="community"> <xsl:call-template name="jcs:edit-path"/> </xsl:variable> <xsl:variable name="message" select="concat('SNMP community does not have read-write access: ', $community)"/> <syslog> <message> <xsl:value-of select="$message"/> </message> </syslog> </xsl:if> </xsl:for-each> </xsl:template> </xsl:stylesheet>
SLAX Syntax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
match configuration {
for-each (snmp/community) {
if ( not(authorization) or (authorization != "read-write")) {
var $community = call jcs:edit-path();
var $message = "SNMP community does not have read-write access: " _ $community;
<syslog> {
<message> $message;
}
}
}
}
Python Syntax
from junos import Junos_Configuration
import jcs
def main():
root = Junos_Configuration
for element in root.xpath("./snmp/community"):
if element.find("authorization") is None or \
element.find("authorization").text != 'read-write':
jcs.syslog("172", "SNMP community does not have read-write access: "
+ element.find('name').text)
if __name__ == '__main__':
main()
Configuration
Step-by-Step Procedure
Download, enable, and test the script. To test that a commit script generates a system log message correctly, make sure that the candidate configuration contains the condition that elicits the system log message. For this example, ensure that the read-write statement is not included at the [edit snmp community community-name authorization] hierarchy level.
To test the example in this topic:
- Copy the script into a text file, name the file
read-write.xsl,read-write.slax, orread-write.pyas appropriate, and copy it to the/var/db/scripts/commit/directory on the device.Note Unsigned Python scripts must be owned by either root or a user in the Junos OS super-user login class, and only the file owner can have write permission for the file.
- In configuration mode, configure the file statement
and the script filename at the [edit system scripts commit] hierarchy level.[edit]user@host# set system scripts commit file read-write.xsl
- If the script is written in Python, enable the execution
of unsigned Python scripts.[edit]user@host# set system scripts language python
Note The language python statement executes scripts using Python 2.7. To use Python 3 to execute Python scripts on devices running Junos OS Release 19.4R1 or later, configure the language python3 statement instead.
- (Optional) To test the condition, if the read-write statement is included at the [edit snmp community community-name authorization] hierarchy level for
every community, temporarily delete the authorization for an existing
SNMP community.[edit]user@host# delete snmp community community-name authorization read-write
- Issue the following command to verify that system logging
is configured to write to a file (a commonly used file name is
messages):[edit]user@host# show system syslogFor information about system log configuration, see the System Log Explorer.
- Issue the commit command to commit the configuration.user@host# commit
Verification
Verifying Script Execution
Purpose
Verify the system log message generated by the commit script.
System log messages are generated during a commit operation for Python, SLAX, and XSLT scripts, but they are only generated during a commit check operation for Python scripts. This means you cannot use the commit check | display xml or commit check | display detail configuration mode commands to verify the output of system log messages for SLAX and XSLT scripts.
Action
When the commit operation completes, inspect the system
log file. The default directory for log files is /var/log/. View the log file by issuing the show log filename operational mode command. For example, if messages are logged
to the messages file, issue the following
command:
System log entries generated by commit scripts have the following format:
timestamp host-name cscript: message
Since the read-write statement was not included at the [edit snmp community community-name authorization] hierarchy level, the commit script should generate the “SNMP community does not have read-write access” message in the system log file.
Jun 3 14:34:37 host-name cscript: SNMP community does not have read-write access: [edit snmp community community-name]