Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Sample Syslog Server Configuration on a Linux System

A secure Junos OS environment requires auditing of events and storing them in a local audit file. The recorded events are simultaneously sent to an external syslog server. A syslog server receives the syslog messages streamed from the device. The syslog server must have an SSH client with NETCONF support configured to receive the streamed syslog messages.

Use the configuration details and establish a session between the target of evaluation (TOE) and the audit server. Examine the traffic that passes between the audit server and the TOE during several activities, and the generated audit data to be transferred to the audit server.

Examine the TOE Summary Specification (TSS) to ensure that it specifies the means by which the audit data is transferred to the external audit server and how the trusted channel is provided.

The NDcPP logs capture the following events:

  • Committed changes

  • System startup

  • Login and logout of users

  • Failure to establish an SSH session

  • Establishment or termination of an SSH session

  • Changes to the system time

  • Initiation of a system update

To configure event logging to a remote server when the SSH connection to the ToE is initiated from the remote system log server.

  1. Generate an RSA public key on the remote syslog server.

    You will be prompted to enter the desired pass phrase. The storage locations for the syslog-monitor key pair is displayed.

  2. On the TOE, create a class named monitor that has permission to trace events.

  3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor key pair from the key pair file located on the remote syslog server.

  4. Set up NETCONF with SSH.

  5. Configure syslog to log all the messages at /var/log/messages..

  6. On the remote system log server, start up the SSH agent ssh-agent. The start up is required to simplify the handling of the syslog-monitor key.

  7. On the remote syslog server, add the syslog-monitor key pair to the ssh-agent.

    You will be prompted to enter the desired passphrase. Enter the same passphrase used in Step 1.

  8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.

  9. After NETCONF is established, configure a system log events message stream. This RPC will cause the NETCONF service to start transmitting messages over the SSH connection that is established.

    <rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>

  10. The examples for syslog messages are listed below. Monitor the event log generated for admin actions on TOE are received on syslog server. Examine the traffic that passes between the audit server and the TOE, observing that these data are not viewed during this transfer, and that they are successfully received by the audit server. Match the logs between local event logging and remote event logged in syslog server and record the particular software (name, version) used on the audit server during testing.

The following output shows test log results for syslog-server.

Net configuration channel

The following output shows event logs generated on the TOE that are received on the syslog server.

Net configuration channel

The following output shows that the local syslogs and remote syslogs received were similar.