Configure Syslog Server on a Linux System for FIPS Mode

A secure Junos OS environment requires auditing of events and storing the events in a local audit file. The device simultaneously sends the recorded events to an external syslog server. The syslog server must have an SSH client with NETCONF support to receive the streamed syslog messages.

Use the configuration details to establish a session between your device and the audit server. During several activities, actively monitor the traffic that passes between the audit server and the device, and transfer the generated audit data to the audit server.

Ensure that the TOE Summary Specification (TSS) specifies the method of transferring the audit data to the external audit server and the provision of the trusted channel.

The NDcPP logs capture the following events:

  • Committed changes

  • System startup

  • Login and logout of users

  • Failure to establish an SSH session

  • Establishment or termination of an SSH session

  • Changes to the system time

  • Initiation of a system update

Configure Event Logging to a Remote Server

Configure event logging to a remote server when the remote system log server initiates the SSH connection to your device.

  1. Generate an RSA public key on the remote syslog server.

    The system provides a prompt to enter the desired passphrase and displays the storage locations for the syslog-monitor keypair.

  2. On your device, create a class named monitor that has permission to trace events.

  3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor keypair from the keypair file located on the remote syslog server.

  4. Set up NETCONF with SSH.

  5. Configure syslog to log all the messages at /var/log/messages.

  6. On the remote system log server, start the SSH agent (ssh-agent). The agent is required to simplify the handling of the syslog-monitor key.

  7. On the remote syslog server, add the syslog-monitor keypair to the ssh-agent.

    You will be prompted to enter the desired passphrase. Enter the same passphrase used in Step 1.

  8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.

  9. After establishing the NETCONF session, configure a system log events message stream. This RPC causes the NETCONF service to start transmitting messages over the established SSH connection.

    <rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>

  10. Examples of syslog messages are shown below. Monitor the event log received on the syslog server that the device generated for its admin actions. Examine the traffic passing between the audit server and the device to ensure that:

    • No one can view the data while it passes between the audit server and the device.

    • The audit server successfully receives the data.

    Match the local event logs with the remote event logs on the syslog server. Record the software (name, version) used on the audit server during testing.
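The following script is an added example, not part of the Junos documentation: it builds the step 9 RPC with NETCONF 1.0 end-of-message framing and performs the step 10 check that every event in the device's local audit log also reached the syslog server. The log lines are constructed samples, and the line layout and tag names are assumptions about typical Junos syslog output.

```python
"""Check that locally audited events reached the remote syslog server (step 10)
and build the NETCONF RPC that starts the stream (step 9)."""
import re
from typing import Dict, List

# Assumed Junos syslog layout: "Mon dd hh:mm:ss host process[pid]: message"
_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                   r"(?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")

# NETCONF 1.0 over SSH (RFC 4742) terminates every message with "]]>]]>".
NETCONF_EOM = "]]>]]>"


def syslog_stream_rpc(stream: str = "messages") -> str:
    """The RPC from step 9, framed so a NETCONF server will act on it."""
    return (f"<rpc><get-syslog-events><stream>{stream}</stream>"
            f"</get-syslog-events></rpc>{NETCONF_EOM}")


def normalize(line: str) -> str:
    """Keep only the fields both copies share: drop the pid, which the remote
    copy may lack, and collapse whitespace so formatting differences do not
    produce false mismatches."""
    m = _LINE.match(line.strip())
    if not m:
        return " ".join(line.split())
    proc = re.sub(r"\[\d+\]$", "", m["proc"])
    return f'{m["ts"]} {m["host"]} {proc} {" ".join(m["msg"].split())}'


def compare_audit_logs(local: List[str], remote: List[str]) -> Dict[str, List[str]]:
    """Events present locally but absent on the server, and vice versa.
    Order-independent, since streamed delivery may reorder bursts."""
    local_set = {normalize(l) for l in local if l.strip()}
    remote_set = {normalize(l) for l in remote if l.strip()}
    return {"missing_on_server": sorted(local_set - remote_set),
            "only_on_server": sorted(remote_set - local_set)}


# Constructed samples: the device's /var/log/messages and the server's copy.
LOCAL_LOG = [
    "Jan 10 10:15:02 device mgd[1234]: UI_COMMIT_COMPLETED: commit complete",
    "Jan 10 10:16:45 device sshd[2211]: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '192.0.2.5'",
    "Jan 10 10:17:01 device mgd[1234]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user'",
]
REMOTE_LOG = [
    "Jan 10 10:15:02 device mgd: UI_COMMIT_COMPLETED:  commit complete",
    "Jan 10 10:17:01 device mgd: UI_LOGIN_EVENT: User 'admin' login, class 'super-user'",
]

if __name__ == "__main__":
    print(syslog_stream_rpc())
    for kind, lines in compare_audit_logs(LOCAL_LOG, REMOTE_LOG).items():
        print(f"{kind}: {len(lines)}")
        for line in lines:
            print("  ", line)
```

Any entry under missing_on_server is an audit event the server never received and should be investigated before the test run is signed off.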

The following output shows test log results for the syslog server.

Net configuration channel

The following output shows the device-generated event logs that were received on the syslog server.

Net configuration channel

The following output shows that the local and remote syslogs are similar.