Event Log in FIPS Mode
Learn to analyze the event logs in FIPS mode.
Event Log in FIPS Mode Overview
An event log refers to a detailed record of security-related events that occur within an information system. These logs typically capture a variety of information, such as system messages, security events, application events, and user activities. Event logs are critical for monitoring, diagnosing, and troubleshooting issues, as well as for ensuring security and compliance.
The evaluated configuration requires the auditing of configuration changes through the system log. In addition, Junos OS can:
- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
The log for the evaluated configuration must capture the events listed in Table 1, which shows sample syslog entries for NDcPPv2.2e auditing:
Requirement | Auditable Events | Additional Audit Record Contents | How Event Is Generated |
---|---|---|---|
FAU_GEN.1 | None | None | |
FAU_GEN.2 | None | None | |
FAU_STG_EXT.1 | None | None | |
FAU_STG.1 | None | None | |
FCS_CKM.1 | None | None | |
FCS_CKM.2 | None | None | |
FCS_CKM.4 | None | None | |
FCS_COP.1/DataEncryption | None | None | |
FCS_COP.1/SigGen | None | None | |
FCS_COP.1/Hash | None | None | |
FCS_COP.1/KeyedHash | None | None | |
FCS_RBG_EXT.1 | None | None | |
FDP_RIP.2 | None | None | |
FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (for example, IP address) | sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator' Login lockout configuration details: [edit] root@host:fips# run show system login lockout User Lockout start Lockout end security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST Log for the login lockout configuration: Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins Status of the session closed after the lockout period: ssh security-administrator@host Password: Connection closed by 10.209.21.170 port 22 Log for the closed session after lockout period: Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked. Establishes the session through the console as the root user during lockout period: login: security-administrator Password: Last login: Tue Jan 10 15:01:43 on ttyu0 --- JUNOS 22.4R2.8 Kernel 64-bit JNPR-12.1-20230321.be5f9c0_buil security-administrator@bm-a:fips> [edit] root@host:fips# run show system users 3:04PM up 4 days, 3:59, 2 users, load averages: 0.28, 0.21, 0.22 USER TTY FROM LOGIN@ IDLE WHAT security-a u0 - 3:03PM - -cli (cli) Log for the session established through the console as the root user during lockout period: Jan 10 15:03:52 host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0 |
FIA_PMG_EXT.1 | None | None | |
FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (for example, IP address) | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (for example, IP address) | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU.7 | None | None | |
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate' |
FMT_MTD.1/CoreData | All management activities of TSF data | None | Refer to the audit events listed in this table. |
FMT_SMF.1/IPS | None | None | None |
FMT_SMF.1/ND | None | None | None |
FMT_SMR.2 | None | None | |
FPT_SKP_EXT.1 | None | None | |
FPT_APW_EXT.1 | None | None | |
FPT_TST_EXT.1 | None | None | Enter Note: If there is a self-test error, you can recover the device via USB recovery. If USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/). |
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate' |
FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed through an automated process. | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (such as IP address). | mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 ' mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed Note: We are not claiming NTP as a part of the FPT_STM_EXT.1 SFR. However, in our configuration guide, we activate or deactivate NTP services to validate MACsec tolerance and MACsec keychain. |
FTA_SSL_EXT.1 (if terminate the session is selected) | The termination of a local interactive session by the session locking mechanism | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.3 | The termination of a remote session by the session locking mechanism | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.4 | The termination of an interactive session | None | mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout |
FTA_TAB.1 | None | None | |
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc |
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc |
FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate | Reason for failure | verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProduction TestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
FIA_X509_EXT.2 | None | None | |
FIA_X509_EXT.3 | None | None | |
FMT_MOF.1/Functions | Modification of the transmission behavior of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full. | None | mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately init - - - network-security (PID 72907) terminated by signal number 9! init - - - network-security (PID 72929) started |
FMT_MOF.1/Services | Starting and stopping of services | None | |
FMT_MTD.1/CryptoKeys | Management of cryptographic keys. | None | SSH key ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4 ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0 IPSEC keys pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1 pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2 |
FCS_IPSEC_EXT.1 | Session Establishment with peer | Entire packet contents of packets transmitted/received during session establishment | user@host:fips# run show log iked \| no-more \| grep vpn Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) user@host:fips# run show log iked \| no-more \| grep success Jun 14 10:40:49.278061 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45109,local-ip=none,remote-ip=none Jun 14 10:40:49.290742 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] atec-validate-migrate for ed (0x2c09028) success in remote id validation Jun 14 10:40:49.291392 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255) Jun 14 10:40:49.291656 [EXT] [TUNL] [20.1.1.1 <-> 20.1.1.2] ike_tunnel_anchor_node_tunnel_add: Anchor tunnel add for tunnel 500009: success total tunnel adds:9 Jun 14 10:40:49.291682 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x8a45e874) Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) Jun 14 10:40:49.292404 [TER] [PEER] [20.1.1.1 <-> 20.1.1.2] IKE: Gateway N:IKE_GW L:20.1.1.1:500 R:20.1.1.2:500 Successful ike-id:20.1.1.2 U:N/A IKE:IKEv2 Role:R Jun 14 10:40:49.294256 [DET] [DIST] [20.1.1.1 <-> 20.1.1.2] ike_dist_ipsec_tunnel_info_add: IPsec distribution tunnel info add to db successful Tunnel Id:500009 Client Id:20 Instance:0 Jun 14 10:40:49.295072 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 Jun 14 10:40:49.295292 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.21 Jun 14 10:40:49.296004 [DET] [STER] [20.1.1.1 <-> 20.1.1.2] Successfully modified st0 next hop meta data for tunnel 500009 Jun 14 10:40:49.297336 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 Jun 14 10:42:24.328902 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45111,local-ip=none,remote-ip=none Jun 14 10:42:24.332381 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0 Jun 14 10:42:24.333295 [DET] [PUBL] [20.1.1.1 <-> 20.1.1.2] publish-ike-sa successful for ike-sa-index 11282 ike-sa 0x21dec24 Jun 14 10:42:29.316880 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255) Jun 14 10:42:29.316889 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSr: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(30.1.1.0-30.1.1.255) N:ipv4(30.1.1.0-30.1.1.255) Jun 14 10:42:29.317147 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x80eeab18) Jun 14 10:42:29.317178 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x80eeab18) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) Jun 14 10:42:29.320369 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45113,local-ip=none,remote-ip=none Jun 14 10:42:29.323800 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0 Jun 14 10:42:29.325513 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 |
FIA_X509_EXT.1 | Session establishment with CA | Entire packet contents of packets transmitted/received during session establishment | kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" argument1="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static |
FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. | [edit] root@host:fips# run show firewall Filter: __default_bpdu_filter__ Filter: fw_filter1 Counters: Name Bytes Packets inc1 0 0 inc2 840 10 [edit] root@host:fips# [edit] root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 11:05:31 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:30 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:29 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:28 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 11:19:59 pfe R st0.1 TCP 30.1.1.1 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 13:00:18 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:17 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:16 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:15 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 13:00:45 pfe A ge-0/0/4.0 TCP 30.1.1.5 10.1.1.1 |
 | Indication of packets dropped due to too much network traffic | TOE interface that is unable to process packets | RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-name="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="Denied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A |
In addition, we recommend:
- Capture all changes to the configuration.
- Store log information remotely.
For more information about log details, see Specifying Log File Size, Number, and Archiving Properties.
Interpret Event Messages
The following output shows a sample event message.
```
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-super-user' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'run show log Audit_log | grep LOGIN
```
Table 2 describes the fields for an event message. If the system logging utility cannot determine the value in a particular field, a hyphen (-) appears instead.
Field | Description | Examples |
---|---|---|
timestamp | Time when the message was generated, in one of two representations. | Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T09:17:15.719Z is 2:33 AM UTC on 27 Feb 2012. |
hostname | Name of the host that originally generated the message. | router1 |
process | Name of the Junos OS process that generated the message. | mgd |
process ID | UNIX process ID (PID) of the Junos OS process that generated the message. | 4153 |
TAG | The Junos OS system log message tag, which uniquely identifies the message. | UI_DBASE_LOGOUT_EVENT |
username | Username of the user initiating the event. | "admin" |
message text | English-language description of the event. | set: [system radius-server 1.2.3.4 secret] |
Log Changes to Secret Data
The following are examples of audit logs for events that change secret data. Whenever secret data is set in the configuration, as in this example, the syslog should capture the following logs:
```
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]
```
Whenever a configuration update happens, the syslog should capture these logs:
```
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
```
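The following is an added example, not code from the Junos OS documentation: a parser that splits syslog lines into the Table 2 fields (timestamp, hostname, process, PID, TAG, username, message text) and then picks out the UI_CFG_AUDIT_SET_SECRET changes shown above so that secret-data modifications can be reviewed separately from the rest of the audit trail. It assumes the message layout of the samples on this page; the sample lines are taken from the page except the last, which is constructed to exercise the ISO-8601 timestamp form, and the field labels are descriptive names rather than Junos identifiers.

```python
"""Added example: parse Junos OS syslog lines into Table 2 fields and extract
UI_CFG_AUDIT_SET_SECRET changes. Assumes the layout
'timestamp hostname process[pid]: TAG: message-text' shown on the page."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timestamp is either "Feb 27 02:33:04" (local time) or "2012-02-27T09:17:15.719Z" (UTC).
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?:(?P<tag>[A-Z][A-Z0-9_]+):\s+)?"  # TAG is absent on plain sshd/syslogd lines
    r"(?P<message>.*)$"
)
# mgd messages name the user as "User 'x'"; sshd messages as "for x from ...".
USER_RES = (re.compile(r"\b[Uu]ser '(?P<user>[^']+)'"),
            re.compile(r"\bfor (?P<user>\S+) from\b"))
# "set: [path]" / "replace: [path]" inside a UI_CFG_AUDIT_SET_SECRET message.
SECRET_RE = re.compile(r"(?P<op>\w+): \[(?P<path>[^\]]+)\]")

# Sample input: lines from this page plus one constructed ISO-timestamp line.
SAMPLE_LOG = """\
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-super-user' [6520], ssh-connection '', client-mode 'cli'
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
2012-02-27T09:17:15.719Z router1 mgd[4153]: UI_DBASE_LOGOUT_EVENT: User 'admin' exiting configuration mode
"""


@dataclass
class Event:
    timestamp: str
    hostname: str
    process: str
    pid: Optional[int]       # None when the process printed no "[pid]"
    tag: Optional[str]       # None when the line carries no Junos TAG
    username: Optional[str]  # None when no user is named in the message
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into Table 2 fields; None if it is not in that layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = None
    for rx in USER_RES:
        um = rx.search(m["message"])
        if um:
            user = um["user"]
            break
    return Event(m["timestamp"], m["hostname"], m["process"],
                 int(m["pid"]) if m["pid"] else None, m["tag"], user, m["message"])


def parse_log(text: str) -> List[Event]:
    """Parse every line that matches; unparseable lines are skipped."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def events_by_tag(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events by TAG; untagged lines are filed under '-' as Table 2 prints them."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        groups[ev.tag or "-"].append(ev)
    return dict(groups)


def secret_changes(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(username, operation, configuration path) for each UI_CFG_AUDIT_SET_SECRET event."""
    out: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.tag != "UI_CFG_AUDIT_SET_SECRET":
            continue
        sm = SECRET_RE.search(ev.message)
        if sm:
            out.append((ev.username or "-", sm["op"], sm["path"]))
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for tag, evs in sorted(events_by_tag(events).items()):
        print(f"{tag}: {len(evs)} event(s)")
    for user, op, path in secret_changes(events):
        print(f"secret changed by {user}: {op} [{path}]")
```

The parser deliberately tolerates lines without a TAG or PID (plain sshd and syslogd output), because those appear alongside mgd messages in the same audit file; a stricter regex would silently drop the SSH failures that the next section relies on.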
Login and Logout Events Using SSH
System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. The system also records the logout events. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:
```
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit '
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
```
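As an added example (not from the Junos OS documentation), the following script reads the sshd lines of this kind and reports two things a reviewer of the audit log wants: streaks of consecutive failures for the same user and source that reach the FIA_AFL.1 threshold of three shown in Table 1, and successful logins that were preceded by failures, like the 'op' session above. The first four sample lines are from the page; the remaining lines are constructed so that the threshold is actually reached. The threshold value and the record layout returned are assumptions of this example.

```python
"""Added example: flag SSH authentication-failure streaks and successes that
follow failures in Junos syslog lines. Threshold 3 mirrors the FIA_AFL.1 sample."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches the sshd "Failed <method> for <user> from <src> port <port> ssh2" and
# "Accepted ..." forms seen on this page; mgd lines deliberately do not match.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)

SAMPLE_LINES = [
    # From the page: two failures, then a success, then the mgd login record
    "Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'",
    # Constructed: three consecutive failures from another source reach the threshold
    "Dec 20 23:20:01 bilbo sshd[16702]: Failed password for security-administrator from 192.0.2.10 port 50122 ssh2",
    "Dec 20 23:20:05 bilbo sshd[16702]: Failed password for security-administrator from 192.0.2.10 port 50122 ssh2",
    "Dec 20 23:20:09 bilbo sshd[16702]: Failed password for security-administrator from 192.0.2.10 port 50122 ssh2",
]


def scan_ssh_auth(lines: List[str], threshold: int = 3) -> Tuple[List[Dict], List[Dict]]:
    """Return (threshold_alerts, successes_after_failures).

    A streak is counted per (user, source) and reset by an accepted login, which
    is also reported when it ends a non-empty streak."""
    streaks: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Dict] = []
    late_successes: List[Dict] = []
    for line in lines:
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            streaks[key] += 1
            if streaks[key] == threshold:  # report once, when the limit is hit
                alerts.append({"time": m["ts"], "user": m["user"],
                               "source": m["src"], "failures": streaks[key]})
        else:
            if streaks[key] > 0:
                late_successes.append({"time": m["ts"], "user": m["user"],
                                       "source": m["src"], "prior_failures": streaks[key]})
            streaks[key] = 0
    return alerts, late_successes


if __name__ == "__main__":
    alerts, late = scan_ssh_auth(SAMPLE_LINES)
    for a in alerts:
        print(f"{a['time']} threshold reached: {a['user']} from {a['source']} ({a['failures']} failures)")
    for s in late:
        print(f"{s['time']} success after {s['prior_failures']} failure(s): {s['user']} from {s['source']}")
```

Keying the streak on both user and source keeps one noisy client from masking another; the device's own SSHD_LOGIN_ATTEMPTS_THRESHOLD and LIBJNX_LOGIN_ACCOUNT_LOCKED messages in Table 1 remain the authoritative record, and this scan is a cross-check against a collected copy of the log.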
Logging of Audit Startup
The audit information logged includes startups of Junos OS. These logs identify the startup events of the audit system, which you cannot independently disable or enable. For example, when Junos OS restarts, the audit log contains the following information:
```
Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel: Dec 20 23:17:53 init: syslogd (PID 19200) started
```