Configure Syslog Server on a Linux System for FIPS Mode

A secure Junos OS environment requires auditing of events and storing the events in a local audit file. The device simultaneously sends the recorded events to an external syslog server over an SSH connection, which serves as the trusted channel. The syslog server must run an SSH client with Network Configuration Protocol (NETCONF) support to receive the streamed syslog messages.

Use the configuration details below to establish a session between the target of evaluation (TOE) and the audit server. Perform various device actions, monitor the traffic that passes between the audit server and the device, and confirm that the generated audit data is transferred to the audit server.

Ensure that the TOE summary specification (TSS) defines the method of transferring the audit data to the external audit server and the provision of the trusted channel.

The audit log required for Network Device Collaborative Protection Profile (NDcPP) compliance captures the following events:

  • Committed changes

  • System startup

  • Login and logout of users

  • Failure to establish an SSH session

  • Establishment or termination of an SSH session

  • Changes to the system time

  • Initiation of a system update

Configure event logging for a remote syslog server when the server initiates an SSH connection to the TOE.

  1. Generate an RSA key pair on the remote syslog server.

    The system prompts you to enter a passphrase and displays the storage locations for the syslog-monitor key pair.

  2. On your device, create a login class named monitor that has the trace permission.

  3. Create a user named syslog-mon in the class monitor, with authentication credentials that use the syslog-monitor public key from the key file located on the remote syslog server.

  4. Set up NETCONF over SSH.

  5. Configure syslog to log all messages to /var/log/messages.

  6. On the remote syslog server, start the SSH agent (ssh-agent). This step is required to manage the syslog-monitor key.

  7. On the remote syslog server, add the syslog-monitor key to the ssh-agent.

    You are prompted for a passphrase. Enter the passphrase that you entered in Step 1.

  8. From the external syslog server session, establish an SSH tunnel to the device and start a NETCONF session.

  9. After establishing the NETCONF session, configure a system log events message stream. This RPC causes the NETCONF service to start transmitting messages over the established SSH connection:

    <rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>

  10. Monitor the event log that the syslog server receives for the admin actions performed on the device. You can find examples of syslog messages below. Examine the traffic passing between the syslog server and the device to:

    • Confirm that the data cannot be read in transit between the audit server and the device.

    • Confirm that the audit server receives the data.

    Match the local event logs with the remote event logs on the syslog server. Record the name and version of the software used on the syslog server during testing.
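As an added example (not code from the page or from Juniper), the procedure above as a small POSIX shell script run on the Linux syslog server: it generates the key pair (Step 1), prints the Junos set commands for Steps 2 to 5 with the public key filled in, and then loads the key into ssh-agent, opens the NETCONF subsystem over SSH as syslog-mon and sends the RPC from Step 9, recording everything received for the Step 10 comparison. The device name device.example.net, the key path ~/.ssh/syslog-monitor, the log file name and the 2048-bit key size are assumptions; the Junos set commands are the standard CLI statements for a login class, a user with an SSH public key, the NETCONF-over-SSH service and a syslog file.

```shell
#!/bin/sh
# Added example, not from the Juniper page: syslog-server side of the procedure
# plus the Junos set commands for Steps 2-5. Device name, user name, key path
# and log file name are assumptions.

DEVICE="${DEVICE:-device.example.net}"          # assumed Junos device (the TOE)
KEY="${KEY:-$HOME/.ssh/syslog-monitor}"          # assumed private key path
STREAM_LOG="${STREAM_LOG:-./syslog-stream.log}"  # assumed file for received events

# Step 1: generate the syslog-monitor RSA key pair on the syslog server.
# ssh-keygen prompts for a passphrase and prints where it stored the key pair.
generate_keypair() {
    ssh-keygen -t rsa -b 2048 -C "syslog-monitor key pair" -f "$KEY"
}

# Steps 2-5: Junos set commands to enter in configuration mode on the device.
# $1 is the public key line from "$KEY.pub" (key type, base64 blob, comment).
junos_config() {
    pubkey="$1"
    printf '%s\n' \
        'set system login class monitor permissions trace' \
        "set system login user syslog-mon class monitor authentication ssh-rsa \"$pubkey\"" \
        'set system services netconf ssh' \
        'set system syslog file messages any any' \
        'commit'
}

# Step 9: NETCONF 1.0 exchange. Every message ends with the ]]>]]> delimiter;
# the client hello announces base:1.0, then the get-syslog-events RPC follows.
netconf_stream_request() {
    printf '%s\n' \
        '<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities><capability>urn:ietf:params:netconf:base:1.0</capability></capabilities></hello>' \
        ']]>]]>' \
        '<rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>' \
        ']]>]]>'
}

# Steps 6-8: start ssh-agent, add the key (prompts for the Step 1 passphrase),
# then open the NETCONF subsystem over SSH as syslog-mon and send the request.
# "cat" keeps stdin open so the SSH session stays up while events stream in;
# tee records everything received for the local/remote comparison in Step 10.
start_stream() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$KEY"
    { netconf_stream_request; cat; } | \
        ssh -i "$KEY" -s "syslog-mon@$DEVICE" netconf | tee -a "$STREAM_LOG"
}

# Usage: sh syslog-monitor.sh keygen | config | stream
case "${1:-}" in
    keygen) generate_keypair ;;
    config) junos_config "$(cat "$KEY.pub")" ;;
    stream) start_stream ;;
esac
```

Run `keygen` on the syslog server, paste the output of `config` into the device's configuration mode, then run `stream`; the stream log is what you diff against the device's /var/log/messages in Step 10. The ssh-agent steps are kept because the procedure calls for them, although `ssh -i` alone would also authenticate with the key.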

The following example shows the test log results for syslog server.

The following example shows test log results for the NETCONF channel.

The following example shows the device-generated event logs that the syslog server receives.


The following output shows that the local and remote syslogs are similar.