Configuring Audit Log Options in the Evaluated Configuration

The syslog functionality on NFX starts during system boot.

The syslog service cannot be started or stopped by user configuration.

The local logs are automatically overwritten according to configurable limits on storage volume. The default maximum size is 1 MB, which can be modified by the user, using the “size” argument for the “set system syslog file <filename> archive” CLI command.

The Junos OS defines an active log file and a number of “archive” files (10 by default, but configurable from 1 to 1000). When the active log file reaches its maximum size, the logging utility closes the file, compresses it, and names the compressed archive file ‘logfile.0.gz’. The logging utility then opens and writes to a new active log file. When the new active log file reaches the configured maximum size, ‘logfile.0.gz’ is renamed ‘logfile.1.gz’, and the active log file is closed, compressed, and renamed ‘logfile.0.gz’. When the maximum number of archive files is reached and when the size of the active file reaches the configured maximum size, the contents of the oldest archived file are deleted so the current active file can be archived.

The following section describes how to configure audit log options in the evaluated configuration.

Configuring Audit Log Options for NFX Device

Only administrators are authorized to delete locally stored audit data. To configure audit log options for an NFX device:

  1. Specify the number of files to be archived in the system logging facility.
  2. Specify the file in which to log data.
  3. Specify the size of files to be archived.
  4. Log system messages in a structured format.

    If the 'structured-data' option is configured, the year field is included in the audit log messages.

  5. Configure the time format settings.

    Use the millisecond and/or year options to include them as part of the timestamps.

    Note:

    The year field must be configured for CC compliance.

  6. (Optional) Log messages that match a set of values or a pattern.

    Note:

    A 1GB syslog file takes approximately 0.25GB of storage when archived. Syslog files can consume all of the storage allocated to the /var filesystem, which is 3.9 GB for NFX platforms. However, when this filesystem reaches 92% storage capacity, an event is raised to the administrator, but the event process (being a privileged process) can still continue using the reserved storage blocks. This allows the syslog to continue storing events while the administrator frees the storage. If the administrator does not free the storage in time and the /var filesystem storage becomes exhausted, a final entry is recorded in the log reporting “No space left on device” and logging is terminated.

  7. View the local audit data.
  8. Clear the local audit data.
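
The steps above written out as Junos CLI commands, added here as an example and not taken from the original page. The file name audit-log and the archive values (10 files, 10 MB each) are assumed for illustration.

```junos
# Configuration mode. The file name "audit-log" and the sizes are assumed values.
# Steps 1-3: keep 10 archive files, log all facilities and severities,
# and rotate the active file when it reaches 10 MB.
set system syslog archive files 10
set system syslog file audit-log any any
set system syslog file audit-log archive size 10m
# Step 4: structured-data format (the year is then included in each message).
set system syslog file audit-log structured-data
# Step 5: include the year (required for CC compliance) and milliseconds in timestamps.
set system syslog time-format year millisecond
# Step 6 (optional): uncomment and supply a pattern to filter what is logged.
# set system syslog file audit-log match "<regular-expression>"
commit

# Operational mode.
# Steps 7-8: view, then clear (administrators only), the local audit data.
show log audit-log
clear log audit-log
# Check /var usage against the 92% threshold described in the note above.
show system storage
```

With the compression ratio quoted in the note (an archived file takes roughly a quarter of its original size), these assumed values use about 10 MB for the active file plus 10 × 2.5 MB for the archives, around 35 MB of the 3.9 GB /var filesystem.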