Example: Generate a Custom System Log Message
Junos OS commit scripts can generate custom system log messages during a commit operation to alert you when the configuration does not comply with custom configuration rules. The commit process is not affected by generating system log messages. This example creates a commit script that generates a custom system log message when a specific statement is not included in the device configuration.
Requirements
Junos OS Release 16.1R3 or later when using a Python script.
Overview and Commit Script
Using a commit script, write a custom system log message that
appears when the read-write
statement is not included at
the [edit snmp community community-name authorization]
hierarchy level.
The script is shown in XSLT, SLAX, and Python.
XSLT Syntax
<?xml version="1.0" standalone="yes"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:junos="http://xml.juniper.net/junos/*/junos" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm" xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0"> <xsl:import href="../import/junos.xsl"/> <xsl:template match="configuration"> <xsl:for-each select="snmp/community"> <xsl:if test="not(authorization) or (authorization != 'read-write')"> <xsl:variable name="community"> <xsl:call-template name="jcs:edit-path"/> </xsl:variable> <xsl:variable name="message" select="concat('SNMP community does not have read-write access: ', $community)"/> <syslog> <message> <xsl:value-of select="$message"/> </message> </syslog> </xsl:if> </xsl:for-each> </xsl:template> </xsl:stylesheet>
SLAX Syntax
version 1.0; ns junos = "http://xml.juniper.net/junos/*/junos"; ns xnm = "http://xml.juniper.net/xnm/1.1/xnm"; ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0"; import "../import/junos.xsl"; match configuration { for-each (snmp/community) { if ( not(authorization) or (authorization != "read-write")) { var $community = call jcs:edit-path(); var $message = "SNMP community does not have read-write access: " _ $community; <syslog> { <message> $message; } } } }
Python Syntax
from junos import Junos_Configuration import jcs def main(): root = Junos_Configuration for element in root.xpath("./snmp/community"): if element.find("authorization") is None or \ element.find("authorization").text != 'read-write': jcs.syslog("172", "SNMP community does not have read-write access: " + element.find('name').text) if __name__ == '__main__': main()
Configuration
Procedure
Step-by-Step Procedure
Download, enable, and test the script. To test that a
commit script generates a system log message correctly, make sure
that the candidate configuration contains the condition that elicits
the system log message. For this example, ensure that the read-write
statement is not included at the [edit snmp community community-name authorization]
hierarchy level.
To test the example in this topic:
Copy the script into a text file, name the file read-write.xsl, read-write.slax, or read-write.py as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
Note:Unsigned Python scripts must be owned by either root or a user in the Junos OS
super-user
login class, and only the file owner can have write permission for the file.In configuration mode, configure the
file
statement and the script filename at the[edit system scripts commit]
hierarchy level.[edit] user@host# set system scripts commit file read-write.xsl
If the script is written in Python, enable the execution of unsigned Python scripts.
[edit] user@host# set system scripts language python
Note:Configure the
language python3
statement to use Python 3 to execute Python scripts, or configure thelanguage python
statement to use Python 2.7 to execute Python scripts. For more information, see language.(Optional) To test the condition, if the
read-write
statement is included at the[edit snmp community community-name authorization]
hierarchy level for every community, temporarily delete the authorization for an existing SNMP community.[edit] user@host# delete snmp community community-name authorization read-write
Issue the following command to verify that system logging is configured to write to a file (a commonly used file name is messages):
[edit] user@host# show system syslog
For information about system log configuration, see the System Log Explorer.
Issue the
commit
command to commit the configuration.user@host# commit
Verification
Verifying Script Execution
Purpose
Verify the system log message generated by the commit script.
System log messages are generated during a commit operation
for Python, SLAX, and XSLT scripts, but they are only generated during
a commit check operation for Python scripts. This means you cannot
use the commit check | display xml
or commit check
| display detail
configuration mode commands to verify the output
of system log messages for SLAX and XSLT scripts.
Action
When the commit operation completes, inspect the system
log file. The default directory for log files is /var/log/. View the log file by issuing the show log filename
operational mode command. For example, if messages are logged
to the messages file, issue the following
command:
user@host> show log messages | match cscript
System log entries generated by commit scripts have the following format:
timestamp host-name cscript: message
Since the read-write
statement was not included
at the [edit snmp community community-name authorization]
hierarchy level, the commit script should generate
the “SNMP community does not have read-write access” message
in the system log file.
Jun 3 14:34:37 host-name cscript: SNMP community does not have read-write access: [edit snmp community community-name]