Turning On Logging
Problem
You want to monitor all systemwide operations by saving all log messages to a file on the router.
Solution
Use the following commands to save all log messages to a file called messages:
[edit] aviva@router1# set system syslog file messages any info
Discussion
The most common place to save system logging messages is on the router. If you do not configure logging, it is turned on by default and sends messages to the file messages (located in /var/log on M-series and T-series routers and in /cf/var/log on J-series routers). The messages logged are those from all facilities that have a severity notice and all authorization messages. If you were to configure the default settings, the configuration file would look like this:
[edit system syslog] file messages { any notice; authorization info; }
This recipe modifies the default so messages from all facilities (any) and all severities (info) are logged. Keep in mind that for a given severity level, the software logs all messages at that level and at all more serious levels, so when you specify the lowest severity level, info, you are in effect recording all system log messages except for debug messages. You could also specify any instead of info here.
When you want to review the system log messages, use the show log command. In all system log message files, the messages are listed in order, from oldest to newest. As the file gets large, you have to scroll through a lot of lines to get to the most recent messages. You can shorten the output by using some of the CLI command filters. For example, you can specify today's date and time to list only the most recent messages (match is simply the Unix grep utility):
aviva@router1> show log messages | match "Mar 9 11:5" Mar 9 11:54:31 router1 login: LOGIN_INFORMATION: User aviva logged in from host 172.17.28.19 on device ttyp1 Mar 9 11:54:34 router1 mgd[29108]: UI_DBASE_LOGIN_EVENT: User 'aviva' entering configuration mode Mar 9 11:56:13 router1 mgd[29108]: UI_DBASE_LOGOUT_EVENT: User 'aviva' exiting configuration mode Mar 9 11:57:52 router1 mgd[28332]: UI_DBASE_LOGOUT_EVENT: User 'aviva' exiting configuration mode
If you want to find out who has logged in to the router today, you can set up a chain of filters:
aviva@router1> show log messages | match LOGIN | match "Mar 16" Mar 16 11:00:53 router1 login: LOGIN_INVALID_LOCAL_USER: No entry in local password file for user pwd Mar 16 11:00:54 router1 login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM auhentication error for user pwd Mar 16 11:00:54 router1 login: LOGIN_FAILED: Login failed for user pwd from host Mar 16 11:00:55 router1 login: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyd0 Mar 16 21:57:59 router1 login: LOGIN_INFORMATION: User aviva logged in from host 172.17.28.108 on device ttyp0 Mar 16 21:58:04 router1 mgd[4102]: UI_DBASE_LOGIN_EVENT: User 'aviva' entering configuration mode
You can create multiple system logging files to track messages from different sources and of different severities. Instead of sifting through the messages file to find out what users and processes have been logging in to the router, you can configure a system logging file for only those activities.
[edit system syslog] aviva@router1# set file security authorization info
The following are examples of some of the logging messages that are saved as a result of this configuration:
aviva@router1> show log security Mar 18 01:53:41 router1 init: ntp (PID 4194) exit on SIGHUP, will be restarted to get the new config Mar 18 01:53:41 router1 init: ntp (PID 4644) started Mar 18 01:54:16 router1 login: LOGIN_INFORMATION: User aviva logged in from host 172.17.28.108 on device ttyp0 Mar 18 01:55:41 router1 init: ntp (PID 4644) exit on SIGHUP, will be restarted to get the new config Mar 18 01:55:41 router1 init: ntp (PID 5006) started
By default, only the root user and users with the JUNOS maintenance permission can read the contents of logfiles (see Recipe 2.10). If a number of people need to be able to read a system logfile, you should change the permission on the file. This is similar to the Unix chmod utility.
[edit system syslog] aviva@router1# set file messages archive world-readable aviva@router1# set file security archive world-readable
To verify that the file permissions have changed, use the file list detail command. The files are still owned by root, but they are readable by anyone.
aviva@router1> file list detail /var/log -rw-rw-r-- 1 root wheel 5883 Mar 18 02:00 messages -rw-rw-r-- 1 root wheel 17638 Mar 18 02:01 security
See Also
Recipe 2.10