Tracing General Authentication Service Processes
The Junos OS trace operations feature tracks general authentication service operations and records events in a log file. By default, the tracing operation is inactive. To trace general authentication service processes, you specify flags in the traceoptions statement at the [edit system processes general-authentication-service] hierarchy level. The default tracing behavior is the following:
- Important events are logged in a file located in the /var/log directory. By default, the router uses the filename, authd. You can specify a different filename, but you cannot change the directory (/var/log) in which trace files are located.
- When the trace log file filename reaches 128 kilobytes (KB), it is compressed and renamed filename.0.gz. Subsequent events are logged
in a new file called filename, until
it reaches capacity again. At this point, filename.0.gz is renamed filename.1.gz and filename is compressed and renamed filename.0.gz. This process repeats until
the number of archived files reaches the maximum file number. Then
the oldest trace file—the one with the highest number—is
overwritten.
You can optionally specify the number of trace files to be from 2 through 1000. You can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB). For more information about how log files are created, see the Junos OS System Log Messages Reference.
- By default, only the user who configures the tracing operation can access log files. You can optionally configure read-only access for all users.
The general authentication service tracing operations are described in the following sections:
Configuring the General Authentication Service Processes Trace Log Filename
By default, the name of the file that records trace output for general authentication service is authd. You can specify a different name by including the file statement at the [edit system processes general-authentication-service] hierarchy level:
To configure the filename for general authentication service tracing operations:
- Specify the name of the file used for the trace output.[edit system processes general-authentication-service traceoptions]user@host# set file aap_logfile_1
Configuring the Number and Size of General Authentication Service Processes Log Files
You can optionally specify the number of compressed, archived trace log files to be from 2 through 1000. You can also configure the maximum file size to be from 10 KB through 1 gigabyte (GB); the default size is 128 kilobytes (KB).
The archived files are differentiated by a suffix in the format .number.gz. The newest archived file is .0.gz and the oldest archived file is .(maximum number)-1.gz. When the current trace log file reaches the maximum size, it is compressed and renamed, and any existing archived files are renamed. This process repeats until the maximum number of archived files is reached, at which point the oldest file is overwritten.
For example, you can set the maximum file size to 2 MB, and the maximum number of files to 20. When the file that receives the output of the tracing operation, filename, reaches 2 MB, filename is compressed and renamed filename.0.gz, and a new file called filename is created. When the new filename reaches 2 MB, filename.0.gz is renamed filename.1.gz and filename is compressed and renamed filename.0.gz. This process repeats until there are 20 trace files. Then the oldest file, filename.19.gz, is simply overwritten when the next oldest file, filename.18.gz is compressed and renamed to filename.19.gz.
To configure the number and size of trace files:
- Specify the name, number, and size of the file used for
the trace output, by including the files and size options with the traceoptions statement.[edit system processes general-authentication-service traceoptions]user@host# set file aap_logfile_1 files 20 size 2097152
Configuring Access to the Log File
By default, log files can be accessed only by the user who configures the tracing operation. You can allow all users to read the log file and you can explicitly set the default behavior of the log file.
To specify that all users can read the log file:
- Configure the log file to be world-readable.[edit system processes general-authentication-service traceoptions]user@host# set file aap_logfile_1 world-readable
To explicitly set the default behavior, in which the log file can only be read by the user who configured tracing:
- Configure the log file to be no-world-readable.[edit system processes general-authentication-service traceoptions]user@host# set file aap_logfile_1 no-world-readable
Configuring a Regular Expression for Lines to Be Logged
By default, the trace operation output includes all lines relevant to the logged events. You can refine the output by including regular expressions (regex) that will be matched.
To configure regular expressions to match:
- Configure the regular expression. [edit system processes general-authentication-service traceoptions]user@host# set file aap_logfile_1 match regular-expression
Configuring the Trace Operation
By default, only important events are logged. You can specify which trace operations are logged by including specific tracing flags. The following table describes the flags that you can include.
Flag | Description |
|---|---|
address-assignment | Trace all address-assignment pool events |
all | Trace all tracing operations |
configuration | Trace configuration events |
framework | Trace authentication framework events |
gx-plus | Trace Gx-Plus events |
jsrc | Trace JSRC events |
ldap | Trace LDAP authentication events |
local-authentication | Trace local authentication events |
radius | Trace RADIUS authentication events |
To configure the flags for the event to be logged:
- Configure the flags.[edit system processes general-authentication-service traceoptions]user@host# set flag address-assignment
