To have security logs handled by the eventd process and sent with system logs to a remote server, enter the following command:
{primary:node0}
user@host> set security log mode event
Then configure the server that will receive the system log messages:
{primary:node0}
user@host> set system syslog host hostname
where hostname is the fully qualified hostname or IP address of the server that will receive the logs.
This type of logging configuration is the one most commonly used for JUNOS. In this configuration, control plane logs and data plane (security) logs are forwarded from the data plane to the Routing Engine control plane rtlogd process. The rtlogd process then forwards either syslog/sd-syslog-formatted logs to the eventd process or WELF-formatted logs to the external/remote WELF log collector.
Note: If you want to send duplicate logs to a second remote server, repeat the command with a new fully qualified hostname or IP address of a second server. If your deployment is an active/active chassis cluster, you can also configure security logging on the active node to be sent to separate remote servers in order to achieve logging redundancy.
If you need to rename or redirect one of the logging configurations, you will need to delete and recreate it. To delete a configuration:
{primary:node0}
user@host> delete security log mode event hostname
Note: WELF logs must be streamed through a revenue port because the eventd process does not recognize the WELF format.
You can increase the number of data plane, or security, logs that are sent by modifying the manner in which they are sent.
When the logging mode is set to stream, security logs generated in the data plane are streamed out a revenue traffic port directly to a remote server. Other system logs are still handled as described in Setting the System to Send All Log Messages Through eventd.
To use the stream mode, enter the following commands:
{primary:node0}
user@host> set security log source-address source-address
{primary:node0}
user@host> set security log mode stream
{primary:node0}
user@host> set security log stream streamname format [syslog|sd-syslog|welf] category [all|content-security] host ipaddr
where source-address is the IP address of the source machine; syslog, sd-syslog (structured system logging messages), and welf are the logging formats; all and content-security are the categories of logging; and ipaddr is the IP address of the server to which the logs will be streamed.
Note that for the WELF format, the category must be set to content-security. For example:
user@host> set security log stream securitylog1 format welf category content-security host 10.121.23.5
Note: If you want to send duplicate logs to a second remote server, repeat the command with a new ipaddr. If your deployment is an active/active chassis cluster, you can also configure security logging on the active node to be sent to separate remote servers in order to achieve logging redundancy.
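The format, category, and mode rules described above can be checked mechanically before a configuration is committed. The following Python audit is an added example, not Juniper code; it assumes the configuration is supplied as set commands in the form shown in this section with the CLI prompt removed, and the stream name badwelf and the address 192.0.2.10 are constructed sample values.

```python
# Added example (not Juniper code): checks set-style security log lines
# against the format, category and mode rules stated in this section.
FORMATS = {"syslog", "sd-syslog", "welf"}
CATEGORIES = {"all", "content-security"}

def parse_security_log(config_text):
    """Collect the logging mode and per-stream settings from set-style lines."""
    mode, streams = None, {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "security", "log"]:
            continue  # unrelated statements and blank lines
        args = tokens[3:]
        if len(args) == 2 and args[0] == "mode":
            mode = args[1]
        elif len(args) >= 2 and args[0] == "stream":
            settings = streams.setdefault(args[1], {})
            # The remaining tokens are keyword/value pairs: format, category, host.
            settings.update(zip(args[2::2], args[3::2]))
    return mode, streams

def audit_security_log(config_text):
    """Return findings as (stream name or None, message) tuples."""
    mode, streams = parse_security_log(config_text)
    findings = []
    if mode == "stream" and not any("host" in s for s in streams.values()):
        findings.append((None, "stream mode has no stream with a host"))
    for name, s in sorted(streams.items()):
        fmt, cat = s.get("format"), s.get("category")
        if fmt is not None and fmt not in FORMATS:
            findings.append((name, f"unknown format {fmt!r}"))
        if cat is not None and cat not in CATEGORIES:
            findings.append((name, f"unknown category {cat!r}"))
        if fmt == "welf" and cat != "content-security":
            findings.append((name, "welf requires category content-security"))
        if fmt == "welf" and mode == "event":
            findings.append((name, "welf must be streamed; eventd cannot handle it"))
    return findings

# Constructed sample: securitylog1 is this section's example, badwelf is made up.
SAMPLE = """\
set security log mode stream
set security log stream securitylog1 format welf category content-security host 10.121.23.5
set security log stream badwelf format welf category all host 192.0.2.10
"""

if __name__ == "__main__":
    for stream, message in audit_security_log(SAMPLE):
        print(stream or "(global)", "-", message)
```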
You can direct system log messages to a file on the CompactFlash card. The default directory for log files is /var/log. To specify a different directory on the CompactFlash card, include the complete pathname. For the list of logging facilities and severity levels, see Table 111 and Table 112.
For information about archiving log files, see Archiving System Logs.
The procedure provided in this section sends all security-related information to the sample file named security.
To send messages to a file:
Table 113: Sending System Log Messages to a File
To direct system log messages to the terminal session of one or more specific users (or all users) when they are logged into the local Routing Engine, specify one or more JUNOS usernames. Separate multiple values with spaces, or use the asterisk (*) to indicate all users who are logged into the local Routing Engine. For the list of logging facilities and severity levels, see Table 111 and Table 112.
The procedure provided in this section sends any critical messages to the terminal of the sample user frank, if he is logged in.
To send messages to a user terminal:
Table 114: Sending Messages to a User Terminal
By default, the JUNOS logging utility stops writing messages to a log file when the file reaches 128 KB in size. It closes the file and adds a numerical suffix, then opens and directs messages to a new file with the original name. By default, the logging utility creates up to 10 files before it begins overwriting the contents of the oldest file. The logging utility by default also limits the users who can read log files to the root user and users who have the JUNOS maintenance permission.
To enable all users to read log files, include the world-readable statement at the [edit system syslog archive] hierarchy level. To restore the default permissions, include the no-world-readable statement. You can include the archive statement at the [edit system syslog file filename] hierarchy level to configure the number of files, file size, and permissions for the specified log file. For configuration details, see the information about archiving log files in the JUNOS System Basics Configuration Guide.
To disable logging of the messages from a facility, use the facility none configuration statement. This statement is useful when, for example, you want to log messages of the same severity level from all but a few facilities. Instead of including a configuration statement for each facility you want to log, you can configure the any level statement and then a facility none statement for each facility you do not want to log. For configuration details, see the information about disabling logging in the JUNOS System Basics Configuration Guide.