Sample Syslog Server Configuration on a Linux System

Sample Syslog Server Configuration on a Linux System Overview

A secure Junos OS environment requires that events are audited and stored in a local audit file, and that the recorded events are simultaneously sent to an external syslog server, which receives the syslog messages streamed from the device. The syslog server must have an SSH client with NETCONF support configured to receive the streamed syslog messages.

The NDcPP2.2e audit logs capture events such as the following:

  • Committed changes

  • Login and logout of users

  • Failure to establish an SSH session

  • Establishment or termination of an SSH session

  • Changes to the system time

The following procedure is an example of configuring a syslog server on a Linux platform, using StrongSwan to provide IPsec. Before you begin, the Linux-based syslog server must be configured with an IP address and gateway, and the StrongSwan IPsec client must be installed on the syslog server so that it can initiate a VPN connection with the Junos OS device.

To set up a StrongSwan configuration on the remote syslog server to provide IPsec VPN capability:

  1. Modify the /etc/ipsec.secrets settings in accordance with the Junos OS device configuration.

  2. Modify the /etc/ipsec.conf settings in accordance with the Junos OS device configuration.

    Note:

    Here conn home specifies the name of the IPsec tunnel connection to be established between the Junos OS device and the StrongSwan VPN client on the syslog server, ike=aes-sha256-modp2048 specifies the IKE encryption and authentication algorithms and the DH group to be used for the connection, and esp=aes128-sha1 specifies the ESP encryption and authentication algorithms to be used for the connection.

  3. Activate the IPsec service by using the ipsec up <being-established-ipsec-tunnel-name> command. For example,

  4. Restart the IPsec StrongSwan service.

  5. Check for syslog encrypted traffic.

  6. Copy /var/log/syslog to /var/tmp/syslog_verify file on the syslog server to validate the syslog from the Junos OS device.
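The StrongSwan side of steps 1 to 6, as an added example that is not Juniper's or strongSwan's own text. It renders /etc/ipsec.conf and /etc/ipsec.secrets for the conn home tunnel described in the note, applies them, and checks that syslog now travels as ESP; the addresses and pre-shared key are assumed placeholders to be replaced with the Junos OS device's values.

```shell
#!/bin/sh
# Added example (not Juniper's or strongSwan's own files): render the two
# strongSwan files for the "conn home" tunnel described in the note, apply
# them, bring the tunnel up and confirm that syslog leaves as ESP.
# Addresses and the PSK are assumed placeholders; take the real values from
# the Junos OS device configuration.
JUNOS_IP="${JUNOS_IP:-192.0.2.1}"     # Junos OS device (assumed placeholder)
SYSLOG_IP="${SYSLOG_IP:-192.0.2.2}"   # this syslog server (assumed placeholder)
PSK="${PSK:-REPLACE_WITH_PRESHARED_KEY}"

# /etc/ipsec.conf: proposals exactly as in the note (IKE aes-sha256-modp2048,
# ESP aes128-sha1); a trailing "!" would restrict strongSwan to that proposal only.
gen_ipsec_conf() {
cat <<EOF
conn home
    type=tunnel
    authby=secret
    left=$SYSLOG_IP
    right=$JUNOS_IP
    ike=aes-sha256-modp2048
    esp=aes128-sha1
    auto=add
EOF
}

# /etc/ipsec.secrets: pre-shared key for this peer pair (file must stay mode 0600).
gen_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$SYSLOG_IP" "$JUNOS_IP" "$PSK"
}

# Steps 1-4: install both files, restart strongSwan, bring "home" up.
apply_ipsec() {
    gen_ipsec_conf > /etc/ipsec.conf &&
    gen_ipsec_secrets > /etc/ipsec.secrets && chmod 600 /etc/ipsec.secrets &&
    ipsec restart && sleep 2 && ipsec up home && ipsec status home
}

# Step 5: syslog from the device must now show up only as ESP on the wire.
check_esp() {
    echo "Capturing ESP to/from $JUNOS_IP (tunnelled syslog); cleartext port 514 would mean no tunnel:"
    timeout 15 tcpdump -ni any -c 5 "esp and host $JUNOS_IP"
}

# Step 6: snapshot what arrived, for comparison with the TOE's local audit file.
snapshot_syslog() { cp /var/log/syslog /var/tmp/syslog_verify && wc -l /var/tmp/syslog_verify; }

# Only run the privileged sequence when invoked as: sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then apply_ipsec && check_esp && snapshot_syslog; fi
```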

Configuring Event Logging to a Local File

You can configure the storing of audit information to a local file, and the level of detail to be recorded, with the syslog statement. This example stores logs in a file named Audit_file.

Configuring Event Logging to a Remote Server

Configure the export of audit information to a secure remote server by setting up an event trace monitor that sends event log messages to the remote system event logging server by using NETCONF over SSH. The following procedures show the configuration needed to send system log messages to a secure external server by using NETCONF over SSH.

Configuring Event Logging to a Remote Server when Initiating the Connection from the Remote Server

The following procedure describes the steps to configure event logging to a remote server when the SSH connection to the TOE (the Junos OS device under evaluation) is initiated from the remote system log server.

  1. Generate an RSA public key on the remote syslog server.

    You will be prompted to enter the desired passphrase. The storage location for the syslog-monitor key pair is displayed.

  2. On the TOE, create a class named monitor that has permission to trace events.
  3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor key pair from the key pair file located on the remote syslog server.
  4. Set up NETCONF with SSH.
  5. Configure syslog to log all the messages at /var/log/messages.
  6. On the remote system log server, start up the SSH agent. The agent simplifies the handling of the syslog-monitor key.
  7. On the remote syslog server, add the syslog-monitor key pair to the SSH agent.

    You will be prompted to enter the desired passphrase. Enter the same passphrase used in Step 1.

  8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.
  9. After NETCONF is established, configure a system log events message stream. This RPC causes the NETCONF service to start transmitting messages over the established SSH connection.
  10. Examples of syslog messages are listed below. Monitor the event log generated for administrator actions on the TOE as received on the syslog server. Examine the traffic that passes between the audit server and the TOE, confirming that the data cannot be viewed in transit and that it is successfully received by the audit server. Match the events logged locally against those logged on the remote syslog server, and record the particular software (name, version, and so on) used on the audit server during testing.
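The syslog-server side of steps 1 and 6 to 10, as an added example that is not Juniper's own text; the Junos-side configuration in steps 2 to 5 is done on the device and is not shown. TOE_IP and the key path are assumed placeholders, and the <get-syslog-events> RPC name is assumed from Junos NETCONF documentation and should be verified against your release.

```shell
#!/bin/sh
# Added example for the remote-initiated procedure above; it is not Juniper's
# own text. TOE_IP and the key path are assumed placeholders. The
# <get-syslog-events> RPC name is assumed from Junos NETCONF documentation;
# verify it against your Junos release.
TOE_IP="${TOE_IP:-192.0.2.1}"               # Junos OS device (assumed placeholder)
KEY="${KEY:-$HOME/.ssh/syslog-monitor}"     # key pair from step 1

# Step 1: generate the syslog-monitor RSA key pair (ssh-keygen prompts for the passphrase).
gen_key() { ssh-keygen -t rsa -b 2048 -C 'syslog-monitor key pair' -f "$KEY"; }

# Step 9: the RPC that asks the NETCONF service to stream the "messages" syslog file.
build_syslog_rpc() {
    printf '<rpc>\n  <get-syslog-events>\n    <stream>messages</stream>\n  </get-syslog-events>\n</rpc>\n'
}

# Steps 6-9: load the key into an agent, open NETCONF over SSH as syslog-mon,
# send the RPC and capture everything the TOE streams back. stdin is held open
# so the SSH session (and the stream) stays up until this script is stopped.
start_stream() {   # $1 = capture file on the syslog server
    eval "$(ssh-agent -s)" >/dev/null && ssh-add "$KEY" &&
    { build_syslog_rpc; tail -f /dev/null; } | ssh "syslog-mon@$TOE_IP" -s netconf > "$1"
}

# Step 10: report which local audit lines (copied from the TOE) also appear in
# the capture. Prints matched/total and returns non-zero if any line is missing.
match_logs() {   # $1 = local audit log copy, $2 = remote capture
    total=0; hit=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        total=$((total + 1))
        grep -qF -- "$line" "$2" && hit=$((hit + 1))
    done < "$1"
    echo "$hit/$total local events found in remote capture"
    [ "$hit" -eq "$total" ]
}
```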

The following output shows test log results for the syslog server.

The following output shows event logs generated on the TOE that are received on the syslog server.

The following output shows that the local syslogs and remote syslogs received are similar.

If the connection used by the device is unintentionally broken, the security administrator must restart the connection, or the device will try to reconnect to the audit server.