Junos Syslog Engine for Salt
Juniper Networks provides support for using Salt to manage devices running Junos OS. The Salt installation includes the Junos syslog engine (for Salt), which listens for Junos OS system log messages from managed devices and publishes them on the Salt event bus. The Junos syslog engine, in conjunction with existing or custom reactors, enables you to use Salt for event-based state management of devices running Junos OS.
The following sections discuss how the Junos syslog engine works, how to configure and enable it, how to configure the events to send and subscribe to, and how to view these events on the event bus.
Understanding the Junos Syslog Engine
Junos OS generates system log messages (also called syslog messages) to record events that occur on the device, including events for routine operations, failure and error conditions, and emergency or critical conditions. System log messages can contain the following information:
Junos OS process that generated the message
Date and time the message was generated
Severity of the event
Tag that uniquely identifies the event
String that provides information about the event
For example, the following syslog message records the successful completion of a commit operation on router1:
Sep 3 11:52:22 router1 mgd[83498]: UI_COMMIT_COMPLETED: commit complete
Salt engines are external system processes that are monitored by and leverage Salt. Salt engines can export or import events on the Salt event bus. The Salt installation includes the Junos syslog engine, which can monitor Junos OS system log messages that are sent to the Salt server and publish them on the Salt event bus. Figure 1 illustrates a Salt setup that includes the Junos syslog engine. When enabled, the Junos syslog engine listens on the specified port for syslog events from managed devices running Junos OS.
When the Junos syslog engine receives an event, it extracts the event information, translates it to Salt format, and publishes it on the Salt event bus. The following output represents the same commit complete event as it is displayed on the Salt event bus:
jnpr/syslog/router1/UI_COMMIT_COMPLETED {
"_stamp": "2019-09-03T18:52:11.279878",
"daemon": "mgd",
"event": "UI_COMMIT_COMPLETED",
"facility": 23,
"hostip": "198.51.100.2",
"hostname": "router1",
"message": "commit complete",
"pid": "83498",
"priority": 188,
"raw": "<188>Sep 3 11:52:22 router1 mgd[83498]: UI_COMMIT_COMPLETED: commit complete",
"severity": 4,
"timestamp": "2019-09-03 18:52:11"
}
Salt events all use the same basic data structure, which consists
of an event tag and a body. The event tag is just a high-level description
of the event, and the body is a dictionary that contains the event
details. In the previous example, the event tag is jnpr/syslog/router1/UI_COMMIT_COMPLETED.
How to Enable the Junos Syslog Engine
The Junos syslog engine requires installing the pyparsing and twisted Python
modules on the server where the engine runs. This documentation assumes
the Junos syslog engine is running on the Salt master. For detailed
instructions on installing the prerequisites and enabling the Junos
syslog engine, see Configuring the Junos Syslog Engine in the Salt
for Junos OS Quick Start Guide.
To use the Junos syslog engine, you must configure the device running Junos OS to send its syslog messages to a designated port on the Salt master. You can configure the device to send all events or only events corresponding to a specific facility or message severity level.
To send all events, configure any any to indicate
all facilities and all message severity levels.
[edit] saltuser@router1# set system syslog host salt-server port 9999 any any saltuser@router1# commit
To send, for example, only security events with a severity
level of info or higher, configure security info.
[edit] saltuser@router1# set system syslog host salt-server port 9999 security info saltuser@router1# commit
For more information about system logging facilities and message severity levels, see Junos OS System Logging Facilities and Message Severity Levels.
To enable the Junos syslog engine, you must configure
the engine under the engines key in the
Salt master configuration file and specify the same port that you
configured on the devices running Junos OS.
engines:
- junos_syslog:
port: 9999
To apply the configuration, you must restart the Salt master, which automatically starts the Junos syslog engine process. The Junos syslog engine then listens for Junos OS syslog messages on the specified port, extracts the event information, and publishes it in Salt format on the Salt event bus. To create and configure reactors that automatically take action when specific events occur, see Configuring Salt Reactors for Junos OS Events.
How to Configure the Event Tag
Events published to the Salt event bus have two components: the event tag and the data. Junos OS events use the following default event tag (or event topic) syntax:
jnpr/syslog/hostname/event
The event tag for Junos OS events must always start with jnpr/syslog, but you can customize the remaining fields
by defining the topic parameter in the
engine configuration and specifying the fields to include. For example,
the following configuration generates event tags that include the
device’s IP address, the process that generated the message,
and the event:
engines:
- junos_syslog:
port: 9999
topic: jnpr/syslog/hostip/daemon/event
When you configure this syntax, the tag for a completed commit operation event might be:
jnpr/syslog/198.51.100.2/mgd/UI_COMMIT_COMPLETED
The event tag fields can include any combination of the
following fields after jnpr/syslog/:
daemoneventhostiphostnamemessagepidpriorityraw (the raw event data forwarded from the device)severitytimestamp
How to Subscribe to Events for Specific Junos OS Processes
As described in How to Enable the Junos Syslog Engine, you can configure which syslog events the device running Junos
OS sends to the Junos syslog engine. By default, the Junos syslog
engine publishes the event data for all received events on the Salt
event bus. You can also customize the Junos syslog engine to only
subscribe to certain processes by configuring the daemon parameter in the engine configuration. When you configure this parameter,
the Junos syslog engine only publishes the events pertaining to those
processes on the Salt event bus.
The following Salt engine configuration subscribes the Junos syslog engine to events from the management process (mgd) and the routing protocol process (rpd):
engines:
- junos_syslog:
port: 9999
topic: jnpr/syslog/hostname/event
daemon:
- mgd
- rpd
After restarting the salt-master process to apply the configuration, the Junos syslog engine only publishes events from these two processes on the Salt event bus.
jnpr/syslog/router1/UI_DBASE_LOGIN_EVENT {
"_stamp": "2019-08-28T22:16:42.612723",
"daemon": "mgd",
"event": "UI_DBASE_LOGIN_EVENT",
"facility": 23,
"hostip": "198.51.100.2",
"hostname": "router1",
"message": "User 'saltuser' entering configuration mode",
"pid": "52764",
"priority": 189,
"raw": "<189>Aug 28 15:17:00 router1 mgd[52764]: UI_DBASE_LOGIN_EVENT: User 'saltuser' entering configuration mode",
"severity": 5,
"timestamp": "2019-08-28 22:16:42"
}
How to View Events on the Salt Event Bus
Salt runners execute modules on the Salt master rather than
on the minions. You execute runners by using the salt-run command. To view the events on the Salt master event bus in real
time, execute the following command, which displays the events in
the terminal:
saltuser@salt-master~$ sudo salt-run state.event pretty=True
jnpr/syslog/router1/UI_COMMIT_COMPLETED {
"_stamp": "2019-07-24T17:17:30.390374",
"daemon": "mgd",
"event": "UI_COMMIT_COMPLETED",
"facility": 23,
"hostip": "198.51.100.2",
"hostname": "router1",
"message": "commit complete",
"pid": "5795",
"priority": 188,
"raw": "<188>Jul 24 10:17:38 router1 mgd[5795]: UI_COMMIT_COMPLETED: commit complete",
"severity": 4,
"timestamp": "2019-07-24 17:17:30"If you want to quickly trigger an event, you can ping the minion as shown in the following example:
saltuser@salt-master~$ sudo salt 'router1' test.ping
The corresponding event bus output shows the Salt job and the minion’s response.
20190626185606864697 {
"_stamp": "2019-06-26T18:56:06.865972",
"minions": [
"router1"
]
}
salt/job/20190626185606864697/new {
"_stamp": "2019-06-26T18:56:06.867352",
"arg": [],
"fun": "test.ping",
"jid": "20190626185606864697",
"minions": [
"router1"
],
"missing": [],
"tgt": "router1",
"tgt_type": "glob",
"user": "sudo_saltuser"
}
salt/job/20190626185606864697/ret/router1 {
"_stamp": "2019-06-26T18:56:06.968557",
"cmd": "_return",
"fun": "test.ping",
"fun_args": [],
"id": "router1",
"jid": "20190626185606864697",
"retcode": 0,
"return": true,
"success": true
}
To test the Junos syslog engine configuration, you can execute an operation on the device running Junos OS. The device must be configured to send messages with that operation’s facility and that severity level to the Junos syslog engine. In addition, the engine must be subscribed to messages from that process (or all processes, which is the default). When you execute the operation, the Junos syslog engine publishes the event to the Salt event bus.