Juniper JNCIA JN0-103 – Junos Configuration Basics

5. System Logging

Hello and welcome back. In this lecture, we’re going to talk about system logging. Let’s begin. First of all, what do we mean by Syslog or system logging? System logging operations record systemwide highlevel operations such as interfaces going up or down or users logging into or out of the device. By default, logging logs are placed in files that are stored in the VAR log directory.

The primary Syslog file which is included in all factory default configurations is the VAR log messages file. Every system log message belongs to a facility. A facility is a group of messages that are either generated by the same software process or concern a similar activity. For example, authentication attempts. Every message is also preassigned a severity level which indicates how seriously does the triggering event affect device functions. Let’s look at some of the Syslog facilities.

We actually have quite a few facilities on Juno’s devices. I have listed the most important ones. The facility called as Any, is responsible for logging all types of messages. The facility called Authorization is responsible for logging authentication and authorization attempts. We have Change Log, which is responsible for logging changes to configuration. The firewall facility logs packet filtering actions performed by a firewall filter.

Interactive Commands facility is responsible for logging commands issued at the Juno’s command line interface. You have the kernel facility, which is responsible for logging actions or errors encountered by the Juno’s kernel. You have NTP facility, which is responsible for actions performed or errors encountered by the network time protocol process. The security facility is responsible for security related events or errors. And you have the user facility which is responsible for actions performed or errors encountered by user space processes. We have some more facilities which is not listed over here.

What I’m going to do is I’m going to put a link in the resources section so you can go and check out all the available facilities on a Juno’s device. Along with facility, we also have severity levels. I have listed all the severity levels over here. The severity level, called NA, indicates there is no severity level at all, or in other words, none. It disables logging of the associated facility.

The severity level of zero is considered as emergency. It indicates a state of system panic or other condition that causes the device to stop functioning. Severity level one is alert. It indicates conditions that require immediate correction, such as a corrupted system database. Severity level two indicates critical, which is critical conditions such as hard errors. You then have severity level three, which is error.

 These indicate error conditions that generally have less serious consequences than errors at the emergency, alert and critical levels. Severity level four is warning. It indicates those conditions that warrant monitoring. Severity level five is also called as Notice. It indicates those conditions that are not errors but might warrant special handling. You have severity level six, which is info. It indicates events or non error conditions of interest and you have severity level seven which indicates any it includes all severity levels. All right, before we move further, I’ll show you on the device how to configure logging. So let’s go to the command line interface. All right back over here.

As you can see, I’ve already logged in. I’m going to enter the configuration mode. To set up logging, we first need to navigate to edit system syslog, that is the configuration hierarchy from where you’re going to configure logging or syslogging. I’ll do a show first to view the existing configuration. As you can see, I already have some configuration listed.

This command over here, user star, any emergency. This command will show messages from any facility having the severity level of emergency to all the logged in users. And you can see over here I have a bunch of files that have already been created. This file called Messages is the primary syslog file. It logs messages from all facilities at all severity levels for the authorization facility, it logs at the info level. This file over here called CLI commands logs commands only from the Interactive Commands facility at all severity levels.

I also have something called explicit priority, which we do not need to worry about right now. I have a discussion coming up on it. I have a file called Change log, which logs from the change log facility at all severity levels. I have a file called Security, which logs from the Security facility at all severity levels. Let’s try to create a file that logs from the user facility at all severity levels. For that I’m going to do set file space question mark. We need to start with a file name.

I’m going to call this one as User logs question mark. We need to select the facility. So I’m going to use this one here, the user facility. Do a question mark. Which severity level do we want to log for this one? I’m going to use any to make sure all messages at all severity levels are logged. Hit Enter. I’ll do a show and we have that configuration over here. I also want to add a comment like I’ve added to all the files just so that I know what that file is actually storing. To do that, we already know the command, we learned about it earlier. The command is annotate. So we’re going to do this annotate file.

Question mark. We are looking to annotate this one here. User logs. Question mark. We can now put the comment string. So I’m going to type inside, double quotes, logs all user activities, close the quotations, hit enter. We can verify that with a show and we have that comment over here. One thing that we did not discuss when we discussed the annotation topic was how to delete the annotation.

It’s actually super simple. I’m going to hit the up arrow and to remove the annotation, just remove whatever is there inside that double quotes. Hit Enter and do a show. You’ll notice the comment is taken away, right? So that’s a pro tip for the day, right? Okay, let’s put that again. There you go. I’ll verify with a Show command. Looks okay. I’m going to do a commit check, top commit check just to verify everything is okay. And I’ll follow that with a commit statement.

All right, commit completed. Let’s exit the configuration mode and let’s understand how we can view the log messages. The command to do that is Show logspace. It will list all the files in which log messages are being stored. We have all the file names that we have configured over there. For example, change log CLI commands. You have messages over here. You have security user, user logs, and so on. Let’s try to view what’s inside the messages file over here. So I’m going to do a Show log messages. Hit Enter. As you can see, it’s a really long file. So I’m going to terminate this and I’m just going to look at the recent logs using the pipe last command. This will only show me the last portion of that log. Hit Enter, and you’ll notice over here the logs from the different users. You can also see over here the command that we typed in, right? You see that here? This is the command that we typed in.

Let’s say I wanted to find out all the commands that have been typed at the command prompt. So I can just grab this portion over here. Copy that. And we can do this. Show log messages pipe match only that specific log type over here, hit Enter, and we can see all the commands that we typed in right now. These are all the commands that we typed in, right?

So this is a really cool way to find out what’s happening on your device. Similarly, we could also do Show log question mark, and we can view the messages stored in any of these files over here. Let’s go back to the slides. Interpreting Syslog entries. We looked at some of the syslog entries right now. Syslog entries consist of the following. You first have a timestamp that indicates when the message was logged. You then have the name portion which indicates the configured system name.

You then have the process name or PID, which indicates the name of the process or the process ID that generated the log entry. You have message code. It’s a code that identifies the nature and purpose of the message. And you have a message text which provides additional information related to the message code. I have some Syslog examples over here. These are the exact same examples that we saw right now when we did the command show log messages pipe last. And then we gave that keyword over there the message type over there. I have three different Syslog messages on the screen right now. You can see for each one of them. It starts with the date and the timestamp. My Juno’s is my host name. You then have the process name and or the process ID.

You then have the message code and then you have the message text. The first syslog entry shows that the user actually typed in some command. The second syslog entry shows a failed login attempt from a IP address. The third syslog message shows a commit complete message. Now, let’s talk about that keyword that we saw earlier called explicit priority. By adding the explicit priority statement, juno’s alters the syslog message format to include a numeric priority value. The first example shows the message format without the explicit priority statement. As you can see, the message code is UI underscore CMD line underscore read underscore line.

After entering the explicit priority statement, the message code has changed. You see percentage interact hyphen six. It tells you that it’s a severity level six message code. So if you wanted to include the severity level of the message, you can type in the command explicit priority under the file statement. And I’ll show this to you on the command line back over here.

Just going to terminate this. Go to edit edit system syslog. Let’s do a show first. As you can see over here in CLI commands we are actually using the statement called explicit priority. Let’s first try to see the message format from this file. If you want to run operational mode commands from configuration mode, you can do it with a run. So I’m going to say run show log CLI commands and I’m going to hit enter.

Let’s go to the end of the file. As you can see over here, all of these commands over here actually have the severity level on them. And this file also contains all the commands that we’ve typed in. Now, because this file is used to log the interactive commands, if you wanted to turn off the severity level, we can remove the explicit priority statement. Let’s do a show first.

I’m going to delete this statement over here. So I’m going to say delete file CLI commands explicit priority, hit enter and let’s verify that with a show. Now we can see that in file CLI commands we do not have explicit priority. I’m going to commit this configuration. Perfect. Now let’s verify if the severity level has been removed from the message code.

So I’m going to do that again. Run show log CLI commands pipe last. Just to view the last portion of that log file, hit enter and there you go. You can see that the format has now changed. Before we actually did the commit, you can see the format had the severity level in it. This is when the commit operation was happening. Once the commit operation has been completed, you can see that over here. Now the format does not have the severity level on it.

Isn’t that interesting? The severity level can sometimes be very useful, especially in troubleshooting scenarios. Finally, let’s discuss about how to interpret Syslog message codes. When we look at the Syslog messages, we see these message codes. How do we know? What does that message code indicate? Well, Juno’s makes it very easy for us. We can grab that message code, go to the operational mode, and use a command called Help syslog to find out more about that message code.

Let me show that to you in action. All right, I’m back at the terminal. I’ve cleared my sessions, and I’m also recording from a new place, which is why you may feel that my voice has kind of changed. Nevertheless, let’s do Show log, and I’m going to do Show log messages, and I’m going to try the last portion of that output. All right, so we have a bunch of those messages.

Now, we can grab the message code of any one of these messages. For example, I’m going to take this one over here, SSHD login failed. By the way, these are actually all failed login attempts, which are coming from numerous Chinese IP addresses. They constantly try to crack your password. They keep trying different passwords all the time. In fact, if I did a copy and I try to filter based on those messages like this, match that string, you will see so many of them. There’s a constant attempt to crack the passwords. Anyway, let’s focus on what we are trying to learn over here.

Right? Okay, so I’m going to do Help Syslog, and we can paste in the message code over here, hit Enter. We should get information about it. For example, we have name, message, help, description, type, severity and facility. I have an example like this on the slides as well. Let’s go back over there. All right, the command that I tried is at the top of the screen in bold, which is Help syslog UI underscore CMD line, underscore read, underscore line, the name indicates the message code itself. The message indicates the format of that message. Help gives you information about that command.

It says User entered the command at CLI prompt, which means if I type in any command at the command line interface, this is the message code that will come along with that Syslog message. The description says the indicated user typed the indicated command at the command line interface prompt and pressed the Enter key. The type of this message code is event.

This message reports an event, not an error. The severity level is info, and the facility that it is coming from is log underscore AOT edge. So this one is a very useful command, especially when we are doing troubleshooting. And we want to quickly find out what does the message code actually indicate, we can use this command. All right, so that’s all the topics that I wanted to discuss with you in this lecture. I hope you found it interesting. If you have any questions, feel free to let me know. I’d like to thank you for watching, and I’m going to catch you in the next lecture. Thank you.