Our 'messages' content is pretty minimal. We try to keep as little data in one
lump on the device(s) to make auditing easier.
If we need to log in to the device to check something, we want to find an answer
quickly. If we have time or it's looking like a far more complex problem, then we
can scrape the syslog store.
We aren't watching ldp/lldp/isis/bfd by means of forwarding via syslog, but the
following catches the things 'we' care about, while cutting down on 99.9% of
the noise which we don't.
Things it doesn't catch, we fudge with event-options; I'm sure you could
probably do the same to give you better control rather than leaning on the
built-in priorities.
Since we use TACACS+, all our command accounting goes there. In light of this,
we only log config items that have been changed, but that creates a nice audit
trail by itself (who did what where, when...). Maybe you would want that to go
to a dedicated file if you're not running any centralized AAA...
I would strongly encourage the use of the 'allow-duplicates' in the syslog root
to avoid "last message repeated 'n' times" from obscuring bigger problems.
We also log things like interface events directly to the device for ease of
troubleshooting. I only show the one example to give some idea how it may suit
your needs.
syslog {
    host foobar {
        any emergency;
        authorization warning;
        daemon warning;
        kernel critical;
        change-log any;
        explicit-priority;
    }
    file messages {
        any critical;
        authorization info;
    }
    allow-duplicates;
    file interfaces {
        any any;
        match SNMP_TRAP_LINK;
    }
}
event-options {
    policy PROTOCOL-STATE-OVERRIDE {
        events [ rpd_ospf_nbrdown rpd_ospf_nbrup rpd_bgp_neighbor_state_changed ];
        then {
            priority-override {
                severity warning;
            }
        }
    }
}
-----Original Message-----
From: juniper-nsp [mailto:[email protected]] On Behalf Of
Jason Lixfeld
Sent: Thursday, March 21, 2019 12:10 PM
To: juniper-nsp
Subject: [j-nsp] Show me all the system syslog things!
Hi,
I’m looking for some ideas about configuring syslog.
Starting from the bare-minimum syslog config, and log-updown in BGP:
jlixfeld@lab# show system syslog
user * {
    any emergency;
}
host 10.219.51.130 {
    any info;
}
file messages {
    any info;
}
time-format year millisecond;
The messages file produces a great set of useful logs for day-to-day operations
and monitoring: up/down for LDP, LLDP, ISIS, BFD, interface, BGP and also
executed CLI commands (mgd UI_CMDLINE_READ_LINE). It’s great.
However, an enormous amount of logs from mgd (UI_*), chassisd, and a bunch of
other processes are also caught in this messages file, and while it’s
definitely useful to capture, it doesn’t need to be in the same file as the
day-to-day stuff. I’m sure others have constructed some useful syslog configs
for separating these day-to-day messages into one file, and other stuff into
other file(s). I’m interested in seeing other people’s work for some
inspiration on how I can construct a useful set of files myself.
Anyone care to share?
Thanks in advance!
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp