
  • 1.  Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 02:17

    Hi Guys,

     

    Is it possible to configure the SRX to send every "change" done via CLI and J-Web to a syslog server, so you can check who edited what and when?

     

    On our EX-Switches we solved the "show who logged in" part by sending a Trap:

     

    set event-options policy SSH-AUTH-ROOT events SYSTEM

    set event-options policy SSH-AUTH-ROOT attributes-match SYSTEM.message matches "Accepted password"

    set event-options policy SSH-AUTH-ROOT then raise-trap

     

    We need to do this due to an internal audit - Management wants to archive who made changes and what changes they made - but we can't find any examples for CLI AND J-Web.

     

    Has anyone ever done anything like this and can give me a hint or a config-Example?

     



  • 2.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 04:43

    I'm not familiar with a configuration like this, but I would suggest that besides configuring the event-options policy trap, you can configure:

     

    set system archival configuration transfer-on-commit archive-sites ftp://username@destination_ftp_ip_address/foldername password <password>

     

    So you can: 1. back up your configuration on every change; 2. from the date the file was created on your FTP server and the date the event trap was sent, you can know who made the changes.

     



  • 3.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 06:41

    Hi Abed,

     

    We already have system archival in place for every commit. However, that goes to the "archival" server, and the customer wants the Monitoring Team to be able to tell from the logs in the SIEM / monitoring system. Therefore they demand traps or streams or jflows or whatever to be sent to the syslog server. We successfully configured that for the CLI; however, it's not working for J-Web - you can't tell what the user changed in J-Web without looking into the archival files.

     

     



  • 4.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 12:04

    Hi Chris,

     

    Doing this syslog configuration produces the example log output shown below. This should solve most of your issues.

     

    Config:

     

    jh@fw> show configuration system syslog
    file interactive-commands {
        authorization info;
        interactive-commands info;
    }

    Log output from /var/log/interactive-commands. The "JUNOScript" entries are logged when browsing around in J-Web. This is, by the way, from an SRX running 15.1X49-D75.

     

    Jan 30 20:53:07.874  fw sshd[40807]: Accepted keyboard-interactive/pam for jh from 10.X.X.X port 64202 ssh2
    Jan 30 20:53:08.583  fw mgd[40812]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:53:08.583  fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '10.X.X.X 64202 10.X.X.X 22', client-mode 'cli'
    Jan 30 20:53:13.191  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog '
    Jan 30 20:53:20.754  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog file interactive-commands '
    Jan 30 20:53:25.839  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    Jan 30 20:53:43.129  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'configure '
    Jan 30 20:53:43.133  fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
    Jan 30 20:53:45.913  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'exit '
    Jan 30 20:53:45.921  fw mgd[40812]: UI_DBASE_LOGOUT_EVENT: User 'jh' exiting configuration mode
    Jan 30 20:54:32.820  fw mgd[40846]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
    Jan 30 20:54:32.820  fw mgd[40846]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40846], ssh-connection '', client-mode 'cli'
    Jan 30 20:54:32.835  fw mgd[40846]: UI_CMDLINE_READ_LINE: User 'root', command 'xml-mode '
    Jan 30 20:54:32.844  fw mgd[40846]: UI_LOGOUT_EVENT: User 'root' logout
    Jan 30 20:54:35.236  fw mgd[40845]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
    Jan 30 20:54:35.239  fw mgd[40845]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40845], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:54:35.249  fw mgd[40845]: UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-configuration database="candidate" inherit="defaults" format="xml"'
    Jan 30 20:54:35.972  fw mgd[40845]: UI_LOGOUT_EVENT: User 'root' logout
    Jan 30 20:54:39.073  fw checklogin[40852]: warning: can't get client address: Bad file descriptor
    Jan 30 20:54:40.275  fw checklogin[40852]: (pam_sm_authenticate): DEBUG: PAM_USER: jh
    Jan 30 20:54:40.277  fw checklogin[40852]: failed to open /var/db/login-attempts for reading and writing: No such file or directory
    Jan 30 20:54:40.280  fw checklogin[40852]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: jh      attempts: -1
    Jan 30 20:54:40.283  fw checklogin[40852]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: jh
    Jan 30 20:54:40.291  fw checklogin[40852]: WEB_AUTH_SUCCESS: Authenticated httpd client (username jh)
    Jan 30 20:54:40.319  fw mgd[40850]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:54:40.327  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:54:40.340  fw mgd[40850]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:54:40.340  fw mgd[40850]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40850], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:54:40.361  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-system-users-information no-resolve'
    Jan 30 20:54:40.364  fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/show-users'
    Jan 30 20:54:40.580  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/show-users', PID 40853, status 0
    Jan 30 20:54:40.850  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration database="committed" inherit="defaults"'
    Jan 30 20:54:40.875  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'request-web-management-login user=jh session-id=ef078c7f80b4bba0086c35480d77b5736c829d4f from=10.253.12.40'
    Jan 30 20:54:40.914  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-autoinstallation-status-information'
    Jan 30 20:54:40.929  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-ethernet-switching-global-information'
    Jan 30 20:54:40.976  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
    Jan 30 20:54:41.012  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse interface-name=fxp0'
    Jan 30 20:54:41.018  fw mgd[40850]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:54:41.209  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40865, status 0x100
    Jan 30 20:54:41.222  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-software-information'
    Jan 30 20:54:41.230  fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/package-info'
    Jan 30 20:54:41.352  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/package-info', PID 40866, status 0
    Jan 30 20:54:42.596  fw mgd[40850]: UI_LOGOUT_EVENT: User 'jh' logout
    Jan 30 20:54:48.193  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    Jan 30 20:55:02.440  fw mgd[40799]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:55:03.833  fw mgd[40799]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40881, status 0
    Jan 30 20:55:15.446  fw mgd[40882]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:55:15.454  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:55:15.467  fw mgd[40882]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:55:15.467  fw mgd[40882]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40882], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:55:15.484  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
    Jan 30 20:55:15.911  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse'
    Jan 30 20:55:15.918  fw mgd[40882]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:55:16.236  fw mgd[40882]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40886, status 0
    Jan 30 20:55:16.260  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
    Jan 30 20:55:16.277  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-inventory'
    Jan 30 20:55:16.324  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-fpc-information detail'
    Jan 30 20:55:16.768  fw mgd[40882]: UI_LOGOUT_EVENT: User 'jh' logout
    Jan 30 20:55:17.095  fw mgd[40887]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:55:17.103  fw mgd[40887]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:55:17.117  fw mgd[40887]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:55:17.117  fw mgd[40887]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40887], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:55:17.133  fw mgd[40887]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
    Jan 30 20:55:17.367  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    

    #audit
    #log
    #srx300
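As an added example, not code from this thread or from Juniper, here is a small Python parser for the interactive-commands log format shown in the post above. It keys sessions on the mgd PID, takes the source address from the ssh-connection field for CLI logins and from the `from=` attribute of request-web-management-login for J-Web logins (whose UI_LOGIN_EVENT carries an empty ssh-connection, as the excerpt shows), and reports the sessions that issued configuration-changing commands, which is what a SIEM rule built on this feed would look for. The sample log lines are constructed, modelled on the excerpt; the `load-configuration` / `commit-configuration` lines standing in for a J-Web commit are an assumption about what J-Web emits rather than something the excerpt shows, the session-id is a placeholder, and the verb lists used to classify commands are my own choice.

```python
"""Parse Junos interactive-commands syslog lines into per-session audit records.

Added example, not the thread's or Juniper's code. The line format follows the
/var/log/interactive-commands excerpt in the post above; the command
classification sets below are assumptions chosen for this demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the excerpt in the post above. The J-Web
# load-configuration / commit-configuration lines are assumed, not taken from
# the excerpt, and the session-id is a placeholder.
SAMPLE_LOG = """\
Jan 30 20:53:08.583  fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '10.X.X.X 64202 10.X.X.X 22', client-mode 'cli'
Jan 30 20:53:43.129  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'configure '
Jan 30 20:53:43.133  fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
Jan 30 20:53:44.001  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'set system host-name fw2 '
Jan 30 20:53:44.500  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'commit '
Jan 30 20:53:45.921  fw mgd[40812]: UI_DBASE_LOGOUT_EVENT: User 'jh' exiting configuration mode
Jan 30 20:54:40.291  fw checklogin[40852]: WEB_AUTH_SUCCESS: Authenticated httpd client (username jh)
Jan 30 20:54:40.340  fw mgd[40850]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40850], ssh-connection '', client-mode 'junoscript'
Jan 30 20:54:40.875  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'request-web-management-login user=jh session-id=SESSIONID-PLACEHOLDER from=10.253.12.40'
Jan 30 20:54:41.000  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration database="committed" inherit="defaults"'
Jan 30 20:54:41.500  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'load-configuration action="merge" format="text"'
Jan 30 20:54:42.000  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'commit-configuration'
Jan 30 20:54:42.596  fw mgd[40850]: UI_LOGOUT_EVENT: User 'jh' logout
"""

# "<ts>  <host> <proc>[<pid>]: <TAG>: <message>"; the TAG is absent on some lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)\s+"
    r"(?P<host>\S+)\s+(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?:(?P<tag>[A-Z][A-Z_]+):\s+)?(?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"User '(?P<user>[^']*)' login, class '(?P<cls>[^']*)' \[\d+\], "
    r"ssh-connection '(?P<ssh>[^']*)', client-mode '(?P<mode>[^']*)'"
)
CLI_RE = re.compile(r"User '(?P<user>[^']*)', command '(?P<cmd>.*)'$")
RPC_RE = re.compile(r"User '(?P<user>[^']*)' used JUNOScript client to run command '(?P<cmd>.*)'$")
WEB_FROM_RE = re.compile(r"\bfrom=(?P<ip>[0-9.]+)")

# Assumed classification (not from the page): CLI verbs / RPC names that alter the
# candidate or committed configuration, versus ones that only enter configuration mode.
CLI_CHANGE = {"set", "delete", "load", "rollback", "commit", "activate", "deactivate",
              "rename", "replace", "copy", "insert", "annotate"}
CLI_MODE = {"configure", "edit"}
RPC_CHANGE = {"load-configuration", "commit-configuration"}
RPC_MODE = {"open-configuration"}


@dataclass
class Action:
    ts: str
    cmd: str
    kind: str  # "read", "mode" or "change"


@dataclass
class Session:
    pid: str
    user: str = "?"
    user_class: str = ""
    client_mode: str = ""  # 'cli' for SSH/console sessions, 'junoscript' for J-Web
    source: str = ""       # peer address: ssh-connection for CLI, from= for J-Web
    actions: list = field(default_factory=list)


def classify(cmd: str, change: set, mode: set) -> str:
    """Classify a command by its first word (CLI verb or RPC name)."""
    verb = cmd.split(None, 1)[0] if cmd else ""
    return "change" if verb in change else "mode" if verb in mode else "read"


def parse_sessions(text: str) -> dict:
    """Group mgd events by PID; sshd/checklogin lines carry no mgd PID and are skipped."""
    sessions: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "mgd":
            continue
        sess = sessions.setdefault(m["pid"], Session(pid=m["pid"]))
        tag, msg = m["tag"], m["msg"]
        if tag == "UI_LOGIN_EVENT":
            lm = LOGIN_RE.search(msg)
            if lm:
                sess.user, sess.user_class, sess.client_mode = lm["user"], lm["cls"], lm["mode"]
                # ssh-connection is "client_ip client_port server_ip server_port"; empty for J-Web
                sess.source = lm["ssh"].split()[0] if lm["ssh"] else ""
        elif tag == "UI_CMDLINE_READ_LINE":
            cm = CLI_RE.search(msg)
            if cm:
                cmd = cm["cmd"].strip()
                sess.actions.append(Action(m["ts"], cmd, classify(cmd, CLI_CHANGE, CLI_MODE)))
        elif tag == "UI_JUNOSCRIPT_CMD":
            rm = RPC_RE.search(msg)
            if rm:
                cmd = rm["cmd"].strip()
                fm = WEB_FROM_RE.search(cmd)
                if cmd.startswith("request-web-management-login") and fm:
                    sess.source = fm["ip"]  # the only place the J-Web client address appears
                sess.actions.append(Action(m["ts"], cmd, classify(cmd, RPC_CHANGE, RPC_MODE)))
    return sessions


def change_report(sessions: dict) -> list:
    """One record per session that issued at least one configuration-changing command."""
    report = []
    for sess in sessions.values():
        changes = [a for a in sess.actions if a.kind == "change"]
        if changes:
            report.append({
                "pid": sess.pid, "user": sess.user, "client_mode": sess.client_mode,
                "source": sess.source or "unknown", "first_change": changes[0].ts,
                "changes": [a.cmd for a in changes],
            })
    return report


if __name__ == "__main__":
    for rec in change_report(parse_sessions(SAMPLE_LOG)):
        print(f"{rec['first_change']} {rec['user']}@{rec['source']} via {rec['client_mode']} "
              f"(mgd[{rec['pid']}]): {'; '.join(rec['changes'])}")
```

Run as-is it prints one line per session that changed configuration, with the J-Web session attributed to 10.253.12.40 even though its login event had no ssh-connection. The log only records the commands, not the resulting diff, so this report tells the monitoring team who changed configuration, when and from where; the content of the change still comes from the archival copies or from a `commit` with a `comment`.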


  • 5.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-31-2017 05:02

    jonashauge Thanks!

     

    That's how it is configured on our MX device:

     

    [edit system syslog]
    file User-Commands {
        interactive-commands any;
        archive size 5m files 100 no-world-readable;
    }

     

    [edit system accounting]
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                1.1.1.1 {
                    secret "$9$ZGj.5n6A0OR9AvLxNY2"; ## SECRET-DATA
                    single-connection;
                    source-address 2.2.2.2;