SRX

  • 1.  Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 02:17

    Hi guys,

    is it possible to configure the SRX to send every "change" done via CLI and J-Web to a syslog server, so you can check who edited what and when?

    On our EX switches we solved the "show who logged in" part by sending a trap:

    set event-options policy SSH-AUTH-ROOT events SYSTEM
    set event-options policy SSH-AUTH-ROOT attributes-match SYSTEM.message matches "Accepted password"
    set event-options policy SSH-AUTH-ROOT then raise-trap

    We need to do this due to an internal audit - management wants to archive who made changes and what changes they made - but we can't find any examples for CLI AND J-Web.

    Has anyone ever done anything like this and can give me a hint or a config example?




  • 2.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 04:43

    I'm not familiar with a configuration like this, but I would suggest that besides configuring the event-options policy trap, you can configure:

    set system archival configuration transfer-on-commit
    set system archival configuration archive-sites ftp://username@destination_ftp_ip_address/foldername password <password>

    So you can: 1) back up your configuration on every change; 2) from the date the file was created on your FTP server and the date the event trap was sent, you can know who made the changes.




  • 3.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 06:41

    Hi Abed,

    we already have system archival in place for every commit - however, that goes to the "archival" server, and the customer wants the Monitoring Team to be able to tell from the logs in the SIEM / monitoring system. Therefore they demand traps or streams or JFlows or whatever to be sent to the syslog server. We successfully configured that for the CLI - however, it's not working for J-Web: you can't tell what the user changed in J-Web without looking into the archival files.




  • 4.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-30-2017 12:04

    Hi Chris,

    this syslog configuration produces some example log output as shown below. This should solve most of your issues.

    Config:

    jh@fw> show configuration system syslog
    file interactive-commands {
        authorization info;
        interactive-commands info;
    }

    Log output from /var/log/interactive-commands. The "JUNOScript" entries are logged when browsing around in J-Web. This is, by the way, from an SRX running 15.1X49-D75.

    Jan 30 20:53:07.874  fw sshd[40807]: Accepted keyboard-interactive/pam for jh from 10.X.X.X port 64202 ssh2
    Jan 30 20:53:08.583  fw mgd[40812]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:53:08.583  fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '10.X.X.X 64202 10.X.X.X 22', client-mode 'cli'
    Jan 30 20:53:13.191  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog '
    Jan 30 20:53:20.754  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog file interactive-commands '
    Jan 30 20:53:25.839  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    Jan 30 20:53:43.129  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'configure '
    Jan 30 20:53:43.133  fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
    Jan 30 20:53:45.913  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'exit '
    Jan 30 20:53:45.921  fw mgd[40812]: UI_DBASE_LOGOUT_EVENT: User 'jh' exiting configuration mode
    Jan 30 20:54:32.820  fw mgd[40846]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
    Jan 30 20:54:32.820  fw mgd[40846]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40846], ssh-connection '', client-mode 'cli'
    Jan 30 20:54:32.835  fw mgd[40846]: UI_CMDLINE_READ_LINE: User 'root', command 'xml-mode '
    Jan 30 20:54:32.844  fw mgd[40846]: UI_LOGOUT_EVENT: User 'root' logout
    Jan 30 20:54:35.236  fw mgd[40845]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
    Jan 30 20:54:35.239  fw mgd[40845]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40845], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:54:35.249  fw mgd[40845]: UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-configuration database="candidate" inherit="defaults" format="xml"'
    Jan 30 20:54:35.972  fw mgd[40845]: UI_LOGOUT_EVENT: User 'root' logout
    Jan 30 20:54:39.073  fw checklogin[40852]: warning: can't get client address: Bad file descriptor
    Jan 30 20:54:40.275  fw checklogin[40852]: (pam_sm_authenticate): DEBUG: PAM_USER: jh
    Jan 30 20:54:40.277  fw checklogin[40852]: failed to open /var/db/login-attempts for reading and writing: No such file or directory
    Jan 30 20:54:40.280  fw checklogin[40852]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: jh      attempts: -1
    Jan 30 20:54:40.283  fw checklogin[40852]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: jh
    Jan 30 20:54:40.291  fw checklogin[40852]: WEB_AUTH_SUCCESS: Authenticated httpd client (username jh)
    Jan 30 20:54:40.319  fw mgd[40850]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:54:40.327  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:54:40.340  fw mgd[40850]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:54:40.340  fw mgd[40850]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40850], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:54:40.361  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-system-users-information no-resolve'
    Jan 30 20:54:40.364  fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/show-users'
    Jan 30 20:54:40.580  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/show-users', PID 40853, status 0
    Jan 30 20:54:40.850  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration database="committed" inherit="defaults"'
    Jan 30 20:54:40.875  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'request-web-management-login user=jh session-id=ef078c7f80b4bba0086c35480d77b5736c829d4f from=10.253.12.40'
    Jan 30 20:54:40.914  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-autoinstallation-status-information'
    Jan 30 20:54:40.929  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-ethernet-switching-global-information'
    Jan 30 20:54:40.976  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
    Jan 30 20:54:41.012  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse interface-name=fxp0'
    Jan 30 20:54:41.018  fw mgd[40850]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:54:41.209  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40865, status 0x100
    Jan 30 20:54:41.222  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-software-information'
    Jan 30 20:54:41.230  fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/package-info'
    Jan 30 20:54:41.352  fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/package-info', PID 40866, status 0
    Jan 30 20:54:42.596  fw mgd[40850]: UI_LOGOUT_EVENT: User 'jh' logout
    Jan 30 20:54:48.193  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    Jan 30 20:55:02.440  fw mgd[40799]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:55:03.833  fw mgd[40799]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40881, status 0
    Jan 30 20:55:15.446  fw mgd[40882]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:55:15.454  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:55:15.467  fw mgd[40882]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:55:15.467  fw mgd[40882]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40882], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:55:15.484  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
    Jan 30 20:55:15.911  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse'
    Jan 30 20:55:15.918  fw mgd[40882]: UI_CHILD_START: Starting child '/sbin/ifinfo'
    Jan 30 20:55:16.236  fw mgd[40882]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40886, status 0
    Jan 30 20:55:16.260  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
    Jan 30 20:55:16.277  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-inventory'
    Jan 30 20:55:16.324  fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-fpc-information detail'
    Jan 30 20:55:16.768  fw mgd[40882]: UI_LOGOUT_EVENT: User 'jh' logout
    Jan 30 20:55:17.095  fw mgd[40887]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
    Jan 30 20:55:17.103  fw mgd[40887]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
    Jan 30 20:55:17.117  fw mgd[40887]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
    Jan 30 20:55:17.117  fw mgd[40887]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40887], ssh-connection '', client-mode 'junoscript'
    Jan 30 20:55:17.133  fw mgd[40887]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
    Jan 30 20:55:17.367  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
    

    #audit
    #log
    #srx300
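An added example, not code from this thread or from Juniper: a small Python correlator over interactive-commands lines that answers the monitoring team's question from the syslog feed alone, namely which user, from which address, via CLI or J-Web, changed or committed what. It relies on what the log above shows: mgd forks one process per login, so the mgd PID scopes a session; UI_LOGIN_EVENT carries the user and client-mode ('cli' for SSH and console, 'junoscript' for J-Web and NETCONF); and J-Web reveals the browser's address only in the request-web-management-login RPC. The sample lines are constructed in the 15.1X49-D75 format shown above with documentation addresses; the CLI set/commit, the UI_COMMIT lines (assumed to arrive in the same feed), the load-configuration/commit-configuration RPCs, the read-only 'audit' user, and the list of RPC names and verbs counted as changes are all assumptions.

```python
"""Correlate Junos interactive-commands syslog lines into who/what/how audit events.

Added example. One mgd process per login, so the mgd PID ties every later
UI_CMDLINE_READ_LINE / UI_JUNOSCRIPT_CMD line to the user from UI_LOGIN_EVENT.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) +\S+ (?P<proc>\w+)\[(?P<pid>\d+)\]: "
                     r"(?:(?P<tag>[A-Z_]+): )?(?P<body>.*)$")
LOGIN_RE = re.compile(r"User '(?P<user>[^']+)' login, class '[^']+' \[\d+\], "
                      r"ssh-connection '(?P<ssh>[^']*)', client-mode '(?P<mode>[^']+)'")
CMD_RE = re.compile(r"User '(?P<user>[^']+)', command '(?P<cmd>.*?) ?'$")
RPC_RE = re.compile(r"used JUNOScript client to run command '(?P<rpc>.*)'$")
WEB_FROM_RE = re.compile(r"^request-web-management-login user=\S+ .*from=(?P<src>\S+)")
COMMIT_RE = re.compile(r"User '(?P<user>[^']+)' requested '(?P<op>[^']+)' operation")

# Assumption: these RPC names and configuration-mode verbs are what we count as a change.
CHANGE_RPCS = ("load-configuration", "commit-configuration", "delete-configuration")
CHANGE_CLI = ("set ", "delete ", "deactivate ", "activate ", "rename ", "insert ",
              "load ", "rollback", "commit")


@dataclass
class Session:
    user: str = "(unauthenticated)"
    channel: str = "unknown"    # "cli" or "jweb/netconf"
    src: str = ""               # client address, when the log reveals one
    in_config: bool = False     # between UI_DBASE_LOGIN_EVENT and UI_DBASE_LOGOUT_EVENT


def parse_events(lines):
    """Return (ts, user, channel, src, kind, detail) tuples for logins and changes."""
    sessions, events = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proc"] != "mgd":
            continue
        pid, tag, body = m["pid"], m["tag"], m["body"]
        s = sessions.setdefault(pid, Session())
        if tag == "UI_LOGIN_EVENT" and (lm := LOGIN_RE.search(body)):
            s.user = lm["user"]
            s.channel = "cli" if lm["mode"] == "cli" else "jweb/netconf"
            if lm["ssh"]:                     # 'client-ip client-port server-ip server-port'
                s.src = lm["ssh"].split()[0]
            events.append((m["ts"], s.user, s.channel, s.src, "login", lm["mode"]))
        elif tag == "UI_DBASE_LOGIN_EVENT":
            s.in_config = True
        elif tag == "UI_DBASE_LOGOUT_EVENT":
            s.in_config = False
        elif tag == "UI_CMDLINE_READ_LINE" and (cm := CMD_RE.search(body)):
            if s.in_config and cm["cmd"].startswith(CHANGE_CLI):
                events.append((m["ts"], s.user, s.channel, s.src, "config-change", cm["cmd"]))
        elif tag == "UI_JUNOSCRIPT_CMD" and (rm := RPC_RE.search(body)):
            if (wm := WEB_FROM_RE.match(rm["rpc"])):
                s.src = wm["src"]             # J-Web reveals the browser address only here
                events.append((m["ts"], s.user, s.channel, s.src, "web-login", rm["rpc"]))
            elif rm["rpc"].startswith(CHANGE_RPCS):
                events.append((m["ts"], s.user, s.channel, s.src, "config-change", rm["rpc"]))
        elif tag == "UI_COMMIT" and (km := COMMIT_RE.search(body)):
            events.append((m["ts"], km["user"], s.channel, s.src, "commit", km["op"]))
        elif tag == "UI_LOGOUT_EVENT":
            events.append((m["ts"], s.user, s.channel, s.src, "logout", ""))
            sessions.pop(pid, None)           # PID may be reused by a later login
    return events


def changes_by_user(events):
    """user -> [(channel, src, detail)] for configuration changes and commits only."""
    out = {}
    for _ts, user, channel, src, kind, detail in events:
        if kind in ("config-change", "commit"):
            out.setdefault(user, []).append((channel, src, detail))
    return out


# Constructed sample (documentation addresses; the set/commit, J-Web RPCs and 'audit' user are made up).
SAMPLE_LOG = """\
Jan 30 20:53:08.583  fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '192.0.2.50 64202 192.0.2.1 22', client-mode 'cli'
Jan 30 20:53:43.133  fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
Jan 30 20:53:50.001  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'set system host-name fw2 '
Jan 30 20:53:52.002  fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'commit '
Jan 30 20:53:52.500  fw mgd[40812]: UI_COMMIT: User 'jh' requested 'commit' operation (comment: none)
Jan 30 20:53:55.921  fw mgd[40812]: UI_DBASE_LOGOUT_EVENT: User 'jh' exiting configuration mode
Jan 30 20:54:40.340  fw mgd[40850]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40850], ssh-connection '', client-mode 'junoscript'
Jan 30 20:54:40.875  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'request-web-management-login user=jh session-id=ef07 from=10.253.12.40'
Jan 30 20:54:41.100  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'load-configuration action="merge" format="xml"'
Jan 30 20:54:41.300  fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'commit-configuration'
Jan 30 20:54:41.350  fw mgd[40850]: UI_COMMIT: User 'jh' requested 'commit' operation (comment: none)
Jan 30 20:54:42.596  fw mgd[40850]: UI_LOGOUT_EVENT: User 'jh' logout
Jan 30 20:55:00.000  fw mgd[40900]: UI_LOGIN_EVENT: User 'audit' login, class 'read-only' [40900], ssh-connection '', client-mode 'junoscript'
Jan 30 20:55:00.500  fw mgd[40900]: UI_JUNOSCRIPT_CMD: User 'audit' used JUNOScript client to run command 'get-configuration database="committed"'
"""

if __name__ == "__main__":
    for user, changes in changes_by_user(parse_events(SAMPLE_LOG.splitlines())).items():
        for channel, src, detail in changes:
            print(f"{user:8} {channel:13} {src or '-':14} {detail}")
```

Pipe the remote syslog copy of the interactive-commands feed into parse_events line by line; the read-only 'audit' session in the sample produces a login but no change, which is the distinction the SIEM rule needs. The caveat from the thread still stands: the RPC names tell you that J-Web loaded and committed configuration, not the content of the change, so the archival copy (or a commit diff) is still needed to see what changed.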


  • 5.  RE: Send Logins and config-Changes to Syslog (CLI and J-Web)

    Posted 01-31-2017 05:02

    jonashauge Thanks!

    That's how it is configured on our MX device:

    [edit system syslog]
    file User-Commands {
        interactive-commands any;
        archive size 5m files 100 no-world-readable;
    }


    [edit system accounting]
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                1.1.1.1 {
                    secret "$9$ZGj.5n6A0OR9AvLxNY2"; ## SECRET-DATA
                    single-connection;
                    source-address 2.2.2.2;