Hi Chris,
Doing this syslog configuration provides some example log output as shown below. This should solve most of your issues.
Config:
jh@fw> show configuration system syslog
file interactive-commands {
    authorization info;
    interactive-commands info;
}
Log output from /var/log/interactive-commands. The "JUNOScript" entries are logged when browsing around in J-web. This is btw from an SRX running 15.1X49-D75.
Jan 30 20:53:07.874 fw sshd[40807]: Accepted keyboard-interactive/pam for jh from 10.X.X.X port 64202 ssh2
Jan 30 20:53:08.583 fw mgd[40812]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
Jan 30 20:53:08.583 fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '10.X.X.X 64202 10.X.X.X 22', client-mode 'cli'
Jan 30 20:53:13.191 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog '
Jan 30 20:53:20.754 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog file interactive-commands '
Jan 30 20:53:25.839 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
Jan 30 20:53:43.129 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'configure '
Jan 30 20:53:43.133 fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
Jan 30 20:53:45.913 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'exit '
Jan 30 20:53:45.921 fw mgd[40812]: UI_DBASE_LOGOUT_EVENT: User 'jh' exiting configuration mode
Jan 30 20:54:32.820 fw mgd[40846]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
Jan 30 20:54:32.820 fw mgd[40846]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40846], ssh-connection '', client-mode 'cli'
Jan 30 20:54:32.835 fw mgd[40846]: UI_CMDLINE_READ_LINE: User 'root', command 'xml-mode '
Jan 30 20:54:32.844 fw mgd[40846]: UI_LOGOUT_EVENT: User 'root' logout
Jan 30 20:54:35.236 fw mgd[40845]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
Jan 30 20:54:35.239 fw mgd[40845]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40845], ssh-connection '', client-mode 'junoscript'
Jan 30 20:54:35.249 fw mgd[40845]: UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-configuration database="candidate" inherit="defaults" format="xml"'
Jan 30 20:54:35.972 fw mgd[40845]: UI_LOGOUT_EVENT: User 'root' logout
Jan 30 20:54:39.073 fw checklogin[40852]: warning: can't get client address: Bad file descriptor
Jan 30 20:54:40.275 fw checklogin[40852]: (pam_sm_authenticate): DEBUG: PAM_USER: jh
Jan 30 20:54:40.277 fw checklogin[40852]: failed to open /var/db/login-attempts for reading and writing: No such file or directory
Jan 30 20:54:40.280 fw checklogin[40852]: (pam_sm_authenticate): DEBUG: Updating lock-attempts of user: jh attempts: -1
Jan 30 20:54:40.283 fw checklogin[40852]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: jh
Jan 30 20:54:40.291 fw checklogin[40852]: WEB_AUTH_SUCCESS: Authenticated httpd client (username jh)
Jan 30 20:54:40.319 fw mgd[40850]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
Jan 30 20:54:40.327 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
Jan 30 20:54:40.340 fw mgd[40850]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
Jan 30 20:54:40.340 fw mgd[40850]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40850], ssh-connection '', client-mode 'junoscript'
Jan 30 20:54:40.361 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-system-users-information no-resolve'
Jan 30 20:54:40.364 fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/show-users'
Jan 30 20:54:40.580 fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/show-users', PID 40853, status 0
Jan 30 20:54:40.850 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration database="committed" inherit="defaults"'
Jan 30 20:54:40.875 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'request-web-management-login user=jh session-id=ef078c7f80b4bba0086c35480d77b5736c829d4f from=10.253.12.40'
Jan 30 20:54:40.914 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-autoinstallation-status-information'
Jan 30 20:54:40.929 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-ethernet-switching-global-information'
Jan 30 20:54:40.976 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
Jan 30 20:54:41.012 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse interface-name=fxp0'
Jan 30 20:54:41.018 fw mgd[40850]: UI_CHILD_START: Starting child '/sbin/ifinfo'
Jan 30 20:54:41.209 fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40865, status 0x100
Jan 30 20:54:41.222 fw mgd[40850]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-software-information'
Jan 30 20:54:41.230 fw mgd[40850]: UI_CHILD_START: Starting child '/usr/libexec/ui/package-info'
Jan 30 20:54:41.352 fw mgd[40850]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/package-info', PID 40866, status 0
Jan 30 20:54:42.596 fw mgd[40850]: UI_LOGOUT_EVENT: User 'jh' logout
Jan 30 20:54:48.193 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
Jan 30 20:55:02.440 fw mgd[40799]: UI_CHILD_START: Starting child '/sbin/ifinfo'
Jan 30 20:55:03.833 fw mgd[40799]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40881, status 0
Jan 30 20:55:15.446 fw mgd[40882]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
Jan 30 20:55:15.454 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
Jan 30 20:55:15.467 fw mgd[40882]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
Jan 30 20:55:15.467 fw mgd[40882]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40882], ssh-connection '', client-mode 'junoscript'
Jan 30 20:55:15.484 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
Jan 30 20:55:15.911 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-interface-information level-extra=terse'
Jan 30 20:55:15.918 fw mgd[40882]: UI_CHILD_START: Starting child '/sbin/ifinfo'
Jan 30 20:55:16.236 fw mgd[40882]: UI_CHILD_STATUS: Cleanup child '/sbin/ifinfo', PID 40886, status 0
Jan 30 20:55:16.260 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-cluster-status'
Jan 30 20:55:16.277 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-chassis-inventory'
Jan 30 20:55:16.324 fw mgd[40882]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-fpc-information detail'
Jan 30 20:55:16.768 fw mgd[40882]: UI_LOGOUT_EVENT: User 'jh' logout
Jan 30 20:55:17.095 fw mgd[40887]: UI_CMDLINE_READ_LINE: User '(unauthenticated user)', command 'xml-pass-thru-mode '
Jan 30 20:55:17.103 fw mgd[40887]: UI_JUNOSCRIPT_CMD: User '(authentication in progress)' used JUNOScript client to run command 'request-authentication user=jh'
Jan 30 20:55:17.117 fw mgd[40887]: UI_AUTH_EVENT: Authenticated user 'jh' at permission level 'j-super-user'
Jan 30 20:55:17.117 fw mgd[40887]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40887], ssh-connection '', client-mode 'junoscript'
Jan 30 20:55:17.133 fw mgd[40887]: UI_JUNOSCRIPT_CMD: User 'jh' used JUNOScript client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
Jan 30 20:55:17.367 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show log interactive-commands '
#audit#log#srx300
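An added example, not part of the original post: one way to turn the interactive-commands file shown above into a per-session audit trail. It assumes, as the sample output suggests, that each management session runs under its own mgd PID; the function name `sessions` and the dictionary keys are made up for illustration, and the sample lines are a subset copied from the log above.

```python
import re

# Subset of the log lines from the post above, embedded so the example runs offline.
SAMPLE = """\
Jan 30 20:53:08.583 fw mgd[40812]: UI_LOGIN_EVENT: User 'jh' login, class 'j-super-user' [40812], ssh-connection '10.X.X.X 64202 10.X.X.X 22', client-mode 'cli'
Jan 30 20:53:13.191 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'show configuration system syslog '
Jan 30 20:53:43.129 fw mgd[40812]: UI_CMDLINE_READ_LINE: User 'jh', command 'configure '
Jan 30 20:53:43.133 fw mgd[40812]: UI_DBASE_LOGIN_EVENT: User 'jh' entering configuration mode
Jan 30 20:54:35.239 fw mgd[40845]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [40845], ssh-connection '', client-mode 'junoscript'
Jan 30 20:54:35.249 fw mgd[40845]: UI_JUNOSCRIPT_CMD: User 'root' used JUNOScript client to run command 'get-configuration database="candidate" inherit="defaults" format="xml"'
Jan 30 20:54:35.972 fw mgd[40845]: UI_LOGOUT_EVENT: User 'root' logout
Jan 30 20:54:39.073 fw checklogin[40852]: warning: can't get client address: Bad file descriptor
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) (\S+) mgd\[(\d+)\]: (UI_\w+): (.*)$")
LOGIN = re.compile(r"User '([^']*)' login, class '([^']*)'.*client-mode '([^']*)'")
CMD = re.compile(r"command '(.*)'$")

def sessions(text):
    """Group mgd UI_* events by PID (assumption: one mgd PID per session)."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # sshd, checklogin and similar lines carry no command record
            continue
        ts, _host, pid, tag, msg = m.groups()
        s = out.setdefault(pid, {"user": None, "class": None, "mode": None,
                                 "commands": [], "config_mode": False, "closed": False})
        if tag == "UI_LOGIN_EVENT" and (lm := LOGIN.search(msg)):
            s["user"], s["class"], s["mode"] = lm.groups()
        elif tag in ("UI_CMDLINE_READ_LINE", "UI_JUNOSCRIPT_CMD") and (cm := CMD.search(msg)):
            s["commands"].append((ts, cm.group(1).strip()))
        elif tag == "UI_DBASE_LOGIN_EVENT":
            s["config_mode"] = True   # user entered configuration mode
        elif tag == "UI_LOGOUT_EVENT":
            s["closed"] = True
    return out

if __name__ == "__main__":
    for pid, s in sessions(SAMPLE).items():
        print(pid, s["user"], s["class"], s["mode"], "config-mode" if s["config_mode"] else "")
        for ts, c in s["commands"]:
            print("   ", ts, c)
```

Grouping by PID keeps the J-Web (client-mode 'junoscript') sessions separate from the CLI session, so interactive commands are not buried in the RPC calls the web interface issues on its own.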