Mailing List Archive

System Management on Juniper routers.
Hi
I am trying to set a few system management features, and am getting stuck.

When multiple routers are configured to log messages to a single syslog
server, will the syslog server maintain separate log files for each router?
Because the Junos docs say "When sending messages to a remote host, you can
override the facility. for example, you can configure all messages from a
single router to go to a single log file on the remote host. You can also
configure different routers to send messages to different log files on the
same remote host to, for example, segregate messages
representing different regions of the country". I am really unable to get
the meaning of the command "facility-override".

Also while trying to define user access with sets of privileges, I am
getting stuck when trying to restrict the list of commands that are
available to a user. In this example I define a login class as follows -

login {
    class monitor {
        permissions [ configure view maintenance ];
    }
}

Now here I would want the user to have an additional command at the
"configuration level" available to him. The command to be available is
"load". So I have defined it as follows in the login class definition -

login {
    class monitor {
        permissions [ configure view maintenance ];
        allow-configuration "(load)";
    }
}

But this does not seem to work. The user with class "monitor" does get a lot
of additional commands such as "commit/rollback" etc., which I would not want
to be available to him.

Do tell me where I am going wrong.

TIA
Neil



System Management on Juniper routers. [ In reply to ]
Hey Neil,


> When multiple routers are configured to log messages to a single
> syslog server, will the syslog server maintain separate log files for
> each router.

No, it's up to how you configure the server's syslog file. But default
syslog messages from a Juniper router will most likely end up matching
something in your server's syslog file that's already capturing syslog
messages from other hosts, and probably from processes on the server
itself.

> Because the Junos docs say "When sending messages to a remote host,
> you can override the facility. for example, you can configure all
> messages from a single router to go to a single log file on the remote
> host.

What they mean is that if you specifically wanted your router syslog
messages to be in their own file, as opposed to being mixed together in
the same file with syslogs from processes on the server, and from other
hosts on the network that use that logging server, you could do that.

> You can also configure different routers to send messages to different
> log files on the same remote host to, for example, segregate messages
> representing different regions of the country". I am really unable to
> get the meaning of the command "facility-override".

From "man syslog.conf":

    The facility describes the part of the system generating the message,
    and is one of the following keywords: auth, authpriv, cron, daemon,
    kern, lpr, mail, mark, news, syslog, user, uucp and local0 through
    local7.

This is how you get syslogd to differentiate between different kinds of
messages. Usually you don't get to specify the facility that a process
uses, it's hard-coded into the software. But "local0 - local7" are
deliberately not used by processes in a given Unix distribution, just
so you can use them to identify certain things that are important to
you. I believe normally messages could come out with any number of
different facilities determined by where they came from. But if you
want to be able to group them together on the log server, you can
override that to one of the "localx" facilities.

> login {
> class monitor {
> permissions [ configure view maintenance ];
> allow-configuration "(load)";
> }
>
> But this does not seem to work, The user with class "monitor" does get
> a lot of additional commands such as "commit/rollback" etc, which I
> would not want to be available to him.

The "configure" permissions set includes numerous commands. However,
many of them are useless if you haven't given the user permission to
edit specific components of the config (the -control permissions). Your
user can probably only do "rollback 0," which is simply undoing an
uncommitted change. I'm not sure what help load is w/out commit, btw.

If you want to block some of the commands a permission set allows after
you've given that general permission, you need to specify so, with
"deny-configuration <pattern>" or "deny-command <pattern>". It's common
to see a short allow pattern, and then a deny ".*".

Be careful to anchor your expressions; "allow (load)" would allow a
command that had the string "load" anywhere in it.

Also note that if you don't give permission for any of the -control's,
then anything you load will be rejected anyway.

-Avram

> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
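The mechanism Avram describes can be seen from the log server's side: every syslog line carries a PRI value (facility * 8 + severity), and a server that selects on facility can drop messages tagged local0 or local1 into per-router files while everything else stays in the shared file. This is an added example, not code from the thread or from Juniper; the routing table, file names and sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# Facility numbers from RFC 3164 / syslog.conf(5); 12-15 are named differently
# across implementations, so only the portable names are listed.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(pri):
    """Split a PRI value (facility * 8 + severity) into its two names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]

def parse(line):
    """Parse one RFC 3164 line into facility, severity and the rest of the message."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}

# Selector table in the spirit of syslog.conf(5). Assumption: router-a is
# configured with "facility-override local0", router-b with "local1"; anything
# arriving with an ordinary facility stays in the shared file.
ROUTES = {"local0": "router-a.log", "local1": "router-b.log"}
SHARED_FILE = "messages"

def route(lines, routes=ROUTES):
    """Return {file name: [message bodies]} as the server would split them."""
    files = defaultdict(list)
    for line in lines:
        msg = parse(line)
        files[routes.get(msg["facility"], SHARED_FILE)].append(msg["body"])
    return dict(files)

# Constructed sample traffic: 134 = local0.info, 132 = local0.warning,
# 142 = local1.info, 30 = daemon.info (a process on the log server itself).
SAMPLE = [
    "<134>Mar 10 12:00:01 router-a mgd[4321]: UI_COMMIT: User 'neil' performed commit",
    "<132>Mar 10 12:00:02 router-a chassisd[77]: CHASSISD_FAN_FAILURE: fan 2 failed",
    "<142>Mar 10 12:00:03 router-b rpd[1234]: RPD_OSPF_NBRDOWN: neighbor 10.0.0.2 down",
    "<30>Mar 10 12:00:04 logserver sshd[999]: Accepted publickey for ops",
]
```

Without the override, the router messages would arrive with their native facilities (daemon, auth, ...) and fall through to the shared file alongside the server's own processes, which is the mixing Avram describes.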
System Management on Juniper routers. [ In reply to ]
Hi Avram,

Thanx for the info. If I could just go over a few points in regard, which I
am a little uncertain about -

Avram - No, it's up to how you configure the server's syslog file. But
default syslog messages from a Juniper router will most likely end
up matching something in your server's syslog file that's already
capturing syslog messages from other hosts, and probably from
processes on the server itself.

Neil - You are right.

Avram -What they mean is that if you specifically wanted your router syslog
messages to be in their own file, as opposed to being mixed together in the
same file with syslogs from processes on the server, and from other hosts on
the network that use that logging server, you could do that.

Neil - Yeah. Now, if I want the router to initiate it, is it possible that
the router can tell the syslog server to store its own logged messages in a
file separate from other hosts and routers that log to the same server?
Pardon me if I am asking a very basic question.

Avram - The facility describes the part of the system generating the
message, and is one of the following keywords: auth, authpriv, cron,
daemon, kern,lpr, mail, mark, news, syslog, user, uucp and local0 through
local7. This is how you get syslogd to differentiate between different kinds
of messages. Usually you don't get to specify the facility that a process
uses, it's hard-coded into the software. But "local0 - local7" are
deliberately not used by processes in a given Unix distribution, just so you
can use them to identify certain things
that are important to you. I believe normally messages could come
out with any number of different facilities determined by where they
came from. But if you want to be able to group them together on the
log server, you can override that to one of the "localx" facilities.

Neil - My doubt is this: if I have, say, 30 routers logging to the same
syslog server, is it possible for each router to tell the syslog server that
individual files need to be maintained for each of them? I have seen a
mention that the routers could send messages with a "string" appended to
each message. Now, will this help in any way? Do share your experiences.

Avram - The "configure" permissions set includes numerous commands. However,
many of them are useless if you haven't given the user permission to edit
specific components of the config (the -control permissions). Your user can
probably only do "rollback 0," which is simply undoing an uncommitted change.
I'm not sure what help load is w/out commit,

Neil - You are right. But just from a testing perspective, I find that when
I define a class with "view/configure" permission, and I set a
deny-configuration to deny the command "load", I still find that the user
is able to load a config.

Restrictions in other hierarchies work fine as given below -

login {
    class monitor {
        permissions [ configure routing view maintenance ];
        deny-configuration "(protocols ospf area 0.0.0.0)|(protocols mpls)";
    }
}

But as I said, I am unable to restrict the load, commit, rollback commands. Now
do I have to define the restriction for "load/commit" commands? I am unclear
as to which hierarchy the "load/commit" commands come under.

TIA,
Neil

System Management on Juniper routers. [ In reply to ]
Neil Fernando writes:
>But as I said, I am unable to restrict the load, commit, rollback commands. Now
>do I have to define the restriction for "load/commit" commands? I am unclear
>as to which hierarchy the "load/commit" commands come under.

The allow- and deny-configuration statements accept regular expressions
of statements, not the commands that manipulate them. If you want to allow
someone to touch your configuration, what they touch is more important than
how they touch it.

Thanks,
Phil
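Phil's point (the patterns match configuration statements, not commands) and Avram's earlier warning about anchoring can be checked with a small model. This is an added example, not from the thread or from Juniper: the statement paths are constructed, and the matching rule (a regex searched anywhere in the path, with no allow/deny precedence) is an assumption that covers only the regex behaviour, not Junos's full permission logic.

```python
import re

# Constructed statement paths, written the way a user would reach them under
# "edit"; hypothetical sample data, not taken from a real router.
STATEMENTS = [
    "protocols ospf area 0.0.0.0 interface ge-0/0/0.0",
    "protocols ospf area 0.0.0.1 interface ge-0/0/1.0",
    "protocols mpls interface ge-0/0/0.0",
    "protocols bgp group ospf-peers neighbor 10.0.0.1",
    "system login user neil class monitor",
    "interfaces lo0 unit 0 family inet address 10.0.0.1/32",
]

def denied(statement, deny_pattern):
    """Assumed model of deny-configuration: the pattern is a regular expression
    searched anywhere in the statement path, so an unanchored pattern also
    matches substrings of unrelated statements."""
    return re.search(deny_pattern, statement) is not None

def editable(deny_pattern, statements=STATEMENTS):
    """Statements a class carrying this deny-configuration could still change."""
    return [s for s in statements if not denied(s, deny_pattern)]

def main():
    # "(load)" names a command, so it matches no statement path: nothing is denied.
    print("load pattern denies nothing:", editable("(load)") == STATEMENTS)
    # Unanchored "(ospf)" also denies a BGP group that merely contains "ospf".
    print("denied by (ospf):", [s for s in STATEMENTS if denied(s, "(ospf)")])
    # Anchoring to the start of the path confines the deny to the OSPF hierarchy.
    print("denied by ^protocols ospf :",
          [s for s in STATEMENTS if denied(s, "^protocols ospf ")])
    # Neil's own pattern: unescaped dots are wildcards, but here they still
    # only hit area 0.0.0.0 and the mpls hierarchy.
    print("editable under Neil's pattern:",
          editable("(protocols ospf area 0.0.0.0)|(protocols mpls)"))

if __name__ == "__main__":
    main()
```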