[j-nsp] System Management on Juniper routers.

Avram Dorfman avram@juniper.net
Sat, 7 Dec 2002 11:40:01 -0500

Hey Neil,

> When multiple routers are configured to log messages to a single 
> syslog server,will the syslog server maintain seperate log files for 
> each router.

No, it's up to how you configure the server's syslog file. But default 
syslog messages from a Juniper router will most likely end up matching 
something in your server's syslog file that's already capturing syslog 
messages from other hosts, and probably from processes on the server 

> Because the Junos docs say "When sending messages to a remote host, 
> you can override the facility. for example, you can configure all 
> messages from a single router to go to a single log file on the remote 
> host.

What they mean is that if you specifically wanted your router syslog 
messages to be in their own file, as opposed to being mixed together in 
the same file with syslogs from processes on the server, and from other 
hosts on the network that use that logging server, you could do that.

> You can also configure different routers to send messages to different 
> log files on the same remote host to, for example, segregate messages
> representing different regions of the country". I am really unable to 
> get the meaning of the command "facility-override".

 From "man syslog.conf":

      The facility describes the part of the system generating the 
message, and
      is one of the following keywords: auth, authpriv, cron, daemon, 
      lpr, mail, mark, news, syslog, user, uucp and local0 through 

This is how you get syslogd to differentiate between different kinds of 
messages. Usually you don't get to specify the facility that a process 
uses, it's hard-coded into the software. But "local0 - local7" are 
deliberately not used by processes in a given Unix distribution, just 
so you can use them to identify certain things that are important to 
you. I believe normally messages could come out with any number of 
different facilities determined by where they came from. But if you 
want to be able to group them together on the log server, you can 
override that to one of the "localx" facilities.

> login {
>    class monitor {
>        permissions [ configure view maintenance ];
>        allow-configuration "(load)";
>    }
> But this does not seem to work, The user with class "monitor" does get 
> a lot of additional commands such as "commit/rollback" etc, which I 
> would not want to be available to him.

The "configure" permissions set includes numerous commands. However, 
many of them are useless if you haven't given the user permission to 
edit specific components of the config (the -control permissions). Your 
user can probably only do "rollback 0," which is simply undoing an 
uncommited change. I'm not sure what help load is w/out commit, btw.

If you want to block some of the commands a permission set allows after 
you've given that general permission, you need to specify so, with 
"deny-configuration <pattern>" or "deny-command <pattern>". It's common 
to see a short allow pattern, and then a deny ".*"

Be careful to anchor your expressions; "allow (load)" would allow a 
command that had the string "load" anywhere in it.

Also note that if you don't give permission for any of the -control's, 
then anything you load will be rejected anyway.


> Do tell me where I am going wrong.
> Neil
> _________________________________________________________________
> Tired of spam? Get advanced junk mail protection with MSN 8. 
> http://join.msn.com/?page=features/junkmail
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp