[j-nsp] System Management on Juniper routers.

Neil Fernando neilfernandok@hotmail.com
Sun, 08 Dec 2002 14:49:30 +0000


Hi Avram,

Thanks for the info. If I could just go over a few points in this regard which I 
am a little uncertain about -

Avram - No, it's up to how you configure the server's syslog file. But the
default syslog messages from a Juniper router will most likely end
up matching something in your server's syslog file that's already
capturing syslog messages from other hosts, and probably from
processes on the server itself.

Neil - You are right.

Avram - What they mean is that if you specifically wanted your router syslog 
messages to be in their own file, as opposed to being mixed together in the 
same file with syslogs from processes on the server, and from other hosts on 
the network that use that logging server, you could do that.

Neil - Yeah. Now, if I want the router to initiate it, is it possible for 
the router to tell the syslog server to store its own logged messages in a 
file separate from those of the other hosts and routers that log to the same server? 
Pardon me if I am asking a very basic question.

Avram - The facility describes the part of the system generating the
message, and is one of the following keywords: auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, syslog, user, uucp and local0 through 
local7. This is how you get syslogd to differentiate between different kinds 
of messages. Usually you don't get to specify the facility that a process 
uses; it's hard-coded into the software. But "local0 - local7" are 
deliberately not used by processes in a given Unix distribution, just so you 
can use them to identify certain things
that are important to you. I believe normally messages could come
out with any number of different facilities determined by where they
came from. But if you want to be able to group them together on the
log server, you can override that to one of the "localx" facilities.

Neil - My doubt is this: if I have, say, 30 routers logging to the same 
syslog server, is it possible for each router to tell the syslog server that 
individual files need to be maintained for each of them? I have seen a 
mention that the routers could send messages with a "string" appended to 
each message. Now, will this help in any way? Do share your experiences.

Avram - The "configure" permissions set includes numerous commands. However, 
many of them are useless if you haven't given the user permission to edit 
specific components of the config (the -control permissions). Your user can 
probably only do "rollback 0," which is simply undoing an uncommitted change. 
I'm not sure what help load is without commit.

Neil - You are right. But just from a testing perspective, I find that when 
I define a class with "view/configure" permission, and I set a 
deny-configuration to deny the command "load", I still find that the user 
is able to load a config.

Restrictions in other hierarchies work fine, as given below -

login {
    class monitor {
        permissions [ configure routing view maintenance ];
        deny-configuration "(protocols ospf area 0.0.0.0)|(protocols mpls)";
    }
}

But as I said, I am unable to restrict the load, commit and rollback commands. Now, 
do I have to define the restriction for the "load/commit" commands separately? I am unclear 
as to which hierarchy the "load/commit" commands come under.

TIA,
Neil
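The per-router split discussed above, worked through as an added example that is not part of the original post or of Juniper's documentation. The router side is the Junos `facility-override` and `log-prefix` statements under `[edit system syslog host <server>]` (quoted in the docstring from memory; the server address, the prefix string "RTR" and where that prefix lands inside the message are assumptions). The server side is modelled in Python: decode the `<PRI>` field of each incoming line into facility and severity, then run a syslog.conf-style selector table with an rsyslog-style `%HOSTNAME%` template so that every router writing on local7 gets its own file, while a router that has not overridden its facility falls into the server's shared daemon log. Host names, file paths and all log lines are constructed for the example.

```python
"""Per-router syslog files on the log server: added example, not from the post.

Router side (Junos, as I recall the statements; server address made up):

    [edit system syslog]
    host 192.0.2.10 {
        any info;
        facility-override local7;   # every message leaves the box as local7
        log-prefix "RTR";           # extra string carried in each message
    }

Server side, modelled below: syslogd decodes PRI = facility*8 + severity,
then a selector table chooses the destination file.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Facility numbers 0..23 (RFC 3164 / RFC 5424); names for 12-15 vary by platform.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity 0 (most urgent) .. 7 (least urgent).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI field
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # RFC 3164 timestamp
    r"(?P<host>\S+) "                                 # sending host
    r"(?P<text>.*)$"                                  # tag + message body
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    text: str


def parse_syslog(line: str) -> SyslogMessage:
    """Split an RFC 3164 line into its fields, decoding PRI into names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(FACILITIES[pri >> 3], SEVERITIES[pri & 7],
                         m.group("ts"), m.group("host"), m.group("text"))


# Selector table, first match wins (like rsyslog rules ending in "& stop").
# Tuple: (facility or "*", lowest severity accepted, destination template).
RULES = [
    ("local7", "info", "/var/log/routers/%HOSTNAME%.log"),   # routers using the override
    ("authpriv", "debug", "/var/log/secure"),
    ("*", "info", "/var/log/messages"),                      # everything else, info and up
]


def route(msg: SyslogMessage) -> Optional[str]:
    """Return the file a message lands in, or None when no selector accepts it."""
    for facility, floor, template in RULES:
        if facility not in ("*", msg.facility):
            continue
        # syslog.conf semantics: "facility.level" takes that level and anything more severe
        if SEVERITIES.index(msg.severity) > SEVERITIES.index(floor):
            continue
        return template.replace("%HOSTNAME%", msg.host)
    return None


def dispatch(lines: List[str]) -> Dict[str, List[str]]:
    """Group incoming lines by destination file, as the server would write them."""
    files: Dict[str, List[str]] = {}
    for line in lines:
        msg = parse_syslog(line)
        target = route(msg)
        if target is not None:
            files.setdefault(target, []).append(f"{msg.timestamp} {msg.host} {msg.text}")
    return files


# Constructed input: r1 and r2 use facility-override local7 (the "RTR:" prefix position
# is an assumption), r3 does not and so sends plain daemon.info, plus the server's own
# processes. <190> = 23*8+6 = local7.info, <30> = 3*8+6 = daemon.info, <86> = authpriv.info.
SAMPLE_LINES = [
    "<190>Dec  8 14:49:30 r1.example.net mgd[2143]: RTR: UI_COMMIT: User 'neil' performed commit",
    "<189>Dec  8 14:49:31 r2.example.net rpd[1501]: RTR: RPD_OSPF_NBRDOWN: neighbor 10.0.0.2 down",
    "<30>Dec  8 14:49:32 r3.example.net mgd[1880]: UI_LOGIN_EVENT: User 'ops' login",
    "<86>Dec  8 14:49:33 logsrv sshd[911]: Accepted publickey for neil from 192.0.2.50",
    "<30>Dec  8 14:49:34 logsrv ntpd[77]: synchronized to 192.0.2.1",
    "<31>Dec  8 14:49:35 logsrv named[200]: debug: zone transfer check",  # daemon.debug: dropped
]

if __name__ == "__main__":
    for path, entries in sorted(dispatch(SAMPLE_LINES).items()):
        print(path)
        for entry in entries:
            print("   ", entry)
```

Running it shows r1 and r2 each in their own file under /var/log/routers/, while r3's message, which kept the daemon facility, is interleaved with the server's own ntpd line in /var/log/messages. The router cannot reach into the server's syslog.conf; what it can do is tag its traffic (a local facility and, optionally, a prefix string) so that a single server-side selector can separate 30 routers by source host without a rule per router.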
