[j-nsp] Show me all the system syslog things!

Emille Blanc emille at abccommunications.com
Thu Mar 21 16:41:04 EDT 2019


Our 'messages' content is pretty minimal. We try to keep as little data in one lump on the device(s) to make auditing easier.
If we need to login to the device to check something, we want to find an answer quick. If we have time or it's looking like a far more complex problem, then we can scrape the syslog store.

We aren't watching ldp/lldp/isis/bfd by means of forwarding via syslog, but the following catches the things 'we' care about, while cutting down on 99.9% of the noise we don't care about.
Things it doesn't catch, we fudge with event-options; I'm sure you could probably do the same to give you better control rather than leaning on the built-in priorities.
Since we use TACACS+, all our command accounting goes there. In light of this, only config items that have been changed are logged, but that creates a nice audit trail by itself (who did what, where, when...).  Maybe you would want that to go to a dedicated file if you're not running any centralized AAA...
I would strongly encourage the use of 'allow-duplicates' in the syslog root to avoid "last message repeated 'n' times" from obscuring bigger problems.

We also log things like interface events directly to the device for ease of troubleshooting. I only show the one example to give some idea how it may suit your needs.

syslog {
    host foobar {
        any emergency;
        authorization warning;
        daemon warning;
        kernel critical;
        change-log any;
        explicit-priority;
    }
    file messages {
        any critical;
        authorization info;
    }
    allow-duplicates;
    file interfaces {
        any any;
        match SNMP_TRAP_LINK;
    }
}

event-options {
    policy PROTOCOL-STATE-OVERRIDE {
        events [ rpd_ospf_nbrdown rpd_ospf_nbrup rpd_bgp_neighbor_state_changed ];
        then {
            priority-override {
                severity warning;
            }
        }
    }
}

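To see how the facility/severity clauses, the 'match' regex and the priority-override interact, here is a small added simulation of that configuration (example code, not part of Emille's post or anything Junos ships). It transcribes the destinations above into a table, feeds constructed sample messages through the same selection rules, and reports where each one lands; the assumption that the event-options override is applied before syslog selection is the effect the post relies on.

```python
import re

# Junos syslog severities, lowest to highest; "any" selects everything.
SEVERITIES = ["debug", "info", "notice", "warning", "error", "critical", "alert", "emergency"]

def rank(severity):
    """Numeric rank of a severity; 'any' ranks below everything so it always passes."""
    return -1 if severity == "any" else SEVERITIES.index(severity)

# Destinations transcribed from the config above: facility -> minimum severity.
# A facility of "any" applies to every facility.
DESTINATIONS = {
    "host foobar":     {"any": "emergency", "authorization": "warning", "daemon": "warning",
                        "kernel": "critical", "change-log": "any"},
    "file messages":   {"any": "critical", "authorization": "info"},
    "file interfaces": {"any": "any"},
}
# 'match' clauses: the formatted line must also match this regex to be written.
MATCH = {"file interfaces": re.compile(r"SNMP_TRAP_LINK")}

# PROTOCOL-STATE-OVERRIDE policy: these events are re-tagged as warning.
# Assumption: the override takes effect before syslog selection.
PRIORITY_OVERRIDE = {"RPD_OSPF_NBRDOWN": "warning", "RPD_OSPF_NBRUP": "warning",
                     "RPD_BGP_NEIGHBOR_STATE_CHANGED": "warning"}

def effective_severity(tag, severity):
    return PRIORITY_OVERRIDE.get(tag, severity)

def selected(filters, facility, severity):
    """True if at least one facility clause admits this message."""
    return any(fac in ("any", facility) and rank(severity) >= rank(minimum)
               for fac, minimum in filters.items())

def route(facility, severity, tag, text):
    """Return the destinations that receive one message, in config order."""
    sev = effective_severity(tag, severity)
    line = f"{tag}: {text}"
    return [dest for dest, filters in DESTINATIONS.items()
            if selected(filters, facility, sev)
            and (dest not in MATCH or MATCH[dest].search(line))]

# Constructed sample messages: (facility, severity, tag, text).
SAMPLES = [
    ("interactive-commands", "info", "UI_CMDLINE_READ_LINE", "User 'ops', command 'show bgp summary'"),
    ("authorization", "info", "UI_LOGIN_EVENT", "User 'ops' login"),
    ("change-log", "info", "UI_CFG_AUDIT_SET", "User 'ops' set: [system host-name r1]"),
    ("daemon", "notice", "RPD_OSPF_NBRDOWN", "OSPF neighbor 10.0.0.2 (ge-0/0/0.0) state changed"),
    ("daemon", "notice", "SNMP_TRAP_LINK_DOWN", "ifIndex 512, ifName ge-0/0/0"),
]

if __name__ == "__main__":
    for facility, severity, tag, text in SAMPLES:
        print(f"{tag:22} -> {route(facility, severity, tag, text) or ['(dropped)']}")
```

The CLI command line is dropped everywhere (the noise the original question complained about), the login lands only in 'messages', the config change only reaches the remote host, the OSPF neighbour event reaches the host only because of the override, and the link trap reaches only the 'interfaces' file via the match clause.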

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jason Lixfeld
Sent: Thursday, March 21, 2019 12:10 PM
To: juniper-nsp
Subject: [j-nsp] Show me all the system syslog things!

Hi,

I’m looking for some ideas about configuring syslog.

Starting from the bare-minimum syslog config, and log-updown in BGP:

jlixfeld at lab# show system syslog
user * {
    any emergency;
}
host 10.219.51.130 {
    any info;
}
file messages {
    any info;
}
time-format year millisecond;

The messages file produces a great set of useful logs for day-to-day operations and monitoring:  up/down for LDP, LLDP, ISIS, BFD, interface, BGP and also executed CLI commands (mgd UI_CMDLINE_READ_LINE).  It’s great.

However, an enormous amount of logs from mgd (UI_*), chassisd, and a bunch of other processes are also caught in this messages file, and while it’s definitely useful to capture, it doesn’t need to be in the same file as the day-to-day stuff.  I’m sure others have constructed some useful syslog configs for separating these day-to-day messages into one file, and other stuff into other file(s).  I’m interested in seeing other people’s work for some inspiration on how I can construct a useful set of files myself.

Anyone care to share?

Thanks in advance!
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp