How to Dig into Junos Syslog Messages
The most important aspect of logging is understanding what and when something is logged. Events across the entire system, covering both hardware and software conditions, are included in the Junos OS software syslog repertoire:
Every time the device is accessed, queried, or modified
Every time a process starts, fails, or restarts
Every physical threshold that is reached (temperature within the chassis, CPU utilization, fan speed, and so on)
Various system conditions that affect or reflect the operation of the device
These events are divided into different categories, called syslog facilities. Each of these facilities is assigned a facility code, which ties a particular message to the syslog facility.
|Junos Syslog Facility||Facility Code||Event Source|
|Authorization||AUTH, AUTHPRIV||Authentication and authorization attempts|
|change-log||CHANGE||Configuration changes on the router|
|conflict-log||CONFLICT||Configuration changes that are in conflict with the router’s hardware|
|CONSOLE||Kernel messages to the console|
|Daemon||DAEMON||Individual JUNOS software processes|
|Firewall||FIREWALL||Packet filtering performed by firewall filters|
|interactive-commands||INTERACT||Commands executed from the CLI or through the XML API|
|NTP||Network Time Protocol process|
|Pfe||PFE||Packet forwarding engine|
Each of these syslog facilities contains many different syslog events. To help differentiate among these events, in addition to the facility, each event is assigned a severity level.
|Severity Name||Severity Number||Severity Description|
|any||None||All severity levels|
|none||None||No severity levels|
|debug||7||Information to be used for debugging|
|info||6||Informational events about normal operations|
|notice||5||Conditions that aren’t errors but are of more interest than normal operations|
|warning||4||General warnings for significant events|
|critical||2||Critical errors, including hardware failures|
|alert||1||Errors that require immediate intervention|
|emergency||0||Conditions that stop router function|
All syslog messages contain both the facility and the severity. When searching through the hundreds, or even thousands, of log messages, you can match on these two values so that you can quickly identify the information you need when monitoring your network.
Here’s what a syslog event looks like:
Nov 2 19:02:49 router mgd: UI_LOAD_EVENT: User 'michael' is performing a 'rollback 2'
In addition, this syslog event contains these key pieces of information:
Timestamp: The system time at which the event occurred.
Router name: The configured name of the router.
Process information: The name of the process that generated the syslog event, including the process ID to uniquely identify the particular instance of the process. In this example, it was the MGD instance with process ID 8039.
Syslog message: The syslog message, including the event name and relevant information to the event. In this example, the user michael has issued a rollback 2 command on the router.
You can send syslog messages to a number of places. You can view them in real time by sending them to a console, store them in files on the device so you can look through them later, and even store all the syslog messages from all your devices on a single syslog server so you can go to a single place to monitor your network.
The timestamp associated with each syslog message doesn't indicate the time zone in which the device resides. If you have multiple devices across more than one time zone, remembering and translating the different times complicates your analysis.
To simplify this kind of log perusal, configure the system time on each device using coordinated Universal Time Clock (UTC). If all the devices are configured within the same time zone, all the timestamps will show the same time, making your life much simpler when it comes to wading through log files.