How to Dig into Junos Syslog Messages

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

The most important aspect of logging is understanding what and when something is logged. Events across the entire system, covering both hardware and software conditions, are included in the Junos OS software syslog repertoire:

  • Every time the device is accessed, queried, or modified

  • Every time a process starts, fails, or restarts

  • Every physical threshold that is reached (temperature within the chassis, CPU utilization, fan speed, and so on)

  • Various system conditions that affect or reflect the operation of the device

These events are divided into different categories, called syslog facilities. Each of these facilities is assigned a facility code, which ties a particular message to the syslog facility.

Junos Syslog Facility Facility Code Event Source
Any None Any facility
Authorization AUTH, AUTHPRIV Authentication and authorization attempts
change-log CHANGE Configuration changes on the router
conflict-log CONFLICT Configuration changes that are in conflict with the
router’s hardware
CONSOLE Kernel messages to the console
CRON Scheduled processes
Daemon DAEMON Individual JUNOS software processes
Firewall FIREWALL Packet filtering performed by firewall filters
ftp FTP FTP activities
interactive-commands INTERACT Commands executed from the CLI or through the XML API
Kernel KERNEL JUNOS kernel
NTP Network Time Protocol process
Pfe PFE Packet forwarding engine
SYSLOG System logging
User USER User processes

Each of these syslog facilities contains many different syslog events. To help differentiate among these events, in addition to the facility, each event is assigned a severity level.

Severity Name Severity Number Severity Description
any None All severity levels
none None No severity levels
debug 7 Information to be used for debugging
info 6 Informational events about normal operations
notice 5 Conditions that aren’t errors but are of more interest
than normal operations
warning 4 General warnings for significant events
error 3 General errors
critical 2 Critical errors, including hardware failures
alert 1 Errors that require immediate intervention
emergency 0 Conditions that stop router function

All syslog messages contain both the facility and the severity. When searching through the hundreds, or even thousands, of log messages, you can match on these two values so that you can quickly identify the information you need when monitoring your network.

Here’s what a syslog event looks like:

Nov 2 19:02:49 router mgd[8039]: UI_LOAD_EVENT: User 'michael' is performing
    a 'rollback 2'

In addition, this syslog event contains these key pieces of information:

  • Timestamp: The system time at which the event occurred.

  • Router name: The configured name of the router.

  • Process information: The name of the process that generated the syslog event, including the process ID to uniquely identify the particular instance of the process. In this example, it was the MGD instance with process ID 8039.

  • Syslog message: The syslog message, including the event name and relevant information to the event. In this example, the user michael has issued a rollback 2 command on the router.

You can send syslog messages to a number of places. You can view them in real time by sending them to a console, store them in files on the device so you can look through them later, and even store all the syslog messages from all your devices on a single syslog server so you can go to a single place to monitor your network.

The timestamp associated with each syslog message doesn’t indicate the time zone in which the device resides. If you have multiple devices across more than one time zone, remembering and translating the different times complicates your analysis.

To simplify this kind of log perusal, configure the system time on each device using coordinated Universal Time Clock (UTC). If all the devices are configured within the same time zone, all the timestamps will show the same time, making your life much simpler when it comes to wading through log files.