juniper syslog日志记录

 

详细日志的关键字可以通过https://apps.juniper.net/syslog-explorer/查询

查询日志可通过命令show log XXX显示 ，其中XXX为文件名

set security log mode stream
set security log report

为了记录日志发生时间的准确性，建议首先设置好ntp服务器
set system ntp server cn.pool.ntp.org

记录接口up down状态
set system syslog file interfaces-logs any any
set system syslog file interfaces-logs match ifOperStatus

VPN日志记录
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD

用户命令执行记录
set system syslog file interactive-commands interactive-commands any

用户认证记录（所有）
set system syslog file auth.log authorization info

用户认证成功记录
set system syslog file auth_success.log authorization info
set system syslog file auth_success.log match "Accepted| LOGIN_INFORMATION"

用户修改记录
set system syslog file change.log change-log info

记录dynamic vpn用户认证记录
Set system syslog file dyn_success.log any any
Set system syslog file dyn_success.log match "DYNAMIC_VPN| FWAUTH| KMD_VPN_UP_ALARM_USER"

记录ping对端IP不可达
set system syslog file ping_to_GZ any any
set system syslog file ping_to_GZ match "PING_TEST_FAILED| PING_PROBE_FAILED"

set services rpm probe prob test ping_test_to_GZ target address 192.168.12.12
set services rpm probe prob test ping_test_to_GZ probe-count 5
set services rpm probe prob test ping_test_to_GZ probe-interval 1
set services rpm probe prob test ping_test_to_GZ test-interval 2
set services rpm probe prob test ping_test_to_GZ thresholds successive-loss 2
set services rpm probe prob test ping_test_to_GZ thresholds total-loss 4

记录会话日志
set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION"
策略中要加上session-init或session-close \ couunt

 

set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data

将syslog发送到远程日志服务器
Set system syslog host 192.168.0.123 any any

记录IDP日志
set system syslog file IDP_Log any any
set system syslog file IDP_Log match "RT_IDP"