Tag Archives: SYSLOG

Graylog Syslog Input Failed to start on port 514

Probably you are having the same issue as me, so let me clarify. Graylog can only bind ports below 1024 when it runs as root; since that is not the case, how can we fix this? The trick is to redirect traffic arriving on port 514 (UDP and TCP) to port 1514, where the Graylog inputs listen.

Assuming that you are using two Inputs (one TCP and one UDP):

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to-ports 1514
$ sudo iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514

$ netstat -nutlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 10.4.252.246:9000 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -
udp6 0 0 :::1514 :::* -

$ sudo iptables-save
# Generated by iptables-save v1.6.1 on Tue Jul 23 13:04:56 2019
*nat
:PREROUTING ACCEPT [33:2312]
:INPUT ACCEPT [84:11215]
:OUTPUT ACCEPT [33:2344]
:POSTROUTING ACCEPT [33:2344]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
# Completed on Tue Jul 23 13:04:56 2019
# Generated by iptables-save v1.6.1 on Tue Jul 23 13:04:56 2019
*filter
:INPUT ACCEPT [111065:37834236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [106771:36862434]
COMMIT
# Completed on Tue Jul 23 13:04:56 2019

Below you can confirm that the filter table policies are all ACCEPT (INPUT, FORWARD and, in this case, the OUTPUT chain), so nothing in the filter table blocks the redirected traffic; the REDIRECT rules themselves live in the nat table shown above.

$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 124K packets, 42M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 119K packets, 41M bytes)
pkts bytes target prot opt in out source destination
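The listing above only shows the filter table; the REDIRECT rules live in the nat table, and Graylog must actually have an input bound on 1514 for each protocol. As an added example (not from the post), this Python snippet checks both halves of the path from saved `iptables-save` and `netstat -nutlp` text; the sample text is constructed from the outputs above, and the function names are my own.

```python
import re

# Constructed samples, trimmed from the iptables-save and netstat output in the post.
IPTABLES_SAVE = """*nat
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
*filter
COMMIT
"""
NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 10.4.252.246:9000 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp6 0 0 :::1514 :::* -
"""

# One PREROUTING REDIRECT rule, as iptables-save prints it.
RULE = re.compile(r"^-A PREROUTING -p (tcp|udp) .*--dport (\d+) -j REDIRECT --to-ports (\d+)$")

def redirected_protos(save_text, from_port=514, to_port=1514):
    """Protocols that have a nat-table PREROUTING REDIRECT from_port -> to_port."""
    found, table = set(), None
    for line in save_text.splitlines():
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
        elif table == "nat":
            m = RULE.match(line.strip())
            if m and (int(m.group(2)), int(m.group(3))) == (from_port, to_port):
                found.add(m.group(1))
    return found

def listening_protos(netstat_text, port=1514):
    """Protocols (tcp/udp, v4 and v6 collapsed) with a socket bound to port."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue                      # header or blank line
        if cols[3].rsplit(":", 1)[-1] == str(port):
            found.add(cols[0].rstrip("6"))  # tcp6 -> tcp, udp6 -> udp
    return found

def check_syslog_path(save_text, netstat_text, from_port=514, to_port=1514):
    """Split protocols into working paths and half-configured ones."""
    redirected = redirected_protos(save_text, from_port, to_port)
    listening = listening_protos(netstat_text, to_port)
    return {"ok": sorted(redirected & listening),
            "redirect_without_listener": sorted(redirected - listening),
            "listener_without_redirect": sorted(listening - redirected)}
```

On the sample above the result flags tcp as redirected but not listened on, which is exactly the kind of half-configured input that makes a source "silently" drop logs.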

JNCIA-Junos study notes, part 3

Interface Overview

fxp0 and me0 for management

fxp1 and em0 for the internal link (interconnection between the Control Plane and the Forwarding Plane)

Interface Naming

es: Encryption interface;
gr: Generic route encapsulation tunnel interface;
ip: IP-over-IP encapsulation tunnel interface;
ls: Link services interface;
ml: Multilink interface;
mo: Passive monitoring interface;
mt: Multicast tunnel interface;
sp: Adaptive services interface;
vt: Virtual loopback tunnel interface;
lo0: Loopback interface;
ae: Aggregated Ethernet interface;
as: Aggregated SONET interface;
vlan: VLAN interface.

Some of the internal interfaces created (not configurable) by JunOS:
• gre
• mtun
• ipip
• tap

FPC – Flexible PIC Concentrator
Line card (FPC) slot number
Interface card (PIC) slot number
Note: slot and port numbering starts at 0
ge-0/2/3 = port 3 on PIC slot 2 in FPC slot 0

Logical Units

Regarded as subinterfaces; a unit can carry more than one family, for example inet and inet6
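As an added example (not from the notes), a small Python parser for the naming scheme above: it splits a name such as ge-0/2/3.100 into type, FPC, PIC, port and unit, and handles the slotless names (lo0, ae, as, vlan and the fxp/me/em management and internal interfaces). The prefix tables follow the lists above, with ge added for the ge-0/2/3 example; the function names are my own.

```python
import re

# Prefixes from the interface naming list; ge is added for the notes' ge-0/2/3 example.
PHYSICAL = {"ge": "Gigabit Ethernet", "es": "Encryption", "gr": "GRE tunnel",
            "ip": "IP-over-IP tunnel", "ls": "Link services", "ml": "Multilink",
            "mo": "Passive monitoring", "mt": "Multicast tunnel",
            "sp": "Adaptive services", "vt": "Virtual loopback tunnel"}
# Names with no FPC/PIC/port triple (lo0, ae, as, vlan, plus the Interface Overview ones).
LOGICAL = {"lo": "Loopback", "ae": "Aggregated Ethernet", "as": "Aggregated SONET",
           "vlan": "VLAN", "fxp": "Management/internal", "me": "Management",
           "em": "Internal"}

PHYS_RE = re.compile(r"^([a-z]+)-(\d+)/(\d+)/(\d+)(?:\.(\d+))?$")   # type-fpc/pic/port[.unit]
LOG_RE = re.compile(r"^([a-z]+)(\d+)?(?:\.(\d+))?$")                # type[number][.unit]

def parse_ifname(name):
    """Split a Junos interface name into its parts; a missing unit means unit 0."""
    m = PHYS_RE.match(name)
    if m and m.group(1) in PHYSICAL:
        typ, fpc, pic, port, unit = m.groups()
        return {"type": typ, "kind": PHYSICAL[typ], "fpc": int(fpc),
                "pic": int(pic), "port": int(port), "unit": int(unit or 0)}
    m = LOG_RE.match(name)
    if m and m.group(1) in LOGICAL:
        typ, num, unit = m.groups()
        return {"type": typ, "kind": LOGICAL[typ],
                "number": int(num) if num is not None else None, "unit": int(unit or 0)}
    raise ValueError(f"not a Junos interface name: {name!r}")

def describe(name):
    """Human-readable reading, in the form the notes give for ge-0/2/3."""
    p = parse_ifname(name)
    if "fpc" in p:
        return (f"{p['kind']} port {p['port']} on PIC slot {p['pic']} "
                f"in FPC slot {p['fpc']}, unit {p['unit']}")
    label = p["kind"] if p["number"] is None else f"{p['kind']} {p['number']}"
    return f"{label} interface, unit {p['unit']}"
```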

Configuring Authentication

Supports RADIUS and TACACS+

Define a class with privileges

There are 4 default classes: operator, read-only, super-user and unauthorized
A user can be assigned to only one class

set system login class juniper permissions reset permissions view permissions view-configuration
set system login user walter class juniper

Note: the reset permission allows restarting processes, but not, for example, rebooting

user@R1> show configuration
## Last commit: 2014-05-25 17:11:18 WEST by root
version /* ACCESS-DENIED */;
/* do not change NTP */
system { /* ACCESS-DENIED */ };
/* do not change interfaces */
interfaces { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };

RADIUS server definition

user@R1# set system radius-server 10.10.10.10 secret Juniper
[edit]
user@R1# set system authentication-order radius tacplus
[edit]
user@R1# commit

At least one of the methods in authentication-order must respond (be alive); otherwise local authentication is used

R1 (ttyp0)

login: nancy
Password:
Local password:

Logging

By default the primary log file is /var/log/messages

Syslog can be configured with the following commands:

edit system syslog
edit routing-options options syslog

set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file config-changes change-log info
set system syslog host 10.1.1.1 any notice
set system syslog host 10.1.1.1 authorization info

Interpreting syslog messages

Timestamp, host, process or PID, message code, message text

May 26 14:27:17  R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress:  notifying eventd(80)
commit complete

To include the severity, the explicit-priority statement must be configured:
set system syslog file messages explicit-priority

May 26 14:38:13  R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration

The CLI itself can help with interpreting a log message:

user@R1# help syslog UI_COMMIT_PROGRESS
Name:          UI_COMMIT_PROGRESS
Message:       Commit operation in progress:
Help:          mgd recorded step in commit operation
Description:   As it performed a commit operation, the management process (mgd)
recorded its execution of the indicated step.
Type:          Event: This message reports an event, not an error
Severity:      info

Traceoptions

*Equivalent to debug on Cisco*

JunOS can send tracing output to a file or to syslog

To override the destination with a different syslog server use:

set system tracing destination-override syslog host 10.1.1.2

OSPF Hello tracing example

The size can be given with a K, M or G suffix (KB, MB and GB)
When the trace exceeds the size, the file is rotated into the indicated number of files, starting at trace-file.0, trace-file.1 …

set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions file size 128m
set protocols ospf traceoptions file files 10
set protocols ospf traceoptions file world-readable
set protocols ospf traceoptions flag hello detail
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail

user@R1# run file show /var/log/ospf-trace
May 26 14:52:47 trace_on: Tracing to "/var/log/ospf-trace" started
May 26 14:52:47.821578 Interface em5.101 area 0.0.0.0 event NeighborChange
May 26 14:52:47.835103 IFL em5.32767 iflchange 0x0
May 26 14:52:47.836167 IFL em5.110 iflchange 0x0
May 26 14:52:47.836334 IFL em5.102 iflchange 0x0
May 26 14:52:47.836498 IFL em5.101 iflchange 0x0
May 26 14:52:47.836643 IFL em5.0 iflchange 0x0
May 26 14:52:47.836793 IFL lo0.16385 iflchange 0x0
May 26 14:52:47.836891 IFL lo0.16384 iflchange 0x0
May 26 14:52:47.837115 IFL lo0.0 iflchange 0x0
*
*(omitted)
*
May 26 14:52:47.867410 OSPF updated PPM interface IFL 84, addr 172.20.110.1, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0
May 26 14:52:47.867614 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.867816 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.868182 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.873156 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)

AND and OR operators

AND operator
user@R1# run show log messages | find "May 26" | match "error"

OR operator
user@R1# run show log messages | match "May 26" | match "error|kernel"

Monitoring log messages
user@R1> monitor start messages | match fail

Stop receiving messages
user@R1> monitor stop
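As an added example (not from the notes), a Python parser for the message format described under "Interpreting syslog messages", with and without the explicit-priority prefix, plus a severity filter that does what the match operators above can only approximate. The sample lines are constructed from the messages shown in these notes (the fetch line uses a placeholder archive host), and the function names are my own.

```python
import re

# Constructed sample lines, modelled on the formats shown in these notes: a plain line
# (no explicit-priority), an explicit-priority line with a message code, and an
# explicit-priority line without one (the fetch line from the archiving section).
SAMPLE = [
    "May 26 14:27:17  R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress:  notifying eventd(80)",
    "May 26 14:38:13  R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration",
    "May 26 16:11:40  R1 fetch: %DAEMON-3: fetch: ftp://user@archive-host:*: No route to host",
]

SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# timestamp  host  process[pid]: rest
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +(?P<host>\S+) +"
                  r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: +(?P<rest>.*)$")
# explicit-priority prefix: %FACILITY-SEVERITY[-CODE]: text
PRIO = re.compile(r"^%(?P<fac>[A-Z0-9]+)-(?P<sev>[0-7])(?:-(?P<code>[A-Z][A-Z0-9_]*))?: +(?P<text>.*)$")
# plain message-code prefix: CODE: text
CODE = re.compile(r"^(?P<code>[A-Z][A-Z0-9_]*): +(?P<text>.*)$")

def parse_junos_syslog(line):
    """Return the fields of one messages-file line, or None if it is not one."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "process": m["proc"],
           "pid": int(m["pid"]) if m["pid"] else None,
           "facility": None, "severity": None, "code": None}
    rest = m["rest"]
    p = PRIO.match(rest)
    if p:   # only present when explicit-priority is configured on the file
        rec.update(facility=p["fac"], severity=SEVERITY[int(p["sev"])], code=p["code"])
        rest = p["text"]
    else:
        c = CODE.match(rest)
        if c:
            rec["code"], rest = c["code"], c["text"]
    rec["text"] = rest
    return rec

def at_least(records, level):
    """Records whose explicit severity is `level` or worse. Lines logged without
    explicit-priority carry no severity and are never selected, which is why the
    notes enable explicit-priority on the messages file before filtering on it."""
    cutoff = SEVERITY.index(level)
    return [r for r in records
            if r["severity"] is not None and SEVERITY.index(r["severity"]) <= cutoff]
```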

NTP

set system ntp server 10.10.10.10
set system ntp boot-server 10.10.10.10

user@R1# run show ntp associations
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.10.10         .INIT.          16 -  395 1024    0    0.000    0.000 4000.00

The * marks the host selected for synchronization

Archiving

Back up the configuration via FTP/SCP after each commit; configuring several destinations means that if the primary site fails the second site is used, and so on

set system archival configuration transfer-on-commit
set system archival configuration archive-sites "ftp://user@<archive-host>:/archive" password #FAZER!SEMPRE_BACKUP#
set system archival configuration archive-sites "scp://user@<archive-host>:/archive" password #FAZER!SEMPRE_BACKUP#

user@R1# commit
user@R1# run show log messages | match ftp
May 26 16:11:40  R1 fetch: %DAEMON-3: fetch: ftp://user@<archive-host>:*: No route to host

Copies of the files are stored in /var/transfer/config

user@R1# run file list /var/transfer/config/ detail

/var/transfer/config/:
total 28
-rw-r-----  1 root  wheel       1101 May 26 16:10 R1_juniper.conf.gz_20140526_151053
-rw-r-----  1 root  wheel       1101 May 26 16:11 R1_juniper.conf.gz_20140526_151127
-rw-r-----  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151206
-rw-r-----  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151254
-rw-r-----  1 root  wheel       1187 May 26 16:23 R1_juniper.conf.gz_20140526_152319

For regular backups of the configuration use:

Note: every 24 hours (1440 minutes)

set system archival configuration transfer-interval 1440

SNMP

set snmp location LISDC-Rack122
set snmp contact "ip@cocheno.com"
set snmp community JUNIPER
set snmp trap-options source-address lo0
set snmp trap-group group-SNMP categories link
set snmp trap-group group-SNMP categories routing
set snmp trap-group group-SNMP targets 10.10.10.10
set snmp trap-group group-SNMP targets 10.10.10.11
set snmp trap-group group-SNMP version v2
set snmp community JUNIPER clients 192.168.20.0/24

Perform an SNMP walk (decimal and ASCII output are both supported)

user@R1> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1

References:

JNCIA-Junos study notes, part 1

JNCIA-Junos study notes, part 2