Before you begin reading, please refer to the following links:
Syslog is the industry-standard method for recording system information locally or on a designated remote server. Logging is essential to device security: it records the device's activity, large and small, and helps you identify misconfigurations, understand intrusions, resolve service outages and respond to probes and scans.
Without the ability to generate log records, it becomes very difficult to establish, correlate, investigate or identify the information surrounding an event.
Junos platforms have a reasonable amount of flash storage for local syslog files, and forwarding to a remote syslog server preserves a copy of the local logs for added security. The general rule of thumb is: remote logs for forensics, local logs for troubleshooting.
You can also create local log files that hold different message types. This is useful when, for example, you want certain users (such as auditors) to be able to see specific message types (such as the commands users have executed) without letting ordinary users read those logs.
The Juniper SRX Services Gateway must be able to generate log records for the auditable events defined by the DoD (US Department of Defense). The DoD has defined the list of events for which the device must provide audit-record generation. These events are:
(1) Successful and unsuccessful attempts to access, modify or delete events, etc.
(2) Access operations, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, the start and end times of user access to the system, concurrent logons from different workstations, successful and unsuccessful access to objects, all program starts, and all direct access to the information system.
(3) All account creation, modification, disabling and termination actions.
A best practice when configuring an external syslog server is to add a log-prefix to the messages sent to it, to help identify and investigate them. Because more than one device usually sends messages to the remote server, the prefix avoids confusion about which device a message came from.
Another best practice is to add match conditions and store the logged events in separate files. This makes problem hunting easier and access control simpler.
Automated mechanisms can be used to send automatic alerts or notifications, which can be delivered in various ways (for example by telephone, e-mail, text message or a website).
Check whether syslog is already configured on the SRX device:
show system syslog
In the following configuration we set up both local and remote syslog, and separate specific message types into different log files.
※ When a component failure is detected, the Juniper SRX Services Gateway must generate an alert or send an alert message to the management console; users logged in to the device should receive the alert message:
set system syslog user * any emergency
set system syslog user * daemon critical
set system syslog user * daemon alert
※ Any informational (info) message should be recorded in the local messages file. For local log files, log storage capacity must be allocated so that the file cannot grow to a size that causes operational problems (here 30 MB per file, three archived copies):
set system syslog file messages any info
set system syslog file messages authorization info
set system syslog file messages archive size 30m files 3
The following shows the options that can be configured under syslog:
root@srx100# set system syslog ?
Possible completions:
  allow-duplicates     Do not suppress the repeated message for all targets
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
> console              Console logging
> file                 File in which to log data
> host                 Host to be notified
  log-rotate-frequency  Rotate log frequency (1..59 minutes)
  source-address       Use specified address as source address
> time-format          Additional information to include in system log timestamp
> user                 Notify a user of the event
[edit]
※ Create a separate file called User-Auth that holds all authorization messages plus any commands issued by logged-in users:
set system syslog file User-Auth authorization any
set system syslog file User-Auth interactive-commands any
set system syslog file User-Auth archive size 20m files 2
※ Now create another local file called account-actions that holds all account creation, modification, disabling and termination actions. The change-log facility records configuration changes, and the match regular expression keeps only those touching system login user:
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog file account-actions archive size 10m files 2
※ Now create another local file called processes that holds the log messages generated by system daemons:
set system syslog file processes daemon any
set system syslog file processes archive size 10m files 2
※ When connected to the console port, it helps to see system messages so that you know the device's current state. Send syslog output to the SRX console port at severity warning and above (warning is chosen so that the console is not flooded with noise):
set system syslog console any warning
※ In high-security environments it is recommended to send all messages to a remote syslog server for auditing and forensic purposes, and to configure two syslog servers for resilience. Configuring external syslog servers for the SRX reduces the risk to security operations: whether the device itself fails, or an attacker compromises it and wipes the logs stored on it, the messages can still be found on the external servers.
set system syslog host 192.168.3.2 any any
set system syslog host 192.168.4.2 any any
※ By default the hostname is not included in syslog messages sent to remote servers. Because more than one device usually sends messages to the remote server, it is recommended to configure the log-prefix option so that every syslog message carries a unique identifier (such as the hostname) and the sources cannot be confused:
set system syslog host 192.168.3.2 log-prefix SRX210
set system syslog host 192.168.4.2 log-prefix SRX210
※ (Optional) For consistency and resilience, syslog traffic should be sourced from a loopback address. If set system default-address-selection is not configured, use this command:
set system syslog source-address 192.168.5.1
※ In some cases the standard timestamp is not as precise as you need for forensic investigation or troubleshooting. Configure the millisecond and year options to make the timestamp as precise as possible:
set system syslog time-format millisecond year
※ View the syslog configuration:
show system syslog
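The file definitions above rely on three Junos selection rules: a facility-specific rule overrides the any rule for that facility, the severity named in a rule admits that severity and everything more severe, and a match regular expression is applied only to messages that already passed the facility/severity test. The script below is an added example (written for this page, not Juniper code) that simulates those rules over a handful of constructed Junos-style messages, once with the messages file as configured above (any info plus authorization info) and once with the authorization/interactive-commands/daemon none overrides used later in the section on loss of syslog-server communication, so the duplication between messages and User-Auth becomes visible. Facility and severity of each sample event are assumed.

```python
import re

# Junos syslog severities, most severe first (severity S selects S and above).
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notice", "info", "debug"]


class SyslogFile:
    """One `set system syslog file <name>` destination (the console behaves the same)."""

    def __init__(self, name, match=None):
        self.name = name
        self.rules = {}                       # facility -> severity | "any" | "none"
        self.match = re.compile(match) if match else None
        self.lines = []

    def facility(self, fac, sev):
        """`set system syslog file <name> <fac> <sev>`; returns self for chaining."""
        self.rules[fac] = sev
        return self

    def accepts(self, fac, sev):
        # A rule for the specific facility overrides the `any` rule, `none`
        # switches the facility off, and a named severity admits that
        # severity and everything more severe.
        threshold = self.rules.get(fac, self.rules.get("any"))
        if threshold is None or threshold == "none":
            return False
        if threshold == "any":
            return True
        return SEVERITY.index(sev) <= SEVERITY.index(threshold)

    def deliver(self, fac, sev, text):
        if not self.accepts(fac, sev):
            return False
        if self.match is not None and not self.match.search(text):
            return False                      # `match` filters after facility/severity
        self.lines.append(text)
        return True


def page_destinations(exclusive):
    """Destinations as configured on the page. exclusive=True applies the
    authorization/interactive-commands/daemon `none` overrides so that audit
    lines are not duplicated in the messages file."""
    messages = SyslogFile("messages").facility("any", "info")
    if exclusive:
        for fac in ("authorization", "interactive-commands", "daemon"):
            messages.facility(fac, "none")
    else:
        messages.facility("authorization", "info")
    return [
        messages,
        SyslogFile("User-Auth").facility("authorization", "any")
                               .facility("interactive-commands", "any"),
        SyslogFile("account-actions", match="system login user")
                               .facility("change-log", "any"),
        SyslogFile("processes").facility("daemon", "any"),
        SyslogFile("console").facility("any", "warning"),
    ]


# Constructed sample events (facility, severity, text) in Junos message style.
EVENTS = [
    ("authorization", "info",
     "sshd[5100]: Accepted password for admin from 192.168.1.2 port 50100 ssh2"),
    ("interactive-commands", "info",
     "mgd[3606]: UI_CMDLINE_READ_LINE: User 'admin', command 'show system syslog '"),
    ("change-log", "notice",
     "mgd[3606]: UI_CFG_AUDIT_SET: User 'admin' set: [system login user auditor class read-only]"),
    ("change-log", "notice",
     "mgd[3606]: UI_CFG_AUDIT_SET: User 'admin' set: [system syslog host 192.168.3.2 any any]"),
    ("daemon", "critical",
     "chassisd[1200]: fan tray 0 failed, chassis temperature rising"),
    ("kernel", "debug",
     "kernel: debug trace line"),
]


def route(events, destinations):
    """Feed every event to every destination; return {name: delivered lines}."""
    for fac, sev, text in events:
        for dest in destinations:
            dest.deliver(fac, sev, text)
    return {dest.name: list(dest.lines) for dest in destinations}


if __name__ == "__main__":
    for exclusive in (False, True):
        print("with none overrides:" if exclusive else "messages any info + authorization info:")
        for name, lines in route(EVENTS, page_destinations(exclusive)).items():
            print(f"  {name:16} {len(lines)} line(s)")
```

With the first configuration the SSH logon lands in both messages and User-Auth; with the none overrides messages keeps only the two configuration-change lines, account-actions keeps only the one that mentions system login user, and the console sees nothing but the critical daemon event.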
※ Configuring syslog for SRX Kaspersky AV protection
Before starting, we need to know which messages Kaspersky AV generates. The message examples are listed below (tag, logging source, description):
AV_HUGE_FILE_DROPPED_MT      LOG_PFE       Skip antivirus scanning and drop the received traffic due to huge file
AV_HUGE_FILE_NOT_SCANNED_MT  LOG_PFE       Skip antivirus scanning and pass the received traffic due to huge file
AV_MANY_MSGS_DROPPED_MT      LOG_PFE       Drop the received file due to excessive traffic
AV_MANY_MSGS_NOT_SCANNED_MT  LOG_PFE       Skip antivirus scanning due to excessive traffic
AV_PATTERN_GET_FAILED        LOG_FIREWALL  The device was unable to retrieve an antivirus pattern file from the server
AV_PATTERN_KEY_EXPIRED       LOG_FIREWALL  Unable to download the antivirus pattern file, because the antivirus license key has expired
AV_PATTERN_KL_CHECK_FAILED   LOG_FIREWALL  The device is unable to use Kaspersky's pattern file
AV_PATTERN_TOO_BIG           LOG_FIREWALL  The pattern file size specified in the server initialization file exceeds the limit
AV_PATTERN_UPDATED           LOG_FIREWALL  The internal antivirus scanner successfully updated the antivirus pattern file
AV_PATTERN_WRITE_FS_FAILED   LOG_FIREWALL  The device is unable to save contents of an antivirus pattern file
AV_SCANNER_DROP_FILE_MT      LOG_PFE       Drop the received traffic due to an internal error of antivirus scanner
AV_SCANNER_ERROR_SKIPPED_MT  LOG_PFE       Skip antivirus scanning due to an internal error
AV_SCANNER_READY             LOG_FIREWALL  The antivirus scan engine is ready
AV_VIRUS_DETECTED_MT         LOG_PFE       The antivirus scanner detected a virus
All syslog messages produced by Kaspersky AV begin with the string "AV_", and the messages generated when a virus is detected contain the string "AV_VIRUS_DETECTED_MT". We therefore plan to store the virus-detection messages in the AV_VIRUS file and all other AV messages in the AV_OPS file, to make searching easier. The match argument is a regular expression, so the alternation below covers every other tag in the table above (AV_SCANNER_READY is matched by AV_SCANNER):
set system syslog file AV_VIRUS any any
set system syslog file AV_VIRUS match "AV_VIRUS_DETECTED_MT"
set system syslog file AV_VIRUS archive size 1m files 3
set system syslog file AV_OPS any any
set system syslog file AV_OPS match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)"
set system syslog file AV_OPS archive size 1m files 3
set system syslog host 192.168.1.3 port 514
set system syslog host 192.168.1.3 any any
The configuration set in this section appears under the system syslog hierarchy as follows:
system {
    syslog {
        host 192.168.1.3 {
            any any;
            port 514;
        }
        file AV_VIRUS {
            any any;
            match AV_VIRUS_DETECTED_MT;
            archive size 1m files 3;
        }
        file AV_OPS {
            any any;
            match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)";
            archive size 1m files 3;
        }
    }
}
To view the syslog messages stored in a file (these entries were produced by downloading the EICAR test file, so the "virus" is harmless):
root@srx100> show log AV_VIRUS
Feb 24 01:42:18 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Feb 24 03:42:15 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
root@srx100>
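Once the detections are isolated in AV_VIRUS, the next step on the collector side is to turn each line into fields so that they can be counted per internal client and per signature. The parser below is an added example written for this page (not Juniper or Kaspersky code); it is built from the two RT_UTM lines shown above, the field names are its own, and the third sample line is constructed to show that a non-detection AV message is ignored. It also counts how many nested archive layers the infected object sat in, since scanners only unpack to a configured layer limit and deep nesting is a common way to slip a payload past them.

```python
import re
from collections import Counter

# Field layout of the RT_UTM AV_VIRUS_DETECTED_MT line as it appears in the
# `show log AV_VIRUS` output above; the group names are this example's own.
AV_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"source-zone (?P<zone>\S+) (?P<object>\S+) file (?P<file>\S+) "
    r"virus (?P<virus>\S+) URL:(?P<url>\S+) username (?P<user>\S+) roles (?P<roles>\S+)$"
)
ARCHIVE_EXT = (".zip", ".gz", ".tgz", ".tar", ".rar", ".7z")


def parse_av_event(line):
    """Return a dict of fields for an AV_VIRUS_DETECTED_MT line, else None."""
    m = AV_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    # Each path component that is itself an archive adds one nesting level
    # (eicar_com.zip inside eicarcom2.zip -> 2).
    ev["archive_depth"] = sum(
        1 for part in ev["file"].split("/") if part.lower().endswith(ARCHIVE_EXT))
    return ev


def summarize(lines):
    """Aggregate a batch of AV_VIRUS lines: which internal client received
    infected content, which signatures fired, and the deepest archive nesting."""
    events = [ev for ev in map(parse_av_event, lines) if ev is not None]
    return {
        "events": len(events),
        "unparsed": len(lines) - len(events),
        # The flow is server:80 -> client, so `dst` is the internal endpoint.
        "by_client": Counter(ev["dst"] for ev in events),
        "by_virus": Counter(ev["virus"] for ev in events),
        "max_archive_depth": max((ev["archive_depth"] for ev in events), default=0),
    }


# The two lines from the page's `show log AV_VIRUS` output, plus one
# constructed AV_OPS-style line that the parser must ignore.
SAMPLE = [
    "Feb 24 01:42:18 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    "from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust "
    "www.eicar.org/download/eicarcom2.zip file "
    "www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File "
    "URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A",
    "Feb 24 03:42:15 srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    "from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust "
    "www.eicar.org/download/eicar_com.zip file "
    "www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File "
    "URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A",
    "Feb 24 04:00:00 srx100 RT_UTM: AV_PATTERN_UPDATED: constructed line, not a detection",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The regular expression is anchored at both ends on purpose: a line that gains or loses a field (a different Junos release, or a log-prefix inserted after the hostname) will show up in the unparsed count instead of silently yielding wrong fields, which is the failure you want to notice on a forensic collector.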
When communication with the syslog server is lost
※ If communication with the syslog server is lost, the Juniper SRX Services Gateway must continue to queue log records locally. When a network device is at risk of being unable to process logs as required, it is essential to take measures that mitigate the failure. Log-processing failures include software/hardware errors, failures in the log-capture mechanism, and audit storage capacity being reached or exceeded. The response to a log failure depends on the nature of the failure mode.
Given the SRX's role in the enterprise, availability is the primary consideration, so the system must not be configured to shut down when log processing fails. Instead it is configured to record events to local files, which serve as a log backup. If communication with the syslog server is lost or the server fails, the device must keep queuing log records locally, and when connectivity to the central collection server is restored, steps should be taken to synchronise the local log data with the collector.
Best practice is to add a log prefix to the messages sent to the remote host, to help investigate events, and to use filters to prevent log overload. Another best practice is to add match conditions that limit the recorded events to those matching a regular expression (REGEX). The SRX therefore captures events to local files inherently and continuously, guarding against loss of connectivity to the primary and secondary event servers.
The following log settings are the contingency for loss of communication with the event server. The none entries keep authorization, command and daemon messages out of the messages file so that they appear only in their dedicated files. Note that console any any sends every message to the console, which is far noisier than the any warning level set earlier; choose one of the two according to your environment:
set system syslog file messages any info
set system syslog file messages authorization none
set system syslog file messages interactive-commands none
set system syslog file messages daemon none
set system syslog file User-Auth authorization any
set system syslog file interactive-commands interactive-commands any
set system syslog file processes daemon any
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog console any any
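The section above says the local files are the backup while the collector is unreachable, but leaves the resynchronisation step open. The script below is an added example, written for this page and not part of Junos or any collector product, of that step: given the timestamp of the last event the collector received, it walks the current log file and its rotated archives (Junos keeps messages.0.gz as the newest archive and higher numbers as older ones, as the directory listing later on the page shows) oldest first and returns every line written after that point, ready to be forwarded. It assumes the default Junos timestamp format without a year, so the caller supplies the year, and tolerates the millisecond fraction added by time-format millisecond. The log files are constructed in a temporary directory so the example runs offline.

```python
import gzip
import os
import re
import tempfile
from datetime import datetime

# Default Junos timestamp: "Apr 30 03:09:22" (no year). An optional ".mmm"
# fraction (time-format millisecond) is tolerated; the year comes from the caller.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?\s")


def parse_ts(line, year):
    """datetime of a Junos syslog line, or None if the line has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def rotated_files(log_dir, base):
    """Paths oldest first: base.N.gz (largest N oldest) ... base.0.gz, then base."""
    pat = re.compile(rf"^{re.escape(base)}\.(\d+)\.gz$")
    archives = []
    for name in os.listdir(log_dir):
        m = pat.match(name)
        if m:
            archives.append((int(m.group(1)), name))
    ordered = [name for _, name in sorted(archives, reverse=True)]
    if os.path.exists(os.path.join(log_dir, base)):
        ordered.append(base)
    return [os.path.join(log_dir, name) for name in ordered]


def read_lines(path):
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as f:
        return [ln.rstrip("\n") for ln in f]


def replay_after(log_dir, base, last_seen, year):
    """Lines from base and its archives whose timestamp is later than last_seen,
    in chronological order, i.e. the gap the collector missed."""
    gap = []
    for path in rotated_files(log_dir, base):
        for line in read_lines(path):
            ts = parse_ts(line, year)
            if ts is not None and ts > last_seen:
                gap.append(line)
    return gap


def build_sample_logs():
    """Constructed Junos-style messages files in a fresh temp directory."""
    d = tempfile.mkdtemp()
    sample = {
        "messages.1.gz": [
            "Apr 29 08:00:00 srx100 mgd[3606]: UI_COMMIT: User 'root' performed commit: no comment"],
        "messages.0.gz": [
            "Apr 29 20:00:00 srx100 sshd[5100]: Accepted password for admin from 192.168.1.2 port 50100 ssh2",
            "Apr 30 01:30:00 srx100 mgd[3606]: UI_COMMIT: User 'admin' performed commit: no comment"],
        "messages": [
            "Apr 30 02:15:00 srx100 mgd[3606]: UI_CFG_AUDIT_SET: User 'admin' set: [system login user auditor]",
            "Apr 30 03:09:22 srx100 mgd[3606]: UI_COMMIT: User 'admin' performed commit: no comment"],
    }
    for name, lines in sample.items():
        opener = gzip.open if name.endswith(".gz") else open
        with opener(os.path.join(d, name), "wt", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    log_dir = build_sample_logs()
    last_seen = parse_ts("Apr 30 01:30:00 srx100", 2020)   # last event the collector got
    for line in replay_after(log_dir, "messages", "messages" and last_seen, 2020):
        print(line)
```

Two limits worth knowing before using this against a real /var/log: the comparison is strict, so events in the same second as the last one received are dropped rather than duplicated (use >= and de-duplicate on the collector if you would rather replay too much than too little), and a year boundary inside the archives needs the year supplied per file, since Junos writes none unless time-format year is configured.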
root@srx100# set system syslog file ?
Possible completions:
  <file-name>          Name of file in which to log data
  authorization        Name of file in which to log data
  configuration        Name of file in which to log data
  interactive-commands  Name of file in which to log data
  messages             Name of file in which to log data
  traffic-log          Name of file in which to log data
[edit]
root@srx100# set system syslog file account-actions ?
Possible completions:
  allow-duplicates     Do not suppress the repeated message
  any                  All facilities
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
  authorization        Authorization system
  change-log           Configuration change log
  conflict-log         Configuration conflict log
  daemon               Various system processes
  dfc                  Dynamic flow capture
  explicit-priority    Include priority and facility in messages
  external             Local external applications
  firewall             Firewall filtering system
  ftp                  FTP process
  interactive-commands  Commands executed by the UI
  kernel               Kernel
  match                Regular expression for lines to be logged
  ntp                  NTP process
  pfe                  Packet Forwarding Engine
  security             Security related
> structured-data      Log system message in structured format
  user                 User processes
[edit]
root@srx100#
※ Viewing the log files (show log with no file name lists the contents of /var/log):
[edit]
root@srx100# run show log | no-more
total 1752
-rw-r--r--  1 root  wheel    6069 Apr 29 07:23 __jsrpd_commit_check__
-rw-r-----  1 root  wheel       0 Mar 14 22:33 appidd
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_libstats
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_profilelib
-rw-r--r--  1 root  wheel       0 Mar 14 22:31 authd_sdb.log
-rw-rw----  1 root  wheel   19849 Apr 30 03:09 authorization
-rw-r--r--  1 root  wheel       7 Mar 14 22:33 bin_messages
-rw-r-----  1 root  wheel  166037 Apr 29 08:27 chassisd
-rw-rw----  1 root  wheel    7632 Apr 30 04:18 configuration
-rw-r--r--  1 root  wheel   54720 Apr 29 08:23 cosd
-rw-r-----  1 root  wheel   78651 Apr 29 15:44 dcd
-rw-r--r--  1 root  wheel       0 Mar 14 22:30 dfwc
-rw-r-----  1 root  wheel    1012 Apr 29 08:23 eccd
drwxrwxr-x  2 root  wheel     512 Mar 14 22:29 ext
drwxrwxrwt  3 root  wheel     512 Mar 14 22:29 flowc
-rw-r--r--  1 root  wheel     298 Apr 28 23:11 fwauthd_chk_only
drwxrwxrwt  3 root  wheel     512 Mar 14 22:29 ggsn
-rw-r--r--  1 root  wheel    6520 Apr 29 08:23 gres-tp
-rw-r--r--  1 root  wheel   49202 Apr 30 02:44 httpd.log
-rw-r-----  1 root  wheel       0 Mar 14 22:33 idpd
-rw-r--r--  1 root  wheel      90 Apr 28 23:11 ifstraced
-rw-rw----  1 root  wheel   27216 Apr 30 04:28 interactive-commands
-rw-rw----  1 root  wheel    6860 Apr 29 19:30 interactive-commands.0.gz
-rw-rw----  1 root  wheel    7667 Apr 29 12:00 interactive-commands.1.gz
-rw-rw----  1 root  wheel    7432 Apr 29 09:00 interactive-commands.2.gz
-rw-r-----  1 root  wheel    4798 Apr 29 08:23 inventory
-rw-r--r--  1 root  wheel   30048 Apr 30 03:08 ipfd
-rw-r-----  1 root  wheel   41382 Apr 29 18:05 jsrpd
-rw-r--r--  1 root  wheel     740 Apr 28 23:13 kmd
-rw-r-----  1 root  wheel       0 Mar 14 22:33 license
-rw-r--r--  1 root  wheel    6790 Apr 29 08:24 license_subs_trace.log
-rw-r-----  1 root  wheel      55 Apr 29 08:18 mastership
-rw-rw----  1 root  wheel   45993 Apr 30 03:09 messages
-rw-rw----  1 root  wheel    9807 Apr 20 22:00 messages.0.gz
-rw-r--r--  1 root  wheel   22072 Apr  7 02:54 nsd
-rw-r--r--  1 root  wheel   38331 Apr 29 17:28 nsd_chk_only
-rw-r--r--  1 root  wheel   23147 Apr 29 18:05 nstraced
-rw-r--r--  1 root  wheel     370 Apr 29 07:23 nstraced_chk_only
-rw-r--r--  1 root  wheel     384 Apr 28 23:11 pf
-rw-r--r--  1 root  wheel       0 Mar 14 22:33 pfed
-rw-r--r--  1 root  wheel     288 Apr 28 23:11 pgmd
-rw-r--r--  1 root  wheel     456 Apr 29 15:44 rtlogd
-rw-r--r--  1 root  wheel    4249 Apr 29 08:22 snapshot
-rw-rw----  1 root  wheel  100326 Apr 30 04:28 traffic-log
-rw-rw----  1 root  wheel   18598 Apr 30 03:15 traffic-log.0.gz
-rw-rw----  1 root  wheel   12486 Apr 30 01:00 traffic-log.1.gz
-rw-rw----  1 root  wheel   11452 Apr 30 00:00 traffic-log.2.gz
-rw-r--r--  1 root  wheel    1782 Apr 29 08:24 utmd-av
-rw-rw-r--  1 root  wheel   30004 Apr 29 08:32 wtmp
-rw-rw-r--  1 root  wheel     139 Apr  7 00:24 wtmp.0.gz
[edit]
root@srx100# run show log ?
Possible completions:
  <[Enter]>            Execute this command
  <filename>           Name of log file
  __jsrpd_commit_check__  Size: 6069, Last changed: Apr 29 07:23:11
  appidd               Size: 0, Last changed: Mar 14 22:33:23
  authd_libstats       Size: 0, Last changed: Mar 14 22:31:05
  authd_profilelib     Size: 0, Last changed: Mar 14 22:31:05
  authd_sdb.log        Size: 0, Last changed: Mar 14 22:31:05
  authorization        Size: 19849, Last changed: Apr 30 03:09:22
  bin_messages         Size: 7, Last changed: Mar 14 22:33:06
  chassisd             Size: 166037, Last changed: Apr 29 08:27:41
  configuration        Size: 7632, Last changed: Apr 30 04:18:05
  cosd                 Size: 54720, Last changed: Apr 29 08:23:33
  dcd                  Size: 78651, Last changed: Apr 29 15:44:24
  dfwc                 Size: 0, Last changed: Mar 14 22:30:44
  eccd                 Size: 1012, Last changed: Apr 29 08:23:33
  ext/                 Last changed: Mar 14 22:29:36
  flowc/               Last changed: Mar 14 22:29:37
  fwauthd_chk_only     Size: 298, Last changed: Apr 28 23:11:37
  ggsn/                Last changed: Mar 14 22:29:36
  gres-tp              Size: 6520, Last changed: Apr 29 08:23:33
  httpd.log            Size: 49202, Last changed: Apr 30 02:44:03
  idpd                 Size: 0, Last changed: Mar 14 22:33:48
  ifstraced            Size: 90, Last changed: Apr 28 23:11:32
  interactive-commands  Size: 27312, Last changed: Apr 30 04:28:56
  interactive-commands.0.gz  Size: 6860, Last changed: Apr 29 19:30:00
  interactive-commands.1.gz  Size: 7667, Last changed: Apr 29 12:00:01
  interactive-commands.2.gz  Size: 7432, Last changed: Apr 29 09:00:00
  inventory            Size: 4798, Last changed: Apr 29 08:23:33
  ipfd                 Size: 30048, Last changed: Apr 30 03:08:58
  jsrpd                Size: 41382, Last changed: Apr 29 18:05:19
  kmd                  Size: 740, Last changed: Apr 28 23:13:35
  license              Size: 0, Last changed: Mar 14 22:33:04
  license_subs_trace.log  Size: 6790, Last changed: Apr 29 08:24:04
  mastership           Size: 55, Last changed: Apr 29 08:18:42
  messages             Size: 45993, Last changed: Apr 30 03:09:22
  messages.0.gz        Size: 9807, Last changed: Apr 20 22:00:00
  nsd                  Size: 22072, Last changed: Apr 07 02:54:29
  nsd_chk_only         Size: 38331, Last changed: Apr 29 17:28:22
  nstraced             Size: 23147, Last changed: Apr 29 18:05:19
  nstraced_chk_only    Size: 370, Last changed: Apr 29 07:23:10
  pf                   Size: 384, Last changed: Apr 28 23:11:10
  pfed                 Size: 0, Last changed: Mar 14 22:33:22
  pgmd                 Size: 288, Last changed: Apr 28 23:11:42
  rtlogd               Size: 456, Last changed: Apr 29 15:44:23
  snapshot             Size: 4249, Last changed: Apr 29 08:22:22
  traffic-log          Size: 100619, Last changed: Apr 30 04:28:56
  traffic-log.0.gz     Size: 18598, Last changed: Apr 30 03:15:00
  traffic-log.1.gz     Size: 12486, Last changed: Apr 30 01:00:00
  traffic-log.2.gz     Size: 11452, Last changed: Apr 30 00:00:01
  user                 Show recent user logins
  utmd-av              Size: 1782, Last changed: Apr 29 08:24:04
  wtmp                 Size: 30004, Last changed: Apr 29 08:32:41
  wtmp.0.gz            Size: 139, Last changed: Apr 07 00:24:06
  |                    Pipe through a command
[edit]
root@srx100#
user@host> show log messages
Apr 11 10:27:25 router1 mgd[3606]: UI_DBASE_LOGIN_EVENT: User 'barbara' entering configuration mode
Apr 11 10:32:22 router1 mgd[3606]: UI_DBASE_LOGOUT_EVENT: User 'barbara' exiting configuration mode
Apr 11 11:36:15 router1 mgd[3606]: UI_COMMIT: User 'root' performed commit: no comment
Apr 11 11:46:37 router1 mib2d[2905]: SNMP_TRAP_LINK_DOWN: ifIndex 82, ifAdminStatus up(1), ifOperStatus down(2), ifName at-1/0/0
user@host> file show /var/log/processes
Feb 22 08:58:24 router1 snmpd[359]: SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 22 20:35:07 router1 snmpd[359]: SNMPD_THROTTLE_QUEUE_DRAINED: trap_throttle_timer_handler: cleared all throttled traps
Feb 23 07:34:56 router1 snmpd[359]: SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 23 07:38:19 router1 snmpd[359]: SNMPD_TRAP_COLD_START: trap_generate_cold: SNMP trap: cold start
The same file when explicit-priority is configured for it: each message now carries its facility and numeric severity as %FACILITY-SEVERITY-TAG, which lets a collector filter on severity without knowing every tag:
user@host> file show /var/log/processes
Feb 22 08:58:24 router1 snmpd[359]: %DAEMON-3-SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 22 20:35:07 router1 snmpd[359]: %DAEMON-6-SNMPD_THROTTLE_QUEUE_DRAINED: trap_throttle_timer_handler: cleared all throttled traps
Feb 23 07:34:56 router1 snmpd[359]: %DAEMON-3-SNMPD_TRAP_WARM_START: trap_generate_warm: SNMP trap: warm start
Feb 23 07:38:19 router1 snmpd[359]: %DAEMON-2-SNMPD_TRAP_COLD_START: trap_generate_cold: SNMP trap: cold start
user@host> show log messages
Apr 25 14:01:12 user Throughput exceed 20Gbps and 7Mpps in 35% of last 15 minutes, above the time threshold 10%!
Apr 25 14:16:12 user Throughput exceed 20Gbps and 7Mpps in 95% of last 15 minutes, above the time threshold 10%!