Syslog Servers In Use-juniper-junos

best-practices
info
junos
juniper
Syslog Servers In Use-juniper-junos
0

#1

Syslog Servers In Use-juniper-junos

Vendor: juniper

OS: junos

Description:
Indeni will verify that certain syslog servers are configured on a monitored device.

Remediation Steps:
Modify the device’s configuration as required.
|||1. On the device command line interface execute “show system syslog” command to review system log configuration.
|2. Check if the syslog server is accessible.
|3. Check if the severity level is set properly to ensure that the traffic log messages are captured.
|4. Consider specifying two remote syslog servers to which system logs are sent.
|5. Review the following article on Juniper TechLibrary for more information: SRX Getting Started - Configure System Logging.

How does this work?
This script retrieves how the syslog servers are configured on the SRX device by running the command “show configuration system syslog” via SSH connection to a device.

Why is this important?
The SRX device can send log messages to the remote syslog servers.

Without Indeni how would you find this?
An administrator could log on to the device to run the command “show configuration system syslog” to collect the same information.

junos-show-configuration-system-syslog

#! META
name: junos-show-configuration-system-syslog
description: JUNOS SRX retrieve syslog server configuration information 
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: juniper
    os.name: junos
    product: firewall

#! COMMENTS
syslog-servers:
    why: |
        The SRX device can send log messages to the remote syslog servers. 
    how: |
        This script retrieves how the syslog servers are configured on the SRX device by running the command "show configuration system syslog" via SSH connection to a device. 
    without-indeni: |
        An administrator could log on to the device to run the command "show configuration system syslog" to collect the same information.
    can-with-snmp: false 
    can-with-syslog: false
    vendor-provided-management: |
        The commamnd line is available to retrieve this information

#! REMOTE::SSH
show configuration system syslog | display set | match host

#! PARSER::AWK
#set system syslog host 192.168.1.56 any critical
/^(set\s+system\s+syslog\s+host)/{
    host = $(NF - 2)
    facility = $(NF-1)
    severity = $NF 
    syslog_server[idx_1,"host"] = host 
    syslog_server[idx_1,"severity"] = severity 
    idx_1++
}

END{
    writeComplexMetricObjectArray("syslog-servers", null, syslog_server)
}

verification_syslog_servers_in_use

package com.indeni.server.rules.library

import com.indeni.ruleengine.Scope.{Scope, ScopeValueHelper}
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.data._
import com.indeni.ruleengine.expressions.scope.ScopableExpression
import com.indeni.ruleengine.expressions.utility.IsEmptyExpression.IsEmptyExpressionHelper
import com.indeni.ruleengine.expressions.utility.SeqDiffWithoutOrderExpression
import com.indeni.ruleengine.expressions.{Expression, conditions}
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules.config.expressions.DynamicParameterExpression
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.rules.{RuleMetadata, _}
import com.indeni.server.sensor.models.automationpolicy.AutomationPolicyItemAlertSetting
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity


/**
  * Created by amir on 19/02/2017.
  */
case class SyslogServersInUseComplianceCheckRule() extends PerDeviceRule with RuleHelper {

  private val linesParameterName = "syslog_config_lines"
  private val linesParameter = new ParameterDefinition(
    linesParameterName,
    "",
    "Syslog servers config needed (multi-line, <ip-address>, <min-severity>)",
    "List the syslog servers need to be configured, and their minimal severity.\ne.g. 1.1.1.1, info.",
    UIType.MULTILINE_TEXT,
    "")


  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val linesExpected = DynamicParameterExpression.withConstantDefault(linesParameter.getName, Seq[Seq[String]]()).withLazy

    val snapshotKey = "syslog-servers"
    val missings =
      SeqDiffWithoutOrderExpression(
        MultiSnapshotExtractVectorExpression(SnapshotExpression(snapshotKey).asMulti().mostRecent().value(), "host", "severity"),
        linesExpected
      ).missings
        .withLazy

    val missingLineHeadline = new ScopableExpression[String] {
      override protected def evalWithScope(time: Long, scope: Scope): String = scope.getVisible("syslogConfig").get.asInstanceOf[Seq[String]].mkString(", ")
      override def args: Set[Expression[_]] = Set()
    }

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
      StatusTreeExpression(
        // The snapshot we check the test condition against:
        SelectSnapshotsExpression(context.snapshotsDao, Set(snapshotKey)).multi(),

        // The condition which, if true, we have an issue. Checked against the snapshots we've collected
        missings.nonEmpty,
        multiInformers = Set(
          MultiIssueInformer(
            missingLineHeadline,
            EMPTY_STRING,
            "Missing configuration"
          ).iterateOver(
            missings,
            "syslogConfig",
            conditions.True
          ))

        // Details of the alert itself
      ).withRootInfo(
        getHeadline(),
        ConstantExpression("Indeni has found that some syslog servers are missing or misconfigured. Check the list below."),
        ConditionalRemediationSteps("Modify the device's configuration as required.",
          ConditionalRemediationSteps.OS_NXOS ->
            """|1. Check if the IP address of the syslog server is accessible. Use theVRF management option if the Mangement VRF is configured to access the syslog servers. In this case use the "ping <dest-ip> vrf management" command to ping the server otherwise ping the server without the vrf option.
               |2. Check that the appropriate logging level is enabled to send logging messages. Use the "show logging info" NX-OS command. If the logging level is not appropriate, then set the appropriate level by using the "logging level <feature> <log-level>" NX-OS command.
               |3. It is a best practice to have at least one and no more than three, syslog servers configured.
               |4. For more information please review: <a target="_blank" href="https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/system_management/502_n1_1/b_Cisco_n5k_system_mgmt_cg_rel_502_n1_1/Cisco_n5k_system_mgmt_cg_rel_502_n1_1_chapter9.html">Cisco NX-OS configuration guide</a>.""".stripMargin,
          ConditionalRemediationSteps.VENDOR_JUNIPER ->
            """|1. On the device command line interface execute "show system syslog" command to review system log configuration.
               |2. Check if the syslog server is accessible.
               |3. Check if the severity level is set properly to ensure that the traffic log messages are captured.
               |4. Consider specifying two remote syslog servers to which system logs are sent.
               |5. Review the following article on Juniper TechLibrary for more information: <a target="_blank" href="https://kb.juniper.net/InfoCenter/index?page=content&id=KB16502&actp=METADATA">SRX Getting Started - Configure System Logging</a>.""".stripMargin
        )
      ).asCondition()
    ).withoutInfo()
  }

  /**
    * @return The rule's metadata.
    */
  override def metadata: RuleMetadata =
    RuleMetadata.builder(
      "verification_syslog_servers_in_use",
      "Compliance Check: Syslog Servers In Use",
      "Indeni will verify that certain syslog servers are configured on a monitored device.",
      AlertSeverity.INFO)
      .defaultAction(AutomationPolicyItemAlertSetting.NEVER)
      .configParameter(linesParameter)
      .build()
}