47. Configuration Groups
Let’s talk about an interesting topic called the configuration groups. So what is a configuration group? Well, a configuration group is a configuration snippet that can be applied to other parts of the configuration. So you would start by creating a configuration group containing configuration statements. And this can then be applied to rest of the configuration. Doing this allows you to define common portions of the configuration once and have them applied in many places. The advantage of doing this is that it minimizes the time to update the configuration because you do not have to apply the update at multiple places.
You can just apply the update in one common place. And it also reduces the chances of errors because you’re just configuring in one commonplace. This is ideal for grouping statements that are repeated in many places in the configuration. Configuration groups are very powerful. They make it very easy to configure the Junos device. Let’s get to the terminal and see how we can use this. All right, I’m here at the Junos terminal. I’ll first enter the configuration mode with the edit come in and I’m going to start by viewing a specific interface.
So I’ll say show interfaces G. 0 0 one. And as you can see here on this interface, I have five logical interfaces starting from Unit one all the way up to Unit five. Now, let’s say I wanted to apply a common configuration to all these interfaces or all these units. One way to do that would be set interfaces G 0 0 one. Unit one. And let’s do a question mark first. Out of these options, let’s say I wanted to apply the bandwidth configuration so I could do bandwidth. And then I can apply the bandwidth configuration. And I can repeat this five times for five units. This is one way of doing it. But there’s an easy way to do it, and that is using a configuration group. Let’s see how to configure one. So I’m here at the top of the configuration mode. I’ll start with edit and to configure a configuration group. We need to use the keyword called groups. So we’ll do edit groups. Question mark. And we need to start by providing in name. Now we’re gonna use this configuration group to configure the bandwidth of the interface. So we’ll give a name that represents that. Let’s maybe call this as Ben config.
OK, so that’s going to be the name of the configuration group. We’ll do a question mark here. Now we can specify what we are trying to configure in this case. We are trying to provide an interface configuration. So we’ll set interfaces. Question mark. And now we can provide the interface name to provide an interface name. We can use wildcard expressions. But one thing to keep in mind is that wildcard expressions should always be enclosed in angled brackets. So if I wanted to match all G interfaces, I could do something like this G. High from star or Asterisk. And that would match any G interface. But in this case, we are trying to match G 0 0 one and any unit. So I’m going to do G. 0 0 one. And I’m going to say unit.
Angle brackets, asterisk. This would mean that we are trying to match any logical unit under the GS, your 0 one interface. There’s some other styles of configuration as well. So, for example, we could do edit groups, banned config interfaces and we could do angled brackets. G.E. hyphen 0/0/star. So that would match any GS 0 0 interface. She is 0.0.0G. 0 0 one two and so on. If we wanted to provide a range, we could use a square bracket for that. So we could do annual brackets. Hyphen G is 0 0 and then we could do maybe one, two, three. So this would match gee e0 0 one two 0 0 two and G is 0 0 three. The important thing to keep in mind is that whenever you want to use a wildcard expression, that must be enclosed in the angle brackets. Right now, I’m going to hardcourt that to G 0 0 one. And we’ll say unit angle brackets. Asterisk. So this will match any unit under G. 0 0 one. And let’s do a question mark. So at this stage, we can execute the command. I’m going to press enter. Now we are under a specific configuration mode. Now we’ll do set space question mark. And the configuration that we are trying to apply is bandwidth. Let’s do that. Set bandwidth. And here we can provide the bandwidth information. I’m going to configure this as one hundred. Let’s do a show.
In fact, let’s go one level up and let’s do a show or let’s do this. Let’s go to the top and let’s do show groups. Band config. And that’s our configuration group. Now we need to apply this on the interface. So we’ll do this set interfaces. She is 0 0 one and we’re going to apply the configuration group here by applying it here. We will be able to influence the configuration of all the logical units. So let’s do a question mark. And you’ll notice we have the option to apply a group. Let’s do that. Apply. Groups. And will the band can fake. Now, the reason we don’t see the name of the configuration group when we do a question mark is because we haven’t committed the configuration. If we did a comment that well, we would show up as a possible completion. Right now, that’s OK. We’re going to press enter. So that’s configured. Now, if we did show interfaces, she is 0 0 one. Let’s see what happens. Now we can see that nothing has really changed. And that’s because by default, Junos will not show you the configuration that has been inherited. To see the configuration that has been inherited.
We have to use a pipe and then say display inheritance. And when we do that, we can see the configuration that has been inherited in this case. One hundred was inherited from the group called Ben Config, and that is the configuration. And we can see that it has been applied to all the interfaces. Let’s say you wanted to view the configuration without these hashes or without these commands. We can do display inheritance, no commands. And then the configuration will appear like a normal config. It won’t show you any of those commands. Now, let’s say we wanted to apply the configuration group to four units, but we don’t want to applied on the fifth unit. So in that case, we can use the keyword apply groups, except this keyword should be applied to the configuration where you do not want the inheritance to take place. In this case, Unit five. So we’ll do this. Set interfaces. G. 0 0 one. And will enter the specific unit. Unit five. And here will say apply. Groups. Except.
Apply groups accept and will say ban config. And now if we do show interfaces cheesier, is it a one? Display inheritance. No commands. We should see that Unit one to Unit four has the bandwidth configuration. But this unit doesn’t have that configuration. And that’s because we have this statement applied over here. So as you can see, configuration groups are so flexible. Imagine the advantage of this service provider environments where you have hundreds of customers. You may have so many interfaces, you may have so many lines of configuration. Configuration groups will make it really easy to manage such large pieces of configuration. Configuration groups can be applied at any level of the configuration. So if I did show over here, we can not only apply to interfaces, which is what we did right now, but we can apply to any configuration. We can apply to policies. We could also apply to system services, web management, for example. And let’s give this a try. Let’s see how to configure a configuration group that applies to system services, web management. So also edit groups and let’s give it a name. I’m going to call this as Web M GMT. Question mark. And we are trying to apply this under system services, so system services.
And we want to apply the configuration over here under Web management. Web management, all press enter. And now also set to space. Question mark HTP. Yes. And we’ll say interface. And I’m going to say, gee, 0 0 0, for example. So if I do show. This configuration will allow each GTP, yes, access from the specific interface before we apply this, let’s see the existing configuration show systems, services, web management. So right now, we can see that nothing is configured. It is only configured to use a system generated certificate. But none of the interfaces are configured. So we’ll do set system and we can apply the configuration here if we wanted to. So when I do a question mark, you will notice that we can apply here. Let’s give that a try. Set system. Apply. Groups. And the name of the group, we haven’t committed the configuration, so we can’t see the value, but I’m just gonna type it in Web M GMT. Press enter. And now let’s do show system services. Display inheritance.
No commands. Excuse me, display inheritance. No commands. And now we can see that that configuration has been applied. In this case, we have applied the configuration group at the set system level. We could also apply the same configuration at the services level. So if I can show you this way. I’ll do a show and press enter so you can see over here that we have applied the configuration group at the edit system level. We could also applied here and we’ll get the same result. Let’s give that a try. So all say delete system. Apply groups, press, enter. So if I do a show now, we can see that we’ve removed that configuration. And now let’s do set system services, apply. Groups and let’s do Web M GMT. And if we do show system, display inheritance, no commands, we should get that same output. So you can applied at multiple levels. Just make sure you’re applying it above the configuration that you want to influence. Let’s see one more example. So let’s do show security policies. Press enter and we can see that we have a few policies defined over here from the trust zone to the untrust zone. This configuration is not important for us to know from the GFCI level.
But all we are trying to understand right now is how we can use a configuration group to influence this configuration. The syntax of this configuration is not important. So right now we have three policies. You can see that over here from the trust zone to the untrust zone. And we can see that none of these policies have logging enabled. They are only permitting traffic, but they do not have logging enabled. Now, we could go to every policy in here and enable logging or we can create a configuration group and apply to all the policies. Let’s see how to do that. So from the top, I’ll say edit groups will need to give it a name. I’m going to call this one as log policy. Question mark and the configuration that we’re trying to apply is under a security policies, and we can see that here. It’s under our security policies. Question mark. At this point, we could specify air from zone or if we did not want to match a specific from zone, we could simply do this. Excuse me. We would do from Zone. This way and that way we would match any from zone and we could also do to zone angle, bracket asterisk. And in this way we would be matching any from zone and any two zone.
But right now, I’m going to hardcourt that to match the from zone as trust to zone as untrust. And then the key word is policy. Now here I’m going to say angle brackets, asterisk. So this means we’re going to apply this configuration for any policy. From the trust zone to the untrust zone. I’ll press enter over here and now we’ll configure the value set then. Log. And we’re going to do log ad session in it, which is session initialization. Press enter. Let’s go to the top and let’s do show groups law policy. And this is the configuration that we’ve created. Now let’s apply to the policy. So we’ll do set security policies. Question mark. And we’re going to apply to over here. Apply. Groups. And the group name is Log Policy. And now when we do show security policies display inheritance, we should see that all these policies have inherited the logging feature from the configuration group. So as you can see, configuration groups make it easy to configure the device. And it’s also faster to configure this way. How about applying multiple configuration groups at the same time? Can we do that? Let’s give that a try. So let’s create another configuration group that is configured to log at session close. And let’s try to apply this at the same level, which is set security policies. So we’ll have to configuration groups and let’s see what’s the resulting output.
So let’s do a show groups log policy. This is what we configured just to make it faster. I’m going to copy this. Copy groups, law policy, too. And I’m going to name this as law policy to. So if we do show groups now, we can see that we have law policy and we have law policy, too. Now we’ll edit this will set edit log policy. Added groups law policy to security policies from zone trust to zone untrust policy. And let’s do set, then log session close. So now if we go to the top and if we do show groups, we can see that we’ve got to law policies. The first law policy is configured to log ad session in it. And this one is configured to log at session in it and close. So we need to remove that. We only want to log at such close. So also delete groups law policy to. Security policies from Zone Trust to Zone Untrust policy. Scuse me. And then log session in at. So now if we do show groups, we should see that this one is configured to log accession in it. And this one is configured to log at session close. So let’s do show security policies. We can see that we’ve already applied a configuration group. Let’s try to do it one more time. Said security policies apply. Groups. And this time we’re going to apply law policy to hit the pair of a couple of times. Show security policies. So you can see that we applied to configuration groups. Now, let’s see what’s the resulting configuration?
So show security policies. Display inheritance. No commands. And you’ll notice that the configuration from both the configuration groups has been inherited. And this is possible because the configuration from both the configuration groups is actually acceptable for this policy. But what if we had a configuration where only one of the two configurations can be accepted? I’ll show you what I mean. Let’s do show groups. Band config. So in this case, we have the bandwidth defined as one hundred. But what if we had another group that had bandwidth set to 1000 and we apply both the groups on the interfaces? What would be the resulting configuration? Let’s give that a try. So we’ll do copy groups. Will create a copy of this copy group’s ban config to. Ben confect to. We’ll then edit that edit groups banned config to. And we’ll say set interfaces. G is yours or one any unit. Bandwidth 1000. So if I go to the top here and if I do show groups now, we can see that we’ve got two configurations banned config. Which sets the bandwidth as one hundred and at the bottom here we have Ben confect two, which sets the bandwidth as 1000.
If we do show interfaces, G is 0 0 one. We can see that we have a configuration group applied over here. Let’s try to apply the second one. Set interfaces. She is 0 0 one. Apply groups. Bad config, too. Now, when I do show interfaces, she is 0 0 one. What do you think will be the resulting configuration? Let’s take a look at it so we can see here. That the resulting configuration is unchanged. All the interfaces have the same bandwidth configuration except the last one. This means when you apply multiple configuration groups, the first configuration group will always take priority. So if I do show interfaces, we can see that two configuration groups have been applied. The first one had a bandwidth configured of 100. And the second one had the bandwidth configured for 1000. And clearly, the first one has been applied. So when you configure multiple configuration groups. The earlier ones will take priority. How about this one here? Why does it have the bandwidth configured as 1000? Well, the reason is we have to configuration groups applied. The first one has been configured as an exception. So we’ve said that we don’t want to use that.
So as a result of that, the configuration from the second configuration group. Has been picked up over here. An important thing to keep in mind is that configuration groups follow true inheritance model. That means if you change anything in the original configuration group, that will be automatically picked up over here. But you can also override that. That means even though this configuration is coming from the configuration group. But if you override it here, that is the value that it will use. So if there is no value configured, it takes the value from the configuration group. But you can override that with a specific configuration. One last thing to keep in mind is that Junos has a predefined configuration group that is used to configured the device is actually a hidden configuration, but you can see that with the command show groups, Junos defaults. This is the default Junos configuration group. And as you can see, it has a bunch of configuration in there which is used to configure the Junos device. This is a very important command to remember from the examination perspective. I hope you realize the power of a configuration group. It really makes configuring the device easy and faster. I encourage you to try this on your Junos device.
48. Introduction to System Logging
Let’s talk about an important topic called system logging, also known as CIS Log, this log is used to record system wide, high level operations, such as interfaces going up or down or users logging into or out of the device or commit operations being completed, etc. So you can use this logged record of any activities that are happening on your Junos device. Logs are placed in files that are stored in the/of V are/log directory. Junos includes a primary source log file, which is found in all factory default configurations, and this file is the messages file, which can be found at/r/log/messages. Each system log message belongs to what is known as a facility, a facility is a group of messages that are either generated by the same software process or a concern. A similar activity, for example, all authentication messages will belong to one facility. All security related events will belong to another facility. So our facility is just a group of messages that concern a similar activity. Every message will also have a civility level that indicates how seriously the triggering event affects the device functions. Let’s look at some of the facilities found on the Junos device, on this table, on the left hand side.
I have the name of the facility and on the right hand side, I have the type of event or error message generated by the facility. The first one is any. This facility is responsible for logging all messages from all facilities. The authorization facility will log authentication and authorization attempts. The change log facility is responsible for logging changes to the Junos configuration. The daemon facility is responsible for logging actions performed or errors encountered by system processes. Then we have the firewall filter, which is responsible for logging packet filtering actions performed by a firewall filter. The interactive commands facility will log commands issued at the Junos command line interface. The colonel facility is responsible for logging actions performed or errors encountered by the Junos. Colonel. The security facility will log security related events or errors and the user facility will log actions performed or errors encountered by user processes. This table contains only the important and most commonly used facilities. There are other facilities as well which are not listed on this table and can be found on the Junos documentation. Now, let’s talk about civility levels. On the left hand side, we have the numeric value of the civility level.
The central column has the label of the severity level and on the right hand side, we have the description. The first severity level is none. When you set this level, it will disable all logging of the associated facility. Then we have the emergency severity level, which corresponds to a system, panic or other conditions that could cause the device to stop functioning. The alert severity level indicates conditions that require immediate correction, the critical severity level includes critical conditions, the error, severity level talks about error conditions that have less serious consequences.
Then we have the warning severity level, which includes conditions that warrant monitoring. The notice severity level includes conditions that are not errors but might warrant special handling. Then we have the info severity level, which is for events or non error conditions of interest. And finally, we have the any severity level which will include all severity levels for that facility. So the important thing to keep in mind is that system wide events happening on the Junos device can be recorded or can be logged using the SIST log feature by default, logs are stored under/V.A./log directory and every log message will have a facility and a civility level. If facility is just a group of messages concerning a similar activity and the severity level indicates how seriously the triggering event could affect the Junos device. In the next video, we’ll get to the terminal and understand how to configure sest lock.
49. Configuring Syslog
Welcome back. Now that we’ve understood why we need system logging or sist log, let’s understand how to configure this on the terminal. I’m right now in the configuration mode. I’ll first enter the edit system, sist log configuration hierarchy and let’s start with set space question mark. Here you will see that we can log messages to a file so we can send log messages to a file that we specify or we can send messages to the console, or we can send log messages to assist logs server, or we can also notify a user about an event. Let’s start with a log file configuration. So also set file space. Question mark. We need to provide the file name. I’m going to call this file as CLI commands. Question mark. And now we can see all the facilities that we can use for logging in this case. I’m going to use interactive commands which will allow us to log all commands executed by the UI. So interactive commands question mark. And now we can provide the civility level. In this case, I’m going to say any. So we are going to log interactive commands at any severely level.
Let’s repeat this one more time. I’m going to say set file and I’m going to call this as changelog. And this time we’re going to log on this facility, which is called. This one here, which is called changelog, and I’m going to log at any civility level. Let’s do a show here. So this is the configuration. We’ve got two files, one logging and interactive commands and the other one logging at changelog. Let’s do a commit here. All right, so the configuration has been committed. Now, any changes that we make or any commands that we type will be captured in this file and any changes that we make to the configuration will be captured by this file. Let’s configure one more file for security. So I’m going to say set file. And this is a new file name called Security. We will log using the security facility here. And I’m going to log add any civility level. Let’s do a show here. So we’ve got our three files configured over here. Let’s add some descriptions to these files. The command to do that is annotate. So we’re trying to annotate a file and Allfirst annotate the CLI commands file. The annotation needs to be provided within double quotes. All right. So I’m going to say logs, commands entered by users. Let’s do a show. And we can see that description here. Let’s also do the same for these two files here. And a TED file file name double quotes. All right. And let’s do it one more time, annotate file security. All right, so now we have descriptions set up for all the thwe files. By the way, if we want to delete the annotation, you would not use the delete command. Instead, you would remove everything that’s within the double quotes. So if we wanted to remove that annotation, we would simply remove everything within the double quotes and press enter. And if we do a show now, we can see that this file here does not have an annotation anymore.
I’m going to hit the up here a couple of times and set that again. So if we do a show now, we can see those descriptions. Let’s also set up this log to notify a user. So set space question mark. And we’ll use this keyword here. Question mark. Now we can provide the user name for a specific user or we can provide an asterisk, which means we’re trying to notify all users. I’m going to notify from all facilities, but I’m not going to notify at all severity levels. Because if you set it to any and you commit, your terminal is going to be flooded with six log messages. So you want to make sure you only configure this for specific CVT levels. I’m going to configure this for emergency. So any says log messages, having a severity level of emergency or higher will be notified to the user. I’ll press enter and let’s do a show. All right, so we can see all the changes that we made here. Now, let’s do a comet. All right, now let’s go back to the operational mode and let’s take a look at the log files.
The command is show log space. Question mark. So we can see the files that we configured. You’ve got change log here. You’ve got Selye commands. Let’s take a look at it. Show logs. Houli like commands. Press enter. And here we can see all the commands that we entered at the terminal. So you will notice there is a date and time stamp. You have the system, name the process, name the process I.D. and then you have a message code and a message text that describes this as log. If you want to know more information about that specific says log entry, we can copy that message code and we can use the help, says Log Command. So helps us log and simply typing that code and you will get more information about that. Just log message. So you’ve got the name message, a description type severely and facility. Let’s also see the other log file show, log change log. And I’ll press enter here so we can see all the configuration changes that have been made.
We can also use the filtering commands that we looked at earlier. So, for example, if I only wanted to see a specific message code, I can do show log, file name and I can say match. And the message code. And now we are only looking at specific messages, having that code. So let’s look at the structure of SIST log messages. Every SIST log entry contains the timestamp, which indicates when the message was locked. It then has the name, which is the configured system name. Then you have the process name or the process I.D. of the process that generated the log entry. Then you have a message code which identifies the nature and purpose of the message. And then you have a message text which provides additional information related to the message code. We’ve already seen this as log examples. I’ve got some more here. So, for example, you’ll notice every SIST log message starts with a date and a timestamp. And then the system. Name the process. Name the process. I.D. the message code and the message text. Now, one thing to notice here is that the messages do not contain the name of the facility that generated the message. And it also does not contain the severity level if you need that information. You can configure to include explicit priority.
So to add a numeric priority value consisting of the facility and the severity level to your source log messages, add the explicit priority statement. So before you can figure this, it’s gonna look like this. And after you configure explicit priority, it’s going to look like this will see that facility name here and the severity level. All right, back over here. Let’s understand how to configure explicit priority. But before we do that, let’s clear a log file. So the command is clear. Log in the file name, which is CLI commands. Keep in mind that the clear command will only clear the contents of that file. It will not actually delete that file. Now that we’ve done this, let’s go back to the configuration mode and let’s go to edit systems syste log. And let’s do said file file name, which is going to be CLI commands, and let’s configure it to include explicit priority. All right, let’s do a comet. And now let’s take a look at the contents of that file to take a look at the contents. We do not need to go back to the operational mode. We can do it from the configuration mode itself. When you want to run operation mode commands from the configuration mode.
You can prefix them with the keyword run. So let’s do run, show, log see commands. And we’ll go down to the bottom of the log. And here you can see after the commit operation has been completed. The log messages have the facility name and the severity level. Let’s talk about one more feature that we can enable. It’s called structured data. So let’s do set files, CLI commands. And if I do a question mark here. Notice we have the option to configure structured data. This will cause your SIS log messages to be formatted according to the Internet draft. So this log protocol. So let’s do that. Set files. You like commands, structured data. And let’s do a commit. And let’s look at the file contents again, run show logs, you like commands. But this time I’m going to pipe it to only show the last portion of that output. And now we can see that the log messages have a specific structure in them. So if you wanted to include your log messages in a specific structure, you would use the structured data keyword. You can see that here, the last command that I used was run show log zeolite commands. And that is actually shown with a nice structured format. Notice that at the end of that structured format, you also have a little message if you don’t want that message to be included. We can do this, so we’ll do set file, CLI, command structure, data, question mark. And we can use this keyword called brief, which will cause the English language text at the end of the message to be admitted. Let’s give that a try. I’ll hit the up here a couple of times. Press enter. And now we can see that we only have this portion. The message at the end, which we saw here.
Like, for example, here. The message at the end has been removed. Yule log messages will terminate at the end of the structured data output. Now, let’s talk about this log archival, we can configure SIST log messages to be archived. So let’s say we have a file called Log File. When this file is archived, the file will be closed. It will then be compressed and its name will be changed to log file . 0 . GZ. The logs will then be written to a new file called Log File. When this file again needs to be archived, log filed or 0ed out, GZ will be renamed as log filed at one .. GZ log file will be renamed as log filed or 0 GC. And the service will then write the logs to a new file called Log File. And this will keep repeating until the maximum number of sites log files has been reached. This can be configured for all files or it can also be configured for individual files. Let’s understand from the terminal how to configure archival. All right, back over here. Let’s do set space question mark and you will notice that we can configure archival under the edit system. SIST Log I Archey when you can figure it here, you are configuring it for all the files. So let’s do set archive space question mark.
Now there’s a few things that we can configure here. Number one, we can configure the size of the files that need to be archived. We can also configure the number of files that need to be archived and we can also set the archive as word readable or no world readable. The difference really is who gets to read the log files. So if you set it to world readable, it allows any user to read the log file. But if you set it to no world readable, it only allows root users and users who have the maintenance permission to read log files. When we talked about logging classes in one of the earlier videos, we spoke about permissions that can be granted to users. When you want to run a top level command from within a configuration hierarchy. You can prefix it with top so we can do top set system log in class and let’s just give it a name for now. Let’s just call it demo and let’s do a question mark. The keyword is permissions. And when I do a question mark here, we can see all the permissions that can be associated with a logging class. And one of the permissions is maintenance.
So when you configure a archive file as no world readable, only root users or users who have the maintenance permission are allowed to read the log files. The other setting that we can configure here is binary data, or you can set it to no binary data. When you use this keyword, you are marking the file as if it contains binary data. The reason you would do this is when you are receiving server is configured to process files that contain binary data. So if you have special processing enabled for files that contain binary data, you would want to mark your files as binary data files. So this configuration here applies to all this as log files, if you want to apply to only individual files. We can do set file, file name. And when we do a question mark here, we have the option to configure archival settings. We have a few more options here. So we have the size command. We have files which allows us to specify the number of archived files. We can set a start time for file transmission and we can also set the archival site. So, for example, if we wanted to move the archive files to another FTB server, we can do archive sites.
Question mark. And now we can type in the FTB. You are all of our archive site. Keep in mind that if you can figure more than one site, the device will attempt to transfer the file to the first you arel in the list and it will only move to the next to you Aurel if it fails to transfer the files to the first. You are El. So we can configure archival over here. So important thing to keep in mind is that archival can be configured at the edit system, just log hierarchy, which would apply to all the files. Or it can also be configured on a per file basis.
One last thing that we’re going to look at before we end this video is how to delete a log file so we know how to look at a log file show log in here. We can take a look at the log files. But what if we wanted to delete a log file? We can use the command file. Delete. And if you do a question mark here, you will need to provide the full log file path that is/v, e, r/log. And then we can provide the log file name, for example, like commands. And that is delete it. If you want to clear the contents, you can do clear log and you can straightaway specify the file name. For example, clear log change log and that would clear the contents.
