11-01-2011 07:12 AM
I am hoping there is a simple answer for this, but every three minutes or so I am seeing a log being generated that the user "root" logged in and executed "show configuration security | display xml" then logged off. I checked cron and there is nothing set for that time interval. We don't actively use the J-Web, but could it be coming from that? Here are some outputs from what I am seeing:
mgd: UI_LOGIN_EVENT: User 'root' login, class 'super-user' , ssh-connection '', client-mode 'cli'
mgd: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '
mgd: UI_LOGOUT_EVENT: User 'root' logout
10:09AM up 24 days, 9:16, 2 users, load averages: 1.12, 0.69, 0.48
USER TTY FROM LOGIN@ IDLE WHAT
root u0 - 08Oct11 4days cli
There is no serial connection to the device (SRX650) and it is in a clustered setup. Is this a feature of the SRX cluster and how it seems to copy the config over?
Reiterating the concern, it seems to happen about every 3 minutes.
Thanks for your help
12-22-2011 12:35 PM
I can't remember exactly the cause; it's been about 6 months since having that conversation with Juniper, but J-Web and some other services show log messages as root.
Took us by surprise as well. Is this a cluster? Use NSM or Junos Space?
You could disable root logins via SSH and see if there is any change.
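One way to triage the pattern described in this thread, as an added example that is not part of the original posts: it groups the mgd login/command/logout messages into sessions and reports commands that a user with an empty ssh-connection field repeats at a steady interval. Only the three message bodies come from the first post; the syslog timestamps, host name, the `mgd[pid]` tag used to correlate a session, and the `admin` SSH session are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ mgd\[(\d+)\]: (UI_\w+): User '([^']*)'(.*)$")
def field(name, text):
    m = re.search(name + r" '([^']*)'", text)
    return m.group(1).strip() if m else ""

def parse_sessions(text, year=2011):
    """Group mgd UI_* events into sessions, keyed by the mgd pid (assumed one per session)."""
    sessions = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts, pid, event, user, rest = m.groups()
        s = sessions.setdefault(pid, {"user": user, "src": "", "cmds": [], "start": None})
        if event == "UI_LOGIN_EVENT":
            s["start"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            s["src"] = field("ssh-connection", rest)
        elif event == "UI_CMDLINE_READ_LINE":
            s["cmds"].append(field("command", rest))
    return [s for s in sessions.values() if s["start"]]

def find_periodic(sessions, max_jitter=10):
    """Return (user, commands, median gap in seconds) for non-SSH sessions repeating steadily."""
    groups = {}
    for s in sessions:
        if not s["src"]:  # empty ssh-connection, as in the post: no SSH peer was recorded
            groups.setdefault((s["user"], tuple(s["cmds"])), []).append(s["start"])
    hits = []
    for (user, cmds), starts in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(sorted(starts), sorted(starts)[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter:
            hits.append((user, list(cmds), median(gaps)))
    return hits

def sample_session(ts, pid, user, src, cmd):  # CONSTRUCTED lines: timestamp, host, pid assumed
    h = f"Nov  1 {ts} srx-node0 mgd[{pid}]: "
    return (f"{h}UI_LOGIN_EVENT: User '{user}' login, class 'super-user' , ssh-connection '{src}', client-mode 'cli'\n"
            f"{h}UI_CMDLINE_READ_LINE: User '{user}', command '{cmd} '\n"
            f"{h}UI_LOGOUT_EVENT: User '{user}' logout\n")
POLL = "show configuration security | display xml"
SAMPLE = "".join(sample_session(*a) for a in [
    ("10:00:01", 4101, "root", "", POLL),
    ("10:01:30", 4150, "admin", "192.0.2.10 51515 192.0.2.1 22", "show chassis cluster status"),
    ("10:03:02", 4188, "root", "", POLL),
    ("10:06:01", 4242, "root", "", POLL),
    ("10:09:03", 4300, "root", "", POLL)])

if __name__ == "__main__":
    print(find_periodic(parse_sessions(SAMPLE)))
```

A steady interval with an empty ssh-connection field points at an on-box or management-platform poller rather than someone typing at a terminal, which narrows what to check next.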