I am hoping there is a simple answer for this, but every three minutes or so I am seeing a log being generated that the user "root" logged in and executed "show configuration security | display xml" then logged off. I checked cron and there is nothing set for that time interval. We don't actively use the J-Web, but could it be coming from that? Here are some outputs from what I am seeing:
mgd: UI_LOGIN_EVENT: User 'root' login, class 'super-user' , ssh-connection '', client-mode 'cli'
mgd: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration security | display xml '
mgd: UI_LOGOUT_EVENT: User 'root' logout
% w
10:09AM up 24 days, 9:16, 2 users, load averages: 1.12, 0.69, 0.48
USER TTY FROM LOGIN@ IDLE WHAT
root u0 - 08Oct11 4days cli
There is no serial connection to the device (SRX650) and it is in a clustered setup. Is this a feature of the SRX cluster and how it seems to copy the config over?
Reiterating the concern, it seems to happen about every 3 minutes.