Junos Automation (Scripting)

Help required in writing a script to log the changes (set/delete) done after commit

‎12-29-2016 06:31 AM

Hello All,

 

We have a requirement to log the configuration changes once a commit is done and send them to a syslog server. Also, we would want to log the username of the person who made those changes. I have heard this can be achieved with the help of scripting. I do not know scripting. If someone can help me achieve this it would be great.

 

Thanks,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎12-29-2016 09:46 AM

Hi

 

I don't think you need scripting for such a task, a simple event policy will work. Something like this:

 

lab@vSRX-1# show event-options 
policy EVENT_UI_COMMIT_PROGRESS {
    events UI_COMMIT_PROGRESS;
    attributes-match {
        "{$$.message}" matches "commit complete";
    }
    then {
        execute-commands {
            commands {
                "show configuration | compare rollback 1";
            }
            output-filename config-diff;
            destination vartmp;
            output-format text;
        }
    }
}
destinations {
    vartmp {
        archive-sites {
            /var/tmp;
        }
    }
}

This is how it works:

 

[edit]
lab@vSRX-1# set interfaces ge-0/0/3.0 family inet address 3.3.3.3/24 

[edit]
lab@vSRX-1# commit 
commit complete

[edit]
lab@vSRX-1# run file list /var/tmp/ 

/var/tmp/:
...
vSRX-1_config-diff_20161229_201431
...

[edit]
lab@vSRX-1# run file show /var/tmp/vSRX-1_config-diff_20161229_201431 
 
 
root@vSRX-1> show configuration | compare rollback 1
 
[edit interfaces]
+   ge-0/0/3 {
+       unit 0 {
+           family inet {
+               address 3.3.3.3/24;
+           }
+       }
+   }

 

 

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]

Re: Help required in writing a script to log the changes (set/delete) done after commit

‎12-29-2016 10:12 AM

Wondering if there is a way to get this output to email from the archive sites.

 

Thanks

 


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎12-29-2016 11:16 AM

Hi

 

The destination can be scp or ftp URL, or local dir as in my example.

 

I don't think you can email directly from Junos box. Unless built-in Python in newest Junos versions can be employed to do that, but it requires testing to check if this is possible.

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]

Re: Help required in writing a script to log the changes (set/delete) done after commit

‎12-29-2016 01:02 PM

With a suitable version of Junos you can send email via a SLAX script using the libcurl extension.

 

https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/general/junos-script-automati...

 

I've used this approach before, the following is a very simple example.

 

 

root@router> show configuration event-options
policy commit-change {
    events UI_COMMIT;
    then {
        event-script change-smtp.slax;
    }
}
event-script {
    file change-smtp.slax;
}

---------------------
change-smtp.slax
---------------------

version 1.1;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns curl extension = "http://xml.libslax.org/curl";

import "../import/junos.xsl";

match / {
  <event-script-results> {
    <output> {
        /* sleep - to ensure that get-commit-information gets the data */
        expr jcs:sleep("5");
        var $rpc = <get-commit-information>;
        var $conn = jcs:open();
        var $results = jcs:execute($conn,$rpc);
        /* get configuration in stanza format */
        var $rollback-rpc = <get-rollback-information> {
            <rollback> "0";
            <format> "text";
        }
        var $rollback = jcs:execute($conn,$rollback-rpc);
        var $config = $rollback/configuration-information/configuration-output;
        /* get compare statement */
        var $rollback-compare-rpc = <get-rollback-information> {
            <rollback> "0";
            <compare> "1";
        }
        var $rollback-compare = jcs:execute($conn,$rollback-compare-rpc);
        var $rollback-results = $rollback-compare/configuration-information/configuration-output;

        expr jcs:close($conn);

        var $email = {
          <method> "email";
          <server> "192.168.56.11";
          <from> "change-management@example.net";
          <to> "change-management@example.net";
          <subject> "Config change recorded on \"" _ $junos-context/hostname _ "\"";
          <contents> "
TIMESTAMP " _ $junos-context/localtime-iso  _ "
CHANGE BY " _ $results/commit-history[sequence-number = '0']/user _ "
---------

CONFIGURATION CHANGES
---------------------
          " _ $rollback-results _ "

CURRENT CONFIGURATION
---------------------
" _ $config _ "
          ";
        }
        var $smtp-results = curl:single($email);

    }
  }
}

 

This would then produce output similar to the following:

$ cat 130916105728500.eml
        Tue, 13 Sep 2016 10:57:28 +0000 (UTC)
From: change-management@example.net
To: change-management@example.net
Subject: Config change recorded on "router"
Date: 2016-09-13 10:57:28 UTC
Message-ID: ext-curl-2288724012-1804289383


TIMESTAMP 2016-09-13 10:57:23 UTC
CHANGE BY root
---------

CONFIGURATION CHANGES
---------------------

[edit system]
-   scripts {
-       op {
-           file smtp-email.slax;
-           file system-commit-smtp.slax;
-       }
-   }


CURRENT CONFIGURATION
---------------------

## Last changed: 2016-09-13 10:57:17 UTC
version 14.1R2.12;
system {
    host-name router;
    root-authentication {
        encrypted-password "$1$yadanyadayada"; ## SECRET-DATA
    }
....

 

 

Regards,

Andy
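
The `| compare` output captured by the event policy and by the SLAX script above can be flattened into one set/delete-style audit line per change before it is forwarded to a syslog server, and the sample email shows why `## SECRET-DATA` values (such as the `encrypted-password` line) should be stripped on the way. The following Python is an added example, not part of the thread or of Junos; the function names, the `config-audit` message layout and the sample hashes are assumptions, the user name is expected to come from the commit history as in the script above, and only `+`/`-` lines are handled.

```python
import re

# Constructed sample in the "| compare" format shown in this thread;
# the password hashes are made-up placeholders.
SAMPLE_DIFF = """\
[edit interfaces]
+   ge-0/0/3 {
+       unit 0 {
+           family inet {
+               address 3.3.3.3/24;
+           }
+       }
+   }
[edit system root-authentication]
-   encrypted-password "$1$oldplaceholder"; ## SECRET-DATA
+   encrypted-password "$1$newplaceholder"; ## SECRET-DATA
"""

ACTIONS = {"+": "set", "-": "delete"}
EDIT_RE = re.compile(r"^\[edit\s*(.*)\]$")


def flatten_diff(diff_text):
    """Return (action, path) tuples, one per changed leaf statement."""
    base, stack, changes = [], [], []
    for raw in diff_text.splitlines():
        header = EDIT_RE.match(raw.strip())
        if header:  # new hunk: reset the hierarchy context
            base, stack = header.group(1).split(), []
            continue
        sign = raw[:1] if raw[:1] in ACTIONS else ""
        secret = "SECRET-DATA" in raw
        stmt = raw[len(sign):].split("##")[0].strip()
        if stmt.endswith("{"):  # container opens
            stack.append(stmt[:-1].strip())
        elif stmt == "}":  # container closes
            if stack:
                stack.pop()
        elif sign and stmt.endswith(";"):
            leaf = stmt[:-1]
            if secret:  # never forward hashes or keys
                leaf = leaf.split()[0] + " <redacted>"
            changes.append((ACTIONS[sign], " ".join(base + stack + [leaf])))
    return changes


def audit_lines(diff_text, user, host):
    """Hypothetical message layout: one line per change, tagged with the user."""
    return [f"{host} config-audit: user={user} {action} {path}"
            for action, path in flatten_diff(diff_text)]
```

The returned strings can be handed to Python's `logging.handlers.SysLogHandler` on whichever host receives the diff files.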


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎01-31-2017 09:23 AM

Hello Guys,

 

Thanks so much for your input. I would like to test one of the options. If I need any help or have questions I will get back to you. Apologies for the late reply. Thanks again.

 

Thanks,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-01-2017 08:36 AM

 Hello Andy,

 

Is it possible to share a config file with me to achieve this? I would then configure it on one of the SRX or EX devices and check the output. I really am new to this and do not have much idea of how this works.

 

Regards,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-01-2017 08:55 AM

Which version of Junos are you running on your SRX and EX?

 

Regards,

Andy


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-02-2017 01:57 AM

Hi Andy,

 

Below are the Models and their junos version.

 

SRX - 650, 240  

Junos version 12.1X46-D55.3

 

EX - 4500,4200,3300,3200,4550

junos version - 12.3R12.4 

 

 

Thanks,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-02-2017 02:29 AM

Hi Kunal,

 

The SLAX script approach leveraging the libcurl extension to send email won't be an option for you, as the minimum software requirements aren't met for SRX.

 

If I recall correctly, the curl extension for SLAX was introduced in SLAX version 1.1, which requires Junos 12.2 or higher.

 

I know that 12.1 only supports SLAX version 1.0 which rules out the SRX unless it is running a 12.3 or 15.1 (which is only available on either the newer models or older branch models that have sufficient RAM 2GB+ if I recall correctly).

 

For the EX, since you are running 12.3, I would have thought that the script/config from my earlier post would be sufficient although I've not tested on an EX before, mainly on MX and vMX.

 

If you require the step by step approach I'd use for the EX let me know and I'll break down the steps into those that I think would work (but of course I've not tested on EX yet so it might take a bit of trial and error).

 

Regards,

Andy

 

 


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-02-2017 03:54 AM

Hi Andy,

 

Thank you for the information. However, the latest Junos version is out (Junos 12.3X48-D40). If I install this OS, will it then be possible? Also, for the EX series, if you could give me a step-by-step configuration that'd be great. Is it possible for you to test on EX first and see if we could get the output as expected? Thanks in advance.

 

 

Thanks,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-02-2017 04:31 AM

Hi Kunal,

 

If my assumptions on support of the curl extension in 12.3 are correct, then I would expect this to work on SRX too.  Of course, I've only tested on MX and vMX running 14.x so I can't be 100% sure if there are any subsequent caveats.

 

Unfortunately I don't have access to any spare EX's, everything I'm working on is tied up for other projects so I'm not able to work on those.

 

The approach that I would use (same for EX/SRX/MX) would be as follows.

 

Create the SLAX script with your preferred editor, containing the following code, and save it with a filename "change-smtp.slax"

 

You will need to modify three values in the code below to match your requirements, they are highlighted in bold, and represent the ip address of your SMTP server, and the to and from email addresses.

 

 

version 1.1;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns curl extension = "http://xml.libslax.org/curl";

import "../import/junos.xsl";

match / {
  <event-script-results> {
    <output> {
        /* sleep - to ensure that get-commit-information gets the data */
        expr jcs:sleep("5");
        var $rpc = <get-commit-information>;
        var $conn = jcs:open();
        var $results = jcs:execute($conn,$rpc);
        /* get configuration in stanza format */
        var $rollback-rpc = <get-rollback-information> {
            <rollback> "0";
            <format> "text";
        }
        var $rollback = jcs:execute($conn,$rollback-rpc);
        var $config = $rollback/configuration-information/configuration-output;
        /* get compare statement */
        var $rollback-compare-rpc = <get-rollback-information> {
            <rollback> "0";
            <compare> "1";
        }
        var $rollback-compare = jcs:execute($conn,$rollback-compare-rpc);
        var $rollback-results = $rollback-compare/configuration-information/configuration-output;

        expr jcs:close($conn);

        var $email = {
          <method> "email";
          <server> "192.168.56.11";
          <from> "change-management@example.net";
          <to> "change-management@example.net";
          <subject> "Config change recorded on \"" _ $junos-context/hostname _ "\"";
          <contents> "
TIMESTAMP " _ $junos-context/localtime-iso  _ "
CHANGE BY " _ $results/commit-history[sequence-number = '0']/user _ "
---------

CONFIGURATION CHANGES
---------------------
          " _ $rollback-results _ "

CURRENT CONFIGURATION
---------------------
" _ $config _ "
          ";
        }
        var $smtp-results = curl:single($email);

    }
  }
}

Once the script has been created, you will need to transfer this to your devices; this could be performed using Junos Space (if you are using it), or manually via scp/ftp etc. The script should reside in the /var/db/scripts/event directory on the device(s).

 

If SRX are clustered, then the script will need to reside on both sides of the cluster.

 

For more information about installation of SLAX scripts on Junos refer to the following links.

http://www.juniper.net/techpubs/en_US/junos/topics/concept/junos-script-automation-event-script-over...

http://www.juniper.net/techpubs/en_US/junos/topics/usage-guidelines/automation-enabling-an-event-scr...

 

Once the script is present in the /var/db/scripts/event location, you can then configure the event-policy that will trigger the event script.

 

user@router> configure
user#
user# set event-options policy commit-change events UI_COMMIT
user# set event-options policy commit-change then event-script change-smtp.slax
user# set event-options event-script file change-smtp.slax
user# commit and-quit
user@router>

Now that the event-policy is enabled, any subsequent configuration changes on the device will trigger the UI_COMMIT event, and the event-policy "commit-change" will detect that UI_COMMIT event and trigger the change-smtp event script.

 

The event script will then execute and collect data about the current configuration, comparison from the previous rollback and send an email with the data collected to the smtp server and email address defined inside the script.

 

Regards,

Andy

 

 


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎02-06-2017 01:31 AM

Hello Andy,

 

Thanks a ton for your help and the configuration. I would test this on one of the EX switch and let you know. 

However, I hope once the SRX is upgraded to 12.3 this will work on it too. If I have any questions or require your assistance I will post it here. Thanks again Andy, really appreciate your help. Cheers!!! 🙂 

 

Thanks,

Kunal Tupe


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎03-11-2017 09:28 AM

Andy,

 

Trying your code, when I disable ge-0/0/4 on an EX2300, the body does not show anything.

 

This is the title of the email:

 

Config change recorded on "CORPTEST"

 

Body of email is blank, is that normal for disabling a port?

JNCIA-Junos

Re: Help required in writing a script to log the changes (set/delete) done after commit

‎03-11-2017 09:49 AM

Hi,

 

Do you get the body message populated with valid data for a change other than disabling an interface?

Just trying to see if it's a general issue for _any_ configuration change, or something more specific.

 

Is the script working on other device models?  I've certainly not tried this on an EX2300, so can't say for sure what the exact cause of this behaviour is.

 

The script was intended to generate a message based on a commit event being detected. Since the email is being sent, then obviously the trigger is taking place. Now, it could be that there are issues with the 2 RPCs that are called:

<get-commit-information>

<get-rollback-information>

 

The latter RPC being called twice, once to obtain rollback 0 in text format, and a second time to generate a comparison between rollbacks 1 and 0 (the diff report).

 

So it is possible that something is breaking down in that process that is causing the message body not to get created accurately??

 

My approach to debug this would be to convert the script to an "op" script, e.g. copy it to /var/db/scripts/op and change <event-script-results> to <op-script-results>. Then you'd be able to execute the script from the CLI and see what happens, and add appropriate debug statements to try and analyze the data at different steps etc.

 

Regards,

Andy

 


Re: Help required in writing a script to log the changes (set/delete) done after commit

‎03-12-2017 01:13 PM

Andy,

 

Let me give that a try. I have several other switches I could try it on, but they are in production, maybe changing SNMP value might be good enough to test it.

 

Thanks

Tom

JNCIA-Junos

Re: Help required in writing a script to log the changes (set/delete) done after commit

‎03-13-2017 05:02 AM

Andy,

 

Loading it on an EX2300 and EX3200, same issue.

Not so good at SLAX, can you put in some debug lines for me to test?

 

I changed the sleep time to 25, still the same results, no text in the body.

 

Thanks

Tom

JNCIA-Junos

Re: Help required in writing a script to log the changes (set/delete) done after commit

‎04-03-2017 07:13 AM

I have requested assistance from JTAC on this, as no matter what I use, even a small op script sending a plain text email, it sends the email, but with no body in the email!

JNCIA-Junos