Junos Automation (Scripting)

commit script to detect deleted items

03-23-2015 06:58 PM

Hello Forum

I want to have a commit script that intercepts the delete of certain configuration elements in the JUNOS hierarchy. I have found that the deleted configuration is not showing up in the candidate configuration and as such my commit script has nothing to trigger on.

Any ideas on how to detect deletes via a commit script?

Thanks


Re: commit script to detect deleted items

03-24-2015 03:41 AM

Hello,

I don't think You even need a commit script to detect that.

An event-policy matching on "UI_CMDLINE_READ_LINE" or "UI_CFG_AUDIT_OTHER" event containing "delete" should suffice:

aarseniev@mx480-re0> show log messages.0.gz | grep UI_ | grep delet 
Mar 17 14:30:34  mx480-re0 mgd[57977]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'aarseniev', command 'delete configuration '
Mar 17 14:30:34  mx480-re0 mgd[57977]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'aarseniev' delete: [system archival configuration]

{master}
aarseniev@mx480-re0> help syslog CFG_AUDIT_OTHER 
Name:          UI_CFG_AUDIT_OTHER
Message:       User '<username>' <action>: <pathname> <delimiter><value>
Help:          Configuration object was deleted, activated, or deactivated
Description:   The indicated user deleted, activated, or deactivated a configuration object, as indicated. The
               Junos configuration log facility logged the change.
Type:          Event: This message reports an event, not an error
Severity:      info
Facility:      ANY

So Your event-policy should look like:

aarseniev@mx480-re0# show | compare 
[edit event-options]
+ policy bark-on-delete {
+     events CFG_AUDIT_OTHER;
+     attributes-match {
+         "{$$.action}" matches delete;
+         "{$$.pathname}" matches <<whatever>>;
+     }
+     then {
+         execute-commands {
+             commands {
+                 "raise hell";
+             }
+         }
+     }
+ }

HTH

Thanks

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: commit script to detect deleted items

03-24-2015 03:54 AM

That looks interesting, I was not aware of this feature. Can the execute commands be based on values from the detected delete command? E.g. if I wanted to change an interface delete into an interface disable, could I pull out the interface identifier?

Re: commit script to detect deleted items

03-24-2015 03:55 AM
Also thanks for the quick response!

Re: commit script to detect deleted items

03-24-2015 03:58 AM

I should add I was thinking commit script as the delete I want to intercept will fail unless it's modified. The delete is triggered by an automated system that I want to avoid changing, and I was hoping to work around it using Junos.

Re: commit script to detect deleted items

03-24-2015 04:42 AM

Hello,

@stephen.gradzki wrote:
That looks interesting, I was not aware of this feature. Can the execute commands be based on values from the detected delete command? E.g. if I wanted to change an interface delete into an interface disable, could I pull out the interface identifier?

Yes, You can, but You will need to use a SLAX event-script to parse the "<pathname> <delimiter><value>" string to extract the interface name and possibly the unit.

@stephen.gradzki wrote:

I should add I was thinking commit script as the delete I want to intercept will fail unless it's modified. The delete is triggered by an automated system that I want to avoid changing, and I was hoping to work around it using Junos.

The "fail" requirement can be met by logging out the corresponding user (presumably, You use a unique login username for automated system) who's done the wrong change.

And if the automated system use "edit private", then its changes will disappear on logout as well.

One important thing You need to take care of is timing - the event-policy+event-script could be acting slower than You think and log out automated user AFTER the changes are committed, so inserting a pause into automated system' script would help a lot.

HTH

Thanks

Alex

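
Added example, not from this thread, Juniper or any poster: the parsing step Alex describes (pull the interface name and unit out of the "<pathname> <delimiter><value>" part of UI_CFG_AUDIT_OTHER) done in Python against constructed log lines in the format quoted above, with the "interface delete" turned into the "interface disable" statement the second poster asked about. The 'automation' login, the interface paths and the resulting set statements are assumptions for illustration; on the box itself this logic would live in a SLAX event-script as Alex says.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample lines in the UI_CFG_AUDIT_OTHER format quoted in the thread;
# the 'automation' user and the interface paths are made up for illustration.
SAMPLE_LOG = """\
Mar 17 14:30:34  mx480-re0 mgd[57977]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'aarseniev' delete: [system archival configuration]
Mar 17 14:31:02  mx480-re0 mgd[57977]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'automation' delete: [interfaces ge-0/0/1]
Mar 17 14:31:05  mx480-re0 mgd[57977]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'automation' delete: [interfaces ge-0/0/2 unit 100]
Mar 17 14:31:09  mx480-re0 mgd[57977]: %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'automation' deactivate: [interfaces ge-0/0/3]
Mar 17 14:31:10  mx480-re0 mgd[57977]: %INTERACT-6-UI_CMDLINE_READ_LINE: User 'automation', command 'delete interfaces ge-0/0/1 '
"""
# user, action and the bracketed pathname; anything after the bracket is the
# optional "<delimiter><value>" tail from the help text.
AUDIT_RE = re.compile(
    r"UI_CFG_AUDIT_OTHER: User '(?P<user>[^']+)' (?P<action>\w+): "
    r"\[(?P<pathname>[^\]]*)\](?P<rest>.*)$"
)

@dataclass
class AuditEvent:
    user: str
    action: str
    path: List[str]  # pathname split into hierarchy tokens
    value: str       # trailing value part, usually empty for deletes

def parse_audit(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a UI_CFG_AUDIT_OTHER line, None for other lines."""
    m = AUDIT_RE.search(line)
    return AuditEvent(m["user"], m["action"], m["pathname"].split(), m["rest"].strip()) if m else None

def disable_instead_of_delete(ev: AuditEvent) -> Optional[str]:
    """Turn a delete of [interfaces <ifd>] or [... unit <n>] into a 'disable' statement."""
    if ev.action != "delete" or len(ev.path) < 2 or ev.path[0] != "interfaces":
        return None
    if len(ev.path) == 2:
        return f"set interfaces {ev.path[1]} disable"
    if len(ev.path) == 4 and ev.path[2] == "unit":
        return f"set interfaces {ev.path[1]} unit {ev.path[3]} disable"
    return None  # deeper paths (e.g. a single family) are left alone

def plan_actions(log: str, watched_user: str) -> List[str]:
    """Collect compensating statements for deletes made by one automated login."""
    actions = []
    for line in log.splitlines():
        ev = parse_audit(line)
        if ev and ev.user == watched_user:
            stmt = disable_instead_of_delete(ev)
            if stmt:
                actions.append(stmt)
    return actions
```

Matching on the username is what keeps an operator's own deletes (the 'aarseniev' line) from being rewritten; the UI_CMDLINE_READ_LINE line is ignored because only the audit message carries the structured pathname.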