Junos

Re: JunosScript: Op script used to write notes to a custom log file

‎05-07-2010 02:30 AM

It probably wouldn't be foolproof, but if you use the output from the <get-system-users-information> table, your script might be able to determine who was running it at the time. This returns the following XML:

 

<uptime-information>
...
	<user-table>
		<user-entry>
			<user>vaniderstine</user>
			<tty>p0</tty>
			<from>172.16.126.245</from>
			<login-time junos:seconds="1273217186">3:26AM</login-time>
			<idle-time junos:seconds="1">-</idle-time>
			<command>-cli (cli)</command>
		</user-entry>
		<user-entry>
			...
		</user-entry>
	</user-table>
</uptime-information>

 If you can determine what the <command> field will be for your users running your script, you can extract the user field from the appropriate row.

 

BTW, I'm running 10.1R1.8 on an EX4200, and have not yet tried it on a J6350 or SRX-210, so your mileage may vary.

 

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)

Re: JunosScript: Op script used to write notes to a custom log file

‎10-02-2009 09:12 AM
Bummer, looks like <get-authorization-information> returns the local user name, just like the $user parameter. I'll let the developers know, it would be useful to have an easy way to learn the RADIUS name. For now it looks like you'll need to keep manually including the true name as an argument to your op script. (Or use the op + event approach I provided once you upgrade to 9.3 or beyond).

Re: JunosScript: Op script used to write notes to a custom log file

‎10-02-2009 09:04 AM

Interesting...

 

 

{master}
josh@router01> op test
User Name: Engineer
Class: super-user

 

This is the local user template that my radius account is associated with. We have a many to one association of radius usernames to local template usernames. I.e., bob, harry and I are all using the 'Engineer' template, while sam, mike and susan are using the 'Noc' template.

 

This is better than nothing, but doesn't show the radius name.

 

Maybe we could extract this information.

 

 

{master}
josh@router01> show system users no-resolve
10:54AM up 4 days, 15:19, 1 user, load averages: 0.08, 0.07, 0.02
USER     TTY FROM        LOGIN@  IDLE WHAT
josh     p0  72.2.3.4    10:32AM -    -cli (cli)

{master}
josh@router01> show system users no-resolve | display xml
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/9.2R3/junos">
    <system-users-information xmlns="http://xml.juniper.net/junos/9.2R3/junos">
        <uptime-information>
            <date-time junos:seconds="1254498895">10:54AM</date-time>
            <up-time junos:seconds="400758">4 days, 15:19</up-time>
            <active-user-count junos:format="1 user">1</active-user-count>
            <load-average-1>0.07</load-average-1>
            <load-average-5>0.06</load-average-5>
            <load-average-15>0.02</load-average-15>
            <user-table>
                <user-entry>
                    <user>josh</user>
                    <tty>p0</tty>
                    <from>72.2.3.4</from>
                    <login-time junos:seconds="1254497542">10:32AM</login-time>
                    <idle-time junos:seconds="0">-</idle-time>
                    <command>-cli (cli)</command>
                </user-entry>
            </user-table>
        </uptime-information>
    </system-users-information>
    <cli>
        <banner>{master}</banner>
    </cli>
</rpc-reply>

 

The problem with this approach is this output shows you all logged in users currently, but doesn't tell us which one is 'me'.  Most of the time, there is only one user logged in, but what do you have the script do when there is more than one?

 

I'd be happy to at least incorporate the local user template that is in use.  

 

 

 

 


Re: JunosScript: Op script used to write notes to a custom log file

‎10-02-2009 05:34 AM

Sorry, I should have been more specific, yes I was hoping you'd run it as an op script.  Change the "match configuration" to "match /" and it should run.  "match configuration" is the main template for commit scripts, but op and event scripts require "match /" to be their main template in order to run.

 

Also, make sure the o in output is lower-case.  I think the auto-smilies in the message-board altered the syntax of my example.


Re: JunosScript: Op script used to write notes to a custom log file

‎10-01-2009 11:37 PM

I wasn't sure how you wanted me to run this, so I set it up as an op script. I believe the jcs:output command is supposed to print out the user and class, right? This is what I applied, and it doesn't return anything (null).

 

 

% vi /var/db/scripts/op/test.slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match configuration {
    var $results = jcs:invoke( "get-authorization-information" );
    expr jcs:Output( "User Name: ", $results/user-information/user );
    expr jcs:Output( "Class: ", $results/user-information/user-class );
}

{master}
josh@router01> op test

{master}
josh@router01>

 

 

 


Re: JunosScript: Op script used to write notes to a custom log file

‎10-01-2009 11:00 AM

I recently learned that the <get-authorization-information> RPC might return the RADIUS/TACACS username rather than the local user name.  Could you run the following on your JUNOS device and verify which name it returns?

 

        var $results = jcs:invoke( "get-authorization-information" );
        expr jcs:output( "User Name: ", $results/user-information/user );
        expr jcs:output( "Class: ", $results/user-information/user-class );

 

Assuming it returned the correct name, that would allow you to log the RADIUS name automatically rather than requiring an extra command-line argument.


JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 01:34 PM

So, from time to time, we have something happen that is unexplained, and we have to live with not knowing the root cause.  Two examples that have come up recently are a PEM not coming online after a power outage, but working fine after turning it on and then off, and also a Gig link to a customer going down for about a minute and coming right back up.  Neither is hugely alarming, but if either were to happen more than once, we'd want to know and correlate the beginning of a pattern.

 

To document this, we've used the filesystem on our routers.

 

 

{master}
josh@router01> start shell
% echo "Sep 23 15:28:00 PEM0 failed to come online after a complete power failure. Other PEM's were online, but PEM0 stuck in 'Present' state. turning PEM0 on and then off brought it back into working state. -Josh" >> /var/log/engineer
% exit
exit

{master}
josh@router01> show log engineer
Sep 23 15:28:00 PEM0 failed to come online after a complete power failure. Other PEM's were online, but PEM0 stuck in 'Present' state. turning PEM0 on and then off brought it back into working state. -Josh

 

This works fairly well, and is a great way to keep notes right on the router, about anything that happens unique to that router (i.e., card or optic installation, replacement, anomalies, etc.).

 

I'm interested in creating an op script that will write to a file in /var/log the same way, but I'm unsure how to do so. (I have loaded a couple of op scripts successfully, but I'm unsure what commands would be used to write to a file like this.)

 

 

user@router01> op lognote "place message here"
** Note Logged. 'show log notes' to view.

user@router01> show log notes
Sep 23 15:28:00 user: place message here

 

 Basically, I'd like to avoid dropping to shell, and reduce steps to make a note like this.

 

Thanks much for help accomplishing this!

 

 

 


Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 02:15 PM

Here is a basic op script that accomplishes what you want.  You can polish it up and add error checking or any other capability you'd like:

 

jnpr@r2d2-re0> op log-note text "This is my first comment!"
Note logged.  Enter 'show log notes' to view.

jnpr@r2d2-re0> op log-note text "Is it lunch time yet?"
Note logged.  Enter 'show log notes' to view.

jnpr@r2d2-re0> op log-note text "Why does legal want to talk to me?"
Note logged.  Enter 'show log notes' to view.

jnpr@r2d2-re0> show log notes
Wed Sep 23 14:09:18 2009 jnpr: This is my first comment!

Wed Sep 23 14:09:53 2009 jnpr: Is it lunch time yet?

Wed Sep 23 14:10:02 2009 jnpr: Why does legal want to talk to me?

jnpr@r2d2-re0> file list detail /var/log/notes
-rwxrwxrwx  1 jnpr  staff        178 Sep 23 14:10 /var/log/notes*
total 1

Note that creating a file in /var/log requires superuser access (or the maintenance bit perhaps?)

 

There isn't a way to append to a file via scripting, that I know of, so the current log has to be read and then the file rewritten entirely with the new comment appended.


Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 02:29 PM

Fantastic!

 

A couple of questions though.  First, is the 'text' argument.  Is this necessary?  What other values for this first argument did you think might be useful?

 

Second, we're using Radius authentication, and apparently, my radius user falls under the local 'root' account:

 

 

{master}
josh@router01> op log-note text test
Note logged. Enter 'show log notes' to view.

{master}
josh@router01> show log notes
Wed Sep 23 16:24:04 2009 root: test

This appears to be from the built-in variable $user. Any ideas how to find out the radius account/login name?

 

 


Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 02:38 PM

Op script arguments have to be named, but the name isn't important, you can change text to be whatever you like.

 

I don't know how to get the radius username, I don't believe there is a direct way to do it.  The only parameter provided into the script related to the user is $user and apparently that refers to the local account.  It would be nice to get two separate values, one for the local account and one for the radius user, but that is not currently available.

 

What does the interactive commands log file show as the username for the CLI commands you type?  Root or the radius username?  If it shows the radius username then I have an idea for a workaround, if not then you might have to have them enter it manually.


Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 02:42 PM

Here is the syslog message I'm referring to:

 

Sep 23 14:09:18  r2d2-re0 mgd[23807]: UI_CMDLINE_READ_LINE: User 'jnpr', command 'op log-note text "This is my first comment!" '

What username is reported there on your JUNOS device?

 

Message Edited by ccall on 09-23-2009 02:43 PM

Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 02:49 PM

It shows the Radius username:

 

 

Sep 23 16:51:22 router01 mgd[28030]: UI_CMDLINE_READ_LINE: User 'josh', command 'op log-note text test6 '
Sep 23 16:51:22 router01 file[28851]: UI_AUTH_EVENT: Authenticated user 'SUPERUSER' at permission level 'j-super-user'
Sep 23 16:51:22 router01 file[28851]: UI_LOGIN_EVENT: User 'josh' login, class 'j-super-user' [28851]
Sep 23 16:51:22 router01 file[28851]: UI_JUNOSCRIPT_CMD: User 'josh' used JUNOScript client to run command 'file-list style=detail path=/var/log/notes'
Sep 23 16:51:22 router01 file[28851]: UI_CHILD_START: Starting child '/bin/sh'
Sep 23 16:51:22 router01 file[28851]: UI_CHILD_STATUS: Cleanup child '/bin/sh', PID 28852, status 0
Sep 23 16:51:22 router01 file[28851]: UI_LOGOUT_EVENT: User 'josh' logout
Sep 23 16:51:22 router01 file[28854]: UI_AUTH_EVENT: Authenticated user 'SUPERUSER' at permission level 'j-super-user'
Sep 23 16:51:22 router01 file[28854]: UI_LOGIN_EVENT: User 'josh' login, class 'j-super-user' [28854]
Sep 23 16:51:22 router01 file[28854]: UI_JUNOSCRIPT_CMD: User 'josh' used JUNOScript client to run command 'file-get filename=/var/log/notes encoding=ascii'
Sep 23 16:51:22 router01 file[28854]: UI_LOGOUT_EVENT: User 'josh' logout
Sep 23 16:51:22 router01 file[28855]: UI_AUTH_EVENT: Authenticated user 'SUPERUSER' at permission level 'j-super-user'
Sep 23 16:51:22 router01 file[28855]: UI_LOGIN_EVENT: User 'josh' login, class 'j-super-user' [28855]
Sep 23 16:51:22 router01 file[28855]: UI_JUNOSCRIPT_CMD: User 'josh' used JUNOScript client to run command 'file-put filename=/var/log/notes permission=777 encoding=ascii delete-if-exist file-contents=/var/log/notes.Zt7wb'
Sep 23 16:51:22 router01 file[28855]: UI_LOGOUT_EVENT: User 'josh' logout

 

 

 Is a list of known internal variables documented somewhere (according to JUNOS release) ?

Message Edited by JoshTX on 09-23-2009 03:17 PM

Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 03:58 PM

For a list of the current default script parameters you can consult the new "Applying JUNOS Automation" Day One Guide:

http://junos.juniper.net/Day-One-Guides/

 

I created a workaround, but it requires JUNOS 9.3 so hopefully you are at that version or above.  To work, the updated log-note.slax script must be enabled as both an op script and as an event script:

 

Copied to:

/var/db/scripts/op

/var/db/scripts/event

 

Enabled:

set system scripts op file log-note.slax

set event-options event-script file log-note.slax

 

Here is the new script logic:

User executes op log-note text "something" from the command line - the script pauses for a couple seconds and then returns a message.

However, the act of executing the op script resulted in a JUNOS event which spawned the log-note.slax script - as an event script.  When run as an event script it extracts the username and command that was executed and then appends everything to the file.

 

The main difference is that you won't get any feedback about errors at the command-line, instead they will show up in the syslog.  And there isn't any restriction on who can write to the file because the event script is run by root, so root can create the /var/log/notes file no matter who was the first person to log to it.

 

Please let me know if this works or not, I don't have radius authentication on my test system.
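
Added example, not part of the thread and not the log-note.slax script: an off-box Python sketch of the extraction step described above, pulling the authenticated username and note text out of mgd UI_CMDLINE_READ_LINE syslog lines so a note is attributed to the RADIUS login rather than the local template account. The function names are hypothetical; the script name `log-note` and argument name `text` are taken from the thread.

```python
import re
import shlex

# In this thread mgd logs each CLI line under the authenticated (RADIUS) login
# name, while the script's $user parameter only carries the local account.
CMDLINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"mgd\[\d+\]:\s+UI_CMDLINE_READ_LINE:\s+"
    r"User '(?P<user>[^']*)', command '(?P<cmd>.*)'\s*$"
)

def parse_note(line, script="log-note", arg="text"):
    """Return (timestamp, host, user, note) for 'op <script> <arg> ...', else None."""
    m = CMDLINE_RE.match(line)
    if m is None:
        return None
    try:
        words = shlex.split(m.group("cmd"))  # honours the CLI's double quotes
    except ValueError:
        return None  # unbalanced quoting: skip the line rather than guess
    if len(words) < 4 or words[:3] != ["op", script, arg]:
        return None
    # Replace non-printable characters so a note cannot forge extra log lines.
    note = "".join(c if c.isprintable() else "?" for c in " ".join(words[3:]))
    return m.group("ts"), m.group("host"), m.group("user"), note

def collect_notes(lines):
    """Format every matching line as '<timestamp> <user>: <note>'."""
    parsed = (parse_note(line) for line in lines)
    return [f"{ts} {user}: {note}" for ts, _host, user, note in filter(None, parsed)]

# The first three lines are quoted from the thread; the last one is constructed.
SAMPLE = [
    "Sep 23 14:09:18  r2d2-re0 mgd[23807]: UI_CMDLINE_READ_LINE: User 'jnpr', "
    "command 'op log-note text \"This is my first comment!\" '",
    "Sep 23 16:51:22 router01 mgd[28030]: UI_CMDLINE_READ_LINE: User 'josh', "
    "command 'op log-note text test6 '",
    "Sep 23 16:51:22 router01 file[28851]: UI_LOGIN_EVENT: User 'josh' login, "
    "class 'j-super-user' [28851]",
    "Sep 23 16:52:01 router01 mgd[28030]: UI_CMDLINE_READ_LINE: User 'josh', "
    "command 'show log notes '",
]

if __name__ == "__main__":
    for entry in collect_notes(SAMPLE):
        print(entry)
```
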


Re: JunosScript: Op script used to write notes to a custom log file

‎09-23-2009 06:55 PM

Unfortunately, I'm still running 9.2, so I won't be able to try it.  I REALLY appreciate the examples though.  I'll add an argument for username, and feel that I'll learn quite a bit from this example. 

 

Thank you.

 

-Josh