3 Replies Latest reply on Nov 8, 2017 1:44 AM by sja

    Searching Juniper log messages for string and then executing a remediation script

    shoog

      Hello to the THWACK community!  This is my first post, so go easy on me.

       

      TLDR: I'm looking for a way for NCM to search Juniper logs and then if it finds a specified string, run a remediation script.

       

      Backstory:  I configured NetPath and added about 15 endpoints to monitor.  The endpoints show up green and I can see the paths that traffic is taking.  So far so good.  However, my fellow networking teammates are wondering what the heck is going on because they are seeing hundreds of log messages stating that the NCM server is sending null SSH packets.  Here's a sample:

       

      Oct 30 11:22:24  ASH-P-EDGEX-S1 sshd[6990]: Did not receive identification string from 10.74.144.11

      Oct 30 11:22:24  ASH-P-EDGEX-S1 inetd[1173]: /usr/sbin/sshd[6990]: exited, status 255

      Oct 30 11:22:25  ASH-P-EDGEX-S1 sshd[6991]: Did not receive identification string from 10.74.144.11

      Oct 30 11:22:25  ASH-P-EDGEX-S1 inetd[1173]: /usr/sbin/sshd[6991]: exited, status 255

      Oct 30 11:22:27  ASH-P-EDGEX-S1 inetd[1173]: ssh from 10.74.144.11 exceeded counts/min (limit 4/min)

      Oct 30 11:22:40  ASH-P-EDGEX-S1 last message repeated 13 times

       

      I have an easy way to make my teammates happy and that is to run the following command on the Juniper switch:

           set system syslog file messages match "!(.*Did not receive identification string from 10.74.144.11.*|.*exited, status 255.*|.*ssh from 10.74.144.11 exceeded counts/min.*)"

       

      That command will suppress the switch from logging the above commands.  Great!  Teammates happy.  However, I still have those other 14 devices to do as well.  I could easily log in to each switch and run the same command, but I want to fire up the old SolarWinds Wizard Hat and see if I can solve this using Network Configuration Manager. 

       

      When I try to create a rule to look for this, it doesn't appear that I can check the log messages for a string.  All I see that I can do is search the config file. That would help me in the Cisco ASA world, but Juniper devices don't show log messages in the config file.  Is there a way to search the log messages file rather than the config file with NCM?  If I can tell it to search for those same messages above, I could then write a remediation script that executes my set command and my life will be whole again.

       

      Thanks for any help ahead of time!
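An added example, not part of the original post and not NCM's own code: a Python script that runs the post's three message patterns over Junos syslog text, attributes the addressless "exited, status 255" lines to the prober by correlating the sshd PID with the preceding "Did not receive identification string" line, and emits the Junos suppression command for each host that logged probe noise. The sample lines are the ones from the post; two further lines from an assumed unrelated client at 192.0.2.77 are constructed for the example, and the NCM address 10.74.144.11 is the one in the post.

```python
import re
from collections import Counter, defaultdict

# Sample Junos syslog lines copied from the post above. The "last message
# repeated" line carries no process name and is skipped by the parser.
SAMPLE_LOG = """\
Oct 30 11:22:24  ASH-P-EDGEX-S1 sshd[6990]: Did not receive identification string from 10.74.144.11
Oct 30 11:22:24  ASH-P-EDGEX-S1 inetd[1173]: /usr/sbin/sshd[6990]: exited, status 255
Oct 30 11:22:25  ASH-P-EDGEX-S1 sshd[6991]: Did not receive identification string from 10.74.144.11
Oct 30 11:22:25  ASH-P-EDGEX-S1 inetd[1173]: /usr/sbin/sshd[6991]: exited, status 255
Oct 30 11:22:27  ASH-P-EDGEX-S1 inetd[1173]: ssh from 10.74.144.11 exceeded counts/min (limit 4/min)
Oct 30 11:22:40  ASH-P-EDGEX-S1 last message repeated 13 times
"""

# Constructed lines (not from the post): the same two messages caused by an
# assumed unrelated client, 192.0.2.77, which must NOT be attributed to NCM.
EXTRA_LOG = """\
Oct 30 11:23:01  ASH-P-EDGEX-S1 sshd[7010]: Did not receive identification string from 192.0.2.77
Oct 30 11:23:01  ASH-P-EDGEX-S1 inetd[1173]: /usr/sbin/sshd[7010]: exited, status 255
"""

# Junos syslog line: timestamp, hostname, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
NO_IDENT_RE = re.compile(r"^Did not receive identification string from (?P<ip>[\d.]+)$")
EXIT255_RE = re.compile(r"^/usr/sbin/sshd\[(?P<pid>\d+)\]: exited, status 255$")
RATE_RE = re.compile(r"^ssh from (?P<ip>[\d.]+) exceeded counts/min")


def find_probe_noise(log_text, prober_ip):
    """Return {host: Counter(kind -> count)} for lines caused by prober_ip.

    "exited, status 255" lines carry no address, so one is attributed to the
    prober only when its sshd PID matches an earlier "Did not receive
    identification string from <prober_ip>" line on the same host.
    """
    noise = defaultdict(Counter)
    prober_pids = set()  # (host, pid) pairs whose sshd session came from the prober
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. "last message repeated 13 times"
        host, proc, pid, msg = m["host"], m["proc"], m["pid"], m["msg"]
        if proc == "sshd":
            mm = NO_IDENT_RE.match(msg)
            if mm and mm["ip"] == prober_ip:
                prober_pids.add((host, pid))
                noise[host]["no_ident"] += 1
        elif proc == "inetd":
            mm = EXIT255_RE.match(msg)
            if mm:
                if (host, mm["pid"]) in prober_pids:
                    noise[host]["exit255"] += 1
                continue
            mm = RATE_RE.match(msg)
            if mm and mm["ip"] == prober_ip:
                noise[host]["rate_limit"] += 1
    return dict(noise)


def junos_suppress_command(prober_ip):
    """Build the Junos set command that stops logging the two messages that
    name the prober's address. Dots are escaped so the regex matches the
    literal address rather than any character. "exited, status 255" has no
    address and cannot be scoped by source in a syslog match regex, so this
    example deliberately leaves it logged."""
    ip = prober_ip.replace(".", r"\.")
    alternatives = "|".join([
        f".*Did not receive identification string from {ip}.*",
        f".*ssh from {ip} exceeded counts/min.*",
    ])
    return f'set system syslog file messages match "!({alternatives})"'


def remediation_plan(log_text, prober_ip):
    """Map each host that logged probe noise to the command to push to it."""
    noise = find_probe_noise(log_text, prober_ip)
    cmd = junos_suppress_command(prober_ip)
    return {host: cmd for host in sorted(noise)}


if __name__ == "__main__":
    for host, counts in find_probe_noise(SAMPLE_LOG + EXTRA_LOG, "10.74.144.11").items():
        print(host, dict(counts))
    for host, cmd in remediation_plan(SAMPLE_LOG + EXTRA_LOG, "10.74.144.11").items():
        print(f"{host}: {cmd}")
```

The generated match string differs from the command in the post in one respect worth noting: the post's middle alternative, `.*exited, status 255.*`, suppresses that message for every client, not just NCM, which would also hide the same line produced by a scanner or a failing SSH client. The example instead leaves it logged and uses the PID correlation in `find_probe_noise` to attribute it. Nothing here assumes how NCM itself evaluates log text; the block only shows the matching logic and the command string a remediation script would push.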