Community
Aruba & ProVision-based
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Configuration-Change Logging

 
Fleischen
Fleischen
Occasional Advisor

‎03-16-2016 12:19 PM

‎03-16-2016 12:19 PM

Configuration-Change Logging

Hello,

How do I comply with PCI DSS requirement 10.2.2 when using a Procurve switch?
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf)

The core of this requirment is that all changes done on the switch must be logged. Using "logging notify running-config-change" only notifies that a change has been made not what was changed. And also send it to a syslog server.

On a cisco switch it is quite easy:

(http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html) Chapter "Enabling the Configuration-Change Logger"

How do I do it on a procurve switch?

Thanks!

0 Kudos
Reply
3 REPLIES 3
Dave Harrold
Dave Harrold
Advisor

‎03-16-2016 12:22 PM

‎03-16-2016 12:22 PM

Re: Configuration-Change Logging

This is what I did to meet that requirement for a customer.  They are using IMC for management, so that is the IP address used.

config t
logging <log-host-ip>
logging facility syslog
logging notify running-config-change transmission-interval 10
aaa accounting exec start-stop syslog
aaa accounting commands stop-only syslog
end

Dave

0 Kudos
Reply
Fleischen
Fleischen
Occasional Advisor

‎03-17-2016 07:22 AM

‎03-17-2016 07:22 AM

Re: Configuration-Change Logging

Hi,

I have done some more investigation and I can only run the following command syslog is not supported on my 2910al:

aaa accounting commands stop-only radius

The switch send the accounting to the microsoft NPS server and In the logfile I see this:

<Vendor-Specific data_type="2">0000000B020C73686F7720766C616E73</Vendor-Specific>

The above when translated from hexadecimal to "Show vlans" which was the command I issued. How do I get the NPS to convert this from Hexadecimal to string?

0 Kudos
Reply
Stephen A Swain
Stephen A Swain
Advisor

‎03-28-2016 08:26 PM

‎03-28-2016 08:26 PM

Re: Configuration-Change Logging

2910al does support "logging notify running...", you may need to upgrade firmware to the latest available (I'm using W.15.14.0011).

Regarding NPS and hex to string, you'd probably need to use a platform that supports the vendor specific attribute described. I'd assume that would be a HPE product, like IMC. Unfortunely I don't use that, so I can't check...

 

 

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.