- Community Home
- >
- Networking
- >
- Switching and Routing
- >
- Aruba & ProVision-based
- >
- Configuration-Change Logging
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-16-2016 12:19 PM
тАО03-16-2016 12:19 PM
Configuration-Change Logging
Hello,
How do I comply with PCI DSS requirement 10.2.2 when using a Procurve switch?
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf)
The core of this requirment is that all changes done on the switch must be logged. Using "logging notify running-config-change" only notifies that a change has been made not what was changed. And also send it to a syslog server.
On a cisco switch it is quite easy:
(http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html) Chapter "Enabling the Configuration-Change Logger"
How do I do it on a procurve switch?
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-16-2016 12:22 PM
тАО03-16-2016 12:22 PM
Re: Configuration-Change Logging
This is what I did to meet that requirement for a customer. They are using IMC for management, so that is the IP address used.
config t
logging <log-host-ip>
logging facility syslog
logging notify running-config-change transmission-interval 10
aaa accounting exec start-stop syslog
aaa accounting commands stop-only syslog
end
Dave
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-17-2016 07:22 AM
тАО03-17-2016 07:22 AM
Re: Configuration-Change Logging
Hi,
I have done some more investigation and I can only run the following command syslog is not supported on my 2910al:
aaa accounting commands stop-only radius
The switch send the accounting to the microsoft NPS server and In the logfile I see this:
<Vendor-Specific data_type="2">0000000B020C73686F7720766C616E73</Vendor-Specific>
The above when translated from hexadecimal to "Show vlans" which was the command I issued. How do I get the NPS to convert this from Hexadecimal to string?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-28-2016 08:26 PM
тАО03-28-2016 08:26 PM
Re: Configuration-Change Logging
2910al does support "logging notify running...", you may need to upgrade firmware to the latest available (I'm using W.15.14.0011).
Regarding NPS and hex to string, you'd probably need to use a platform that supports the vendor specific attribute described. I'd assume that would be a HPE product, like IMC. Unfortunely I don't use that, so I can't check...