Aruba & ProVision-based
1748224 Members
4557 Online
108759 Solutions
New Discussion юеВ

Re: Procurve Audit Logging

 
Fleischen
Occasional Advisor

Procurve Audit Logging

Ha have a number of 2910al switches on which i need to configure logging for auditing e.g I need to send all of the cli commands and changes to a syslog server. How do I accomplish this?

 

Thank you

9 REPLIES 9
JohnLockie
Occasional Advisor

Re: Procurve Audit Logging

Did you try the command "logging <server IP>"?

 

So if your syslog server is at 10.0.0.5 then you would do this:

 

switch#configure terminal

switch(config)#logging 10.0.0.5

 

Change the severity also depending on your needs

 

switch(config)#logging severity <major/error/warning/info/debug>

Fleischen
Occasional Advisor

Re: Procurve Audit Logging

Yes. But that does not include CLI commands
John Gelten
Regular Advisor

Re: Procurve Audit Logging

You might want to look into command authorization through radius (aaa authorization commands radius). Even if you configure the radius-server to always allow any command, it leaves you with very good logging of the commands entered.

In my view this is even more reliable than using syslog, because you could configure your devices to become unmanagable when radius is unavailable. In that case, just don't let your radius-server allow commands that change radius-config... When relying on syslog, I could stop the logging and do whatever I want on the switch without you knowing what I did.

 

Indeed, I like to think worst-case...

It obviously depends on what kind of auditing you are trying to accomplish. But as you have noticed, commands don't get logged to syslog on most ProCurve-gear...

Fleischen
Occasional Advisor

Re: Procurve Audit Logging

Hi,

 

I'll try that!

Fleischen
Occasional Advisor

Re: Procurve Audit Logging

HI again,

 

I have implemented the "aaa authorization commands radius" using NPS. However the commands are not written to any logs.. I could imagine that the procurve switch reads the authorized commands from the Radius server and only allow those commands to be executed.

 

 

Will a TACAS server help?

 

jguse
HPE Pro

Re: Procurve Audit Logging

Hello Fleischen,

I'm not aware of "aaa authorization commands radius" logging anything anywhere. Its purpose is to limit the amount of commands that a user can use on the switch.

See for example http://h30499.www3.hp.com/t5/Switches-Hubs-Modems-Legacy-ITRC/commands-authorization-RADIUS-Server/td-p/4574706#.UaXQKZxRjn4

The feature you are looking for does not exist (yet) on the W.xx Provision software branch, as far as I know.

It was specifically requested as an Enhancement for the K-branch software by an enterprise customer, and was implemented in a special build just for this purpose, K.15.06.1002 - which you can find on the website for download: https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J9539A

Enhancement (PR_0000069196) - Log All Config Changes

If you need this feature on the 2910al, the only way to have it implemented is to open an Enhancement Request via your HP Sales or Account Management contact.

Hope that helps.
Best regards,
Justin

Working @ HPE
Accept or Kudo
Marcus J
Frequent Advisor

Re: Procurve Audit Logging

do you have to use just that software image or is it implemented in newer releases?

We are today running K.15.09.0012.

Peter_Debruyne
Honored Contributor

Re: Procurve Audit Logging

Hi,

 

This is an doc I made in the past to describe the NPS+radius login for the procurve switches.

Not sure if it works the same way on the 29xx however ...

 

Best regards,Peter

 

Marcus J
Frequent Advisor

Re: Procurve Audit Logging

Hi Peter,

 

Many thanks for the well written documentation of the setup!!!

 

/Marcus