02-17-2017 12:48 PM - edited 02-17-2017 12:49 PM
SYSLOG configuration
Hello,
I have a number of different models of switches and would like to standardize the configuration for syslog output on them.
Does anyone know of a good resource for syslog facilities and severities that I might be able to reference related to HP / Aruba switches?
I'm specifically looking to get logging output to show who changed VLANs on a particular port.
I have a syslog server running and my configs currently contain the following information:
logging [SYSLOG SERVER IP ADDRESS]
logging system-module ip
logging notify running-config-change
I see entries similar to the following when I make a change to a port's VLAN configuration through the Menu in the CLI.
The top line tells me that my username '[MY USERNAME REMOVED]' initiated a Running Config Change but not what it was and it does show my originating IP Address "[MY IP REMOVED]"
And the next 5 lines tell me nothing besides Username "Unknown" made a change and that the remote IP Address is 0.0.0.0
I would like to know who made this change and what the affected ports are.
Any assistance would be extremely helpful!
* Begin Output *
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='[MY USERNAME REMOVED]',Remote-IP-Address="[MY IP REMOVED]"
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='198',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='199',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='200',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='201',Config-Method='INTERNAL',Device-Name='100-TEST-SWITCH-100',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
02-23-2017 08:05 PM
Re: SYSLOG configuration
"Notify running-config-change" only tells you that the config was changed and not how. I think you might want command accounting. It'll give you logging info like this:
Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'
You can send that to Radius, Tacacs, or syslog:
(config)# aaa accounting commands stop-only
radius Use RADIUS for accounting.
syslog Use syslog for accounting.
tacacs Use TACACS+ for accounting.
As for the 0.0.0.0, typically that means the change happened on the serial console session, so there is no IP to log. Also, I do not believe accounting will log commands executed within the menu.
For more info on command accounting, check the "Access Security Guide" for your product. I could not find a good reference for syslog, I will look into that.
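Added example, not part of the original posts: a small Python parser for the two message formats quoted in this thread, reporting who changed VLAN membership on which ports from the accounting records and listing config-change notices that carry no user. The function names, the constructed sample lines, and the assumption that the accounting record holds the command as typed (including a leading `no`) are illustrative, not taken from HPE documentation.

```python
import re

# Key='value' or Key="value" pairs, as in the switch messages quoted in the thread.
PAIR = re.compile(r"([\w-]+)=(['\"])(.*?)\2")
# VLAN membership commands such as "vlan 15 untagged 19". Assumption: the
# accounting record carries the command as typed, including a leading "no".
VLAN_CMD = re.compile(r"^(no )?vlan (\d+) (tagged|untagged) (\S+)$")

# First line is the accounting record quoted in the reply; the rest are constructed.
SAMPLE = [
    "Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'",
    "Feb 23 19:59:10 192.0.2.10 acct: Acct-Session-ID='0x000000000001',Acct-Status-Type='Stop',NAS-Identifier='TEST-SWITCH',User-Name='alice',Acct-Authentic='',Calling-Station-Id='192.0.2.50',HP-Command-String='no vlan 20 tagged 1-4'",
    "Feb 23 19:59:30 192.0.2.10 acct: Acct-Session-ID='0x000000000002',Acct-Status-Type='Stop',NAS-Identifier='TEST-SWITCH',User-Name='alice',Acct-Authentic='',Calling-Station-Id='192.0.2.50',HP-Command-String='show vlans'",
    "Feb 23 20:01:00 192.0.2.10 notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='alice',Remote-IP-Address=\"192.0.2.50\"",
    "Feb 23 20:01:00 192.0.2.10 notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'",
]

def parse_fields(line):
    """Return the key/value pairs of one syslog line as a dict."""
    return {key: value for key, _quote, value in PAIR.findall(line)}

def vlan_changes(lines):
    """Yield one record per accounting line that changes a port's VLAN membership."""
    for line in lines:
        fields = parse_fields(line)
        match = VLAN_CMD.match(fields.get("HP-Command-String", ""))
        if match:
            yield {
                "user": fields.get("User-Name", ""),
                "source": fields.get("Calling-Station-Id", ""),
                "vlan": int(match.group(2)),
                "action": ("no " if match.group(1) else "") + match.group(3),
                "ports": match.group(4),
            }

def unattributed_changes(lines):
    """Return Event-IDs of 'Running Config Change' notices logged with no user."""
    parsed = (parse_fields(line) for line in lines)
    return [f.get("Event-ID") for f in parsed
            if f.get("Notice-Type") == "Running Config Change"
            and f.get("User-Name") == "Unknown"]

if __name__ == "__main__":
    for change in vlan_changes(SAMPLE):
        print(change)
    print("no user recorded for events:", unattributed_changes(SAMPLE))
```

Because the running-config-change notices name no command and can show `Unknown` as the user, attribution here comes only from the accounting records.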