HPE Community
Aruba & ProVision-based
1753416 Members
7668 Online
108793 Solutions
New Discussion

Re: SYSLOG configuration

 
Summerfest
Occasional Contributor

‎02-17-2017 12:48 PM - edited ‎02-17-2017 12:49 PM

‎02-17-2017 12:48 PM - edited ‎02-17-2017 12:49 PM

SYSLOG configuration

Hello,

I have a number of different models of switches and would like to standardize the configuration for syslog output on them.

Does any know of a good resource for syslog facilities and severities that I might be able to reference related to HP /  Aruba switches?

I'm specifically looking to get loggoing outpout to show who changed VLANs on a particiular port.

I have a syslog server running and my configs currently contain the following information:

logging [SYSLOG SERVER IP ADDRESS]
logging system-module ip
logging notify running-config-change

 

I see entries similar to the following when I make a change to a ports VLAN configuration through the Menu in the CLI

The top line tells me that my username '[MY USERNAME REMOVED]' initiated a Running Config Change but not what it was and it does show my originating IP Address "[MY IP REMOVED]"

And the next 5 lines tell me nothing besides Username "Unknown" made a change and that the remote IP Address is 0.0.0.0

I would like to know who made this change and what the affected ports are.

Any assitance wold be extremely helpful!

* Begin Output *

Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='[MY USERNAME REMOVED]',Remote-IP-Address="[MY IP REMOVED]"
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='198',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='199',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='200',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='201',Config-Method='INTERNAL',Device-Name='100-TEST-SWITCH-100',User-Name='Unknown',Remote-IP-Address='0.0.0.0'

0 Kudos
1 REPLY 1
Michael Patmon
Trusted Contributor

‎02-23-2017 08:05 PM

‎02-23-2017 08:05 PM

Re: SYSLOG configuration

"Notify running-config-change" only tells you that the config was changed and not how.  I think you might want command accouting.  It'll give you logging info like this:

Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'

You can send that to Radius, Tacacs, or syslog:

(config)# aaa accounting commands stop-only
 radius                Use RADIUS for accounting.
 syslog                Use syslog for accounting.
 tacacs                Use TACACS+ for accounting.

As for the 0.0.0.0 typically that means the change happened on the serial console session, so there is no IP to log.  Also, I do not believe accounting will log commands executed within the menu.

For more info on command accountting check the "Access Security Guide" for you product.  I could not a good reference for syslog, I will look into that.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.