I have a number of different models of switches and would like to standardize the configuration for syslog output on them.
Does any know of a good resource for syslog facilities and severities that I might be able to reference related to HP / Aruba switches?
I'm specifically looking to get loggoing outpout to show who changed VLANs on a particiular port.
I have a syslog server running and my configs currently contain the following information:
logging [SYSLOG SERVER IP ADDRESS] logging system-module ip logging notify running-config-change
I see entries similar to the following when I make a change to a ports VLAN configuration through the Menu in the CLI
The top line tells me that my username '[MY USERNAME REMOVED]' initiated a Running Config Change but not what it was and it does show my originating IP Address "[MY IP REMOVED]"
And the next 5 lines tell me nothing besides Username "Unknown" made a change and that the remote IP Address is 0.0.0.0
I would like to know who made this change and what the affected ports are.
Any assitance wold be extremely helpful!
* Begin Output *
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='[MY USERNAME REMOVED]',Remote-IP-Address="[MY IP REMOVED]" Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0' Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='198',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0' Jan 17 20:27:41 [SWITCH SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='199',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0' Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='200',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0' Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='201',Config-Method='INTERNAL',Device-Name='100-TEST-SWITCH-100',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
"Notify running-config-change" only tells you that the config was changed and not how. I think you might want command accouting. It'll give you logging info like this:
Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'
You can send that to Radius, Tacacs, or syslog:
(config)# aaa accounting commands stop-only radius Use RADIUS for accounting. syslog Use syslog for accounting. tacacs Use TACACS+ for accounting.
As for the 0.0.0.0 typically that means the change happened on the serial console session, so there is no IP to log. Also, I do not believe accounting will log commands executed within the menu.
For more info on command accountting check the "Access Security Guide" for you product. I could not a good reference for syslog, I will look into that.
