SYSLOG configuration

Summerfest · ‎02-17-2017

Hello,

I have a number of different models of switches and would like to standardize the configuration for syslog output on them.

Does any know of a good resource for syslog facilities and severities that I might be able to reference related to HP / Aruba switches?

I'm specifically looking to get loggoing outpout to show who changed VLANs on a particiular port.

I have a syslog server running and my configs currently contain the following information:

logging [SYSLOG SERVER IP ADDRESS]
logging system-module ip
logging notify running-config-change

I see entries similar to the following when I make a change to a ports VLAN configuration through the Menu in the CLI

The top line tells me that my username '[MY USERNAME REMOVED]' initiated a Running Config Change but not what it was and it does show my originating IP Address "[MY IP REMOVED]"

And the next 5 lines tell me nothing besides Username "Unknown" made a change and that the remote IP Address is 0.0.0.0

I would like to know who made this change and what the affected ports are.

Any assitance wold be extremely helpful!

* Begin Output *

Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='[MY USERNAME REMOVED]',Remote-IP-Address="[MY IP REMOVED]"
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='198',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='199',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='200',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='201',Config-Method='INTERNAL',Device-Name='100-TEST-SWITCH-100',User-Name='Unknown',Remote-IP-Address='0.0.0.0'

Michael Patmon · ‎02-23-2017

"Notify running-config-change" only tells you that the config was changed and not how. I think you might want command accouting. It'll give you logging info like this:

Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'

You can send that to Radius, Tacacs, or syslog:

(config)# aaa accounting commands stop-only
radius                Use RADIUS for accounting.
syslog                Use syslog for accounting.
tacacs                Use TACACS+ for accounting.

As for the 0.0.0.0 typically that means the change happened on the serial console session, so there is no IP to log. Also, I do not believe accounting will log commands executed within the menu.

For more info on command accountting check the "Access Security Guide" for you product. I could not a good reference for syslog, I will look into that.

SYSLOG configuration

SYSLOG configuration

Re: SYSLOG configuration

Hewlett Packard Enterprise International