Yes, starting the new V4.20 release (which just started shipping within the last several weeks). The feature allows you to forward the OneView audit logs to a remote syslog server. 

The powershell command is for a older feature that's has been in OneView from early on. That feature configures specific managed devices (e..g. iLO, OAs, some ICMs) to forward their syslogs to a remote syslog server. 

Hello Peter,

thanks for sharing this interesting news.

Any plans to implement forwarding of all events and activities and not audit logs only?

Having auditing events captured externaly is a good start from a compliance point of view but having OneView's deep integration into the HPE hardware environment as source for getting hardware events into syslog would be really great.

Regards,

Daniel

Most all HW events are forward today as SNMP traps (not via syslog). Those are the specific events from the managed devices. For the OneView alerts in general, there is the State Change Message Bus (and AMPQ-based message bus). You'd need a 'connector' to listen on the bus and place the data in syslog (or splunk or whatever). You could check in the OneView section of HPE's github to see if anyone has developed a canned integration for that. For example, https://github.com/HewlettPackard/oneview-redfish-toolkit look like it does some of what you are after. 

Hello Peter,

thanks for your sugestion - will have a look into this.

A native syslog implementation would still be highly apreciated.

Regards,

Daniel

You May check online help of Oneview

Title       "Manage audit log forwarding"

You should have Privileges: Infrastructure administrator.

From the main menu, select Settings > Security.

Click the Edit icon in the Security panel or select Actions > Edit.

On the Edit Security screen, under Audit Log, enable Audit log forwarding

For more details refer OneView Online help

Am I wrong or are the audit logs not in proper syslog format?  I can forward to our syslog server but because the hostname is not included with each log it does not know how to classify it.  Any way to add the name of the oneview appliance to the audit log?

Is there a place I need to enter the hostname in order for the audit log to pick it up properly?

Can this be modified in any way?  I'm not seeing any name in my logs.

What logger are you using for your consolidated logging?

The only short term workaround is to fix it the server-side. For eample, if using rsyslog as the consolidated logger, add a stanza for the appliance that changes the message to use the FQDN. For example:

 $template appliance1, "%TIMESTAMP% myappliance.example.com %syslogtag%%msg:::sp\
-if-no-1st-sp% %msg:::drop-last-lf%\n"
:hostname, isequal, "ci-005056bf4078" /var/log/messages;appliance1
& ~

There would be an equivalent technique for syslog-ng. It's not pretty, but could tide you over until a fix is avaialble. 

There is no appliance name to modify off of server side as there is no appliance name in the logs.  

2019-06-03 15:23:06.928 UTC,clrm,,localhost,System,,,,SUCCESS,LOGOUT,INFO,hypervisor-managers,,Logout from vCenter aplvcsap1.mmacct.root.mds successful.
2019-06-03 15:24:11.382 UTC,Certs,,mmacct.root.mds,xxvmoneview,,,170.11.194.86,SUCCESS,ACCESS,INFO,CERT,,Retrieval of RabbitMQ Client Certificate and the Private key for the common name rabbitmq_readonly is successful.
2019-06-03 15:24:11.413 UTC,cert,,,xxvmoneview,LTIzNzk2OTYxNjAz,,,SUCCESS,ACCESS,INFO,SETTINGS,,Get all CA certificate(s) requested.
2019-06-03 15:25:51.815 UTC,logs,,mmacct.root.mds,it547adm,,,,SUCCESS,ADD,INFO,SECURITY,,Audit log forwarding test message.

OK - see my issue.  I was forwarding to a TCP port.  Updated to a UDP port and I am now seeing the logs with the ci-MAC format.  

Finding similar, appreciate the short term workaround but is there a fix going in to make FQDN configurable (or default) for Audit Log Forwarding?  I'm assuming this has been captured and being fed in to the enhancement process?

Thanks

Hi @Darren_Matthews 

The input has been taken.
This issue is being addressed in an upcoming / future patch / release.
Will update this thread once a publicly available release that contains the fix has been announced.

Regards,
Bhaskar