
OneView syslog

 
SOLVED
adamcole
Valued Contributor

OneView syslog

Does OneView have the ability to forward its logs to a syslog server? There is an "Enable-HPOVRemoteSyslog" PowerShell command but the documentation is pretty vague on actual usage.

PeterWolfe
HPE Pro

Re: OneView syslog

Yes, starting with the new V4.20 release (which just started shipping within the last several weeks). The feature allows you to forward the OneView audit logs to a remote syslog server.

The PowerShell command is for an older feature that has been in OneView from early on. That feature configures specific managed devices (e.g. iLO, OAs, some ICMs) to forward their syslogs to a remote syslog server.


Daniel-L
Advisor

Re: OneView syslog

Hello Peter,

thanks for sharing this interesting news.

Any plans to implement forwarding of all events and activities and not audit logs only?

Having auditing events captured externally is a good start from a compliance point of view, but having OneView's deep integration into the HPE hardware environment as a source for getting hardware events into syslog would be really great.

Regards,

Daniel

PeterWolfe
HPE Pro

Re: OneView syslog

Most all HW events are forwarded today as SNMP traps (not via syslog). Those are the specific events from the managed devices. For the OneView alerts in general, there is the State Change Message Bus (an AMQP-based message bus). You'd need a 'connector' to listen on the bus and place the data in syslog (or Splunk or whatever). You could check in the OneView section of HPE's GitHub to see if anyone has developed a canned integration for that. For example, https://github.com/HewlettPackard/oneview-redfish-toolkit looks like it does some of what you are after.


Daniel-L
Advisor

Re: OneView syslog

Hello Peter,

thanks for your suggestion - will have a look into this.

A native syslog implementation would still be highly appreciated.

Regards,

Daniel

Kamalji
Advisor

Re: OneView syslog

You may check the online help of OneView.

Title: "Manage audit log forwarding"

You should have Privileges: Infrastructure administrator.

From the main menu, select Settings > Security.

Click the Edit icon in the Security panel or select Actions > Edit.

On the Edit Security screen, under Audit Log, enable Audit log forwarding.

For more details, refer to the OneView online help.

Thank You!
I am an HPE employee
adamcole
Valued Contributor

Re: OneView syslog

Am I wrong or are the audit logs not in proper syslog format? I can forward to our syslog server but because the hostname is not included with each log it does not know how to classify it. Any way to add the name of the OneView appliance to the audit log?

adamcole
Valued Contributor

Re: OneView syslog

Is there a place I need to enter the hostname in order for the audit log to pick it up properly?

PeterWolfe
HPE Pro
Solution

Re: OneView syslog

Looks like the forwarded syslog entry is using the appliance's internal hostname (ci-<appliance MAC address>) and not the user-configured appliance hostname.


adamcole
Valued Contributor

Re: OneView syslog

Can this be modified in any way?  I'm not seeing any name in my logs.

PeterWolfe
HPE Pro

Re: OneView syslog

What logger are you using for your consolidated logging?

The only short term workaround is to fix it on the server side. For example, if using rsyslog as the consolidated logger, add a stanza for the appliance that changes the message to use the FQDN. For example:

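# Output format that substitutes the appliance FQDN for the received hostname
$template appliance1, "%TIMESTAMP% myappliance.example.com %syslogtag%%msg:::sp-if-no-1st-sp% %msg:::drop-last-lf%\n"
# Match the appliance's internal hostname and write the message with that template
:hostname, isequal, "ci-005056bf4078" /var/log/messages;appliance1
# Discard the message so later rules do not log it a second time
& ~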

There would be an equivalent technique for syslog-ng. It's not pretty, but could tide you over until a fix is available.

 


adamcole
Valued Contributor

Re: OneView syslog

There is no appliance name to modify off of server side as there is no appliance name in the logs.  

2019-06-03 15:23:06.928 UTC,clrm,,localhost,System,,,,SUCCESS,LOGOUT,INFO,hypervisor-managers,,Logout from vCenter aplvcsap1.mmacct.root.mds successful.
2019-06-03 15:24:11.382 UTC,Certs,,mmacct.root.mds,xxvmoneview,,,170.11.194.86,SUCCESS,ACCESS,INFO,CERT,,Retrieval of RabbitMQ Client Certificate and the Private key for the common name rabbitmq_readonly is successful.
2019-06-03 15:24:11.413 UTC,cert,,,xxvmoneview,LTIzNzk2OTYxNjAz,,,SUCCESS,ACCESS,INFO,SETTINGS,,Get all CA certificate(s) requested.
2019-06-03 15:25:51.815 UTC,logs,,mmacct.root.mds,it547adm,,,,SUCCESS,ADD,INFO,SECURITY,,Audit log forwarding test message.

 

adamcole
Valued Contributor

Re: OneView syslog

OK - see my issue.  I was forwarding to a TCP port.  Updated to a UDP port and I am now seeing the logs with the ci-MAC format.  
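
The two cases discussed in this thread, as an added Python example (not code from any poster or from HPE): a collector-side pass over traditional-format syslog lines that maps the internal `ci-<MAC>` name to the configured FQDN and flags lines that carry no syslog header at all, so they are not silently misclassified. The `audit:` tag in the framed sample and the function and status names are assumptions; the hostname, FQDN and raw audit line are taken from the posts above.

```python
import re

# Internal appliance name -> configured FQDN (values from the rsyslog post above).
APPLIANCES = {"ci-005056bf4078": "myappliance.example.com"}

# Traditional syslog file format: "Mmm dd hh:mm:ss HOST rest-of-line".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
INTERNAL_RE = re.compile(r"^ci-[0-9a-f]{12}$")

# Constructed sample: a framed line as a collector might store it (tag is assumed).
FRAMED = ("Jun  3 15:25:51 ci-005056bf4078 audit: 2019-06-03 15:25:51.815 UTC,logs,,"
          "mmacct.root.mds,it547adm,,,,SUCCESS,ADD,INFO,SECURITY,,"
          "Audit log forwarding test message.")
# Raw audit line as posted in the thread: no timestamp/hostname header in front.
RAW = ("2019-06-03 15:25:51.815 UTC,logs,,mmacct.root.mds,it547adm,,,,SUCCESS,"
       "ADD,INFO,SECURITY,,Audit log forwarding test message.")


def normalize(line, appliances=APPLIANCES):
    """Return (status, line) where status is one of:
    rewritten  internal name replaced by the mapped FQDN
    unmapped   internal ci-<MAC> name with no mapping configured
    no-header  no syslog header, so there is no hostname to key on
    unchanged  any other host
    """
    m = LINE_RE.match(line)
    if m is None:
        return "no-header", line
    host = m["host"].lower()
    if not INTERNAL_RE.match(host):
        return "unchanged", line
    fqdn = appliances.get(host)
    if fqdn is None:
        return "unmapped", line
    return "rewritten", f"{m['ts']} {fqdn} {m['rest']}"


if __name__ == "__main__":
    for sample in (FRAMED, RAW):
        print(normalize(sample))
```

Lines reported as `no-header` or `unmapped` are worth alerting on, since they indicate audit records that the log server cannot attribute to a known appliance.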

Darren_Matthews
Occasional Visitor

Re: OneView syslog

Finding similar, appreciate the short term workaround but is there a fix going in to make FQDN configurable (or default) for Audit Log Forwarding?  I'm assuming this has been captured and being fed in to the enhancement process?

Thanks

BhaskarV
HPE Pro

Re: OneView syslog

Hi @Darren_Matthews 

The input has been taken.
This issue is being addressed in an upcoming / future patch / release.
Will update this thread once a publicly available release that contains the fix has been announced.

Regards,
Bhaskar

