
Help in local-user and iMC.......

 
MohammadH
Regular Advisor

Re: Help in local-user and iMC.......

Hi

If by implementing centralised AAA you mean the RADIUS server, if that is so, we plan to install a RADIUS server in the future.

 

I finished configuring the switch; when I change the config on the switch I can see it in:

(Alarm -> Syslog Management -> Browse Syslog),

 

So what is the next step?

 

and

thank you for your help.

LindsayHill
Honored Contributor


You can use either RADIUS or TACACS (with IMC's TAM if you like) for centralised access control.
 
Now, if we used SNMP traps, we could immediately escalate those to alarms. Since it's syslog, we need to go through another step. Bear with me, and we'll work through it in stages.
 
First you need to define a Syslog Template. This will match specific patterns in the syslog entries. We can later use this template to create alarms. Once we can create alarms, we should be able to turn those into emails. 
 
Go to Alarms -> Syslog Management -> Syslog Templates. Click Add, and give it a name, and Template Content. These are the patterns to match in the syslog entry. Note that you can grab specific parts of the syslog, and assign them to parameters. For now, maybe just keep it simple. If your syslog entry looks something like this: "User admin logged in via console", then you could have a pattern Template Content like: "User $(user) logged in via $(interface)"
 
Click OK to save that.
 
Now go to "Syslog to Alarm". Click Add. Give it a name & Description. Key things to change here are the Alarm Level, and the Repeat interval/repeat time. The default is to only generate an alarm for 50 events in 300s. You probably want 1 event in 1s. Set the severity to whatever you want. 
 
In the "Alarm Description" field, just leave it as %syslog% for now. Later you can change the message if you like, using some of those parameters we got earlier. Select a Syslog Template - use the one you defined earlier. Hit OK on that.
 
Now try triggering some of the events that cause that syslog. See if you can see the entry in "Browse Syslog". Then go and check "Alarm Browse -> Real-Time Alarms", and see if you can see the alarm there.
 
Get that working, then we'll look at generating emails.
 
 
 
 
MohammadH
Regular Advisor

Re: lindsayhill

Hi

I want to ask: do I need Active Directory with TACACS? If so, is there a way to use TACACS without Active Directory?

 

and

 

Will (User $(user) logged in via $(interface)) work with telnet, or only the console? Because I tried it with telnet but can't see anything in (Alarm Browse -> Real-Time Alarms).

 

I have Filtering Trap; will it affect the syslog? I have an attachment where you can see the trap.

 

Thank you for your help.

LindsayHill
Honored Contributor


I haven't used TAM, so I can't comment on that. You'd have to read the docs.

That template example was just a random example - I don't know what your syslog patterns look like. You need to look at your syslogs, and come up with a pattern that works.
MohammadH
Regular Advisor

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

I tried to change the template but no luck; you can see the syslog patterns in the attachment,

 

and

 

thank you.

LindsayHill
Honored Contributor

Re: I haven't used TAM, so I can't comment on that. You'd hav...

So what settings do you have for your syslog template, and your syslog to alarm policies?

Looking at those logs, you could probably also use snmp traps if you wanted.
MohammadH
Regular Advisor

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

I looked at them and tried different Template Content but no luck. I will try again, then come back here if it works.

and

Thank you for your help so much.

 

 

 

LindsayHill
Honored Contributor

Re: I haven't used TAM, so I can't comment on that. You'd hav...

My advice would be to start simple with your templates. Don't worry about parameters, etc. just yet. Keep it simple, until you know you're matching what you need.

 

e.g. for the Failed Login syslog, I might just look for "h3cLoginAuthenFailure"

 

Make sure that your syslog to alarm template changes the counters too, to alarm for every message, not for the default of 50 messages received in 5 minutes.
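
As an added example (not part of the original posts, and not IMC's own matching engine): a small Python model of the two stages described in the replies above, a Syslog Template with $(name) parameters and a Syslog to Alarm threshold. It assumes each parameter matches one whitespace-free token and that an alarm is raised once `count` matching messages arrive within `window_s` seconds; the sample syslog lines are constructed.

```python
import re
from collections import deque

SAMPLE = [  # (seconds, message): constructed lines, not from a real device
    (0, "User admin logged in via console"),
    (20, "h3cLoginAuthenFailure: operator failed to login from VTY"),
    (45, "TELNET user operator failed to log in from 192.0.2.10 on VTY0"),
    (60, "h3cLoginAuthenFailure: guest failed to login from VTY"),
]

def compile_template(template):
    """Literal text is matched as-is; each $(name) becomes a capture group."""
    parts = re.split(r"\$\(([^)]+)\)", template)
    regex, names = "", []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            regex += re.escape(part)   # literal text between parameters
        else:
            names.append(part)         # parameter name, e.g. "user"
            regex += r"(\S+)"          # assumption: one token per parameter
    return re.compile(regex), names

def match(template, message):
    """Return the extracted parameters, or None if the template misses."""
    pattern, names = compile_template(template)
    m = pattern.search(message)
    return dict(zip(names, m.groups())) if m else None

class SyslogToAlarm:
    """Raise an alarm after `count` matches inside `window_s` seconds."""
    def __init__(self, template, count, window_s):
        self.pattern, _ = compile_template(template)
        self.count, self.window_s = count, window_s
        self.hits = deque()

    def feed(self, ts, message):
        if not self.pattern.search(message):
            return False
        self.hits.append(ts)
        while ts - self.hits[0] >= self.window_s:   # drop expired matches
            self.hits.popleft()
        if len(self.hits) >= self.count:
            self.hits.clear()
            return True
        return False

def alarms(template, count, window_s, lines=SAMPLE):
    """Timestamps at which the policy would raise an alarm."""
    policy = SyslogToAlarm(template, count, window_s)
    return [ts for ts, msg in lines if policy.feed(ts, msg)]
```

In this model the console-worded template returns None for the TELNET line because the literal text differs, and a literal-only template such as "h3cLoginAuthenFailure" alarms on every match only when the threshold is 1 event in 1s.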

Peter_Debruyne
Honored Contributor

Re: Help in local-user and iMC.......

Hi,

 

On Comware devices (4800), you can enable shell logging to a specific syslog server. This means that all typed commands (as shown in the local log file with display logging) can be sent to an external syslog server.

 

If you do not want these on the default syslog server, you can use a dedicated channel (output channel), disable all other features (default), and enable the SHELL source on this new channel.

Next configure a specific syslog IP for this channel.

 

This would be a sample config:

 

info-center channel 6 name loghostshell
info-center source default channel 6 log state off trap state off
info-center source SHELL channel 6
info-center loghost 192.168.5.42 channel 6

This is not possible on ProVision devices. For these you need to configure an external RADIUS server for login. The ProVision switches can use RADIUS accounting to log all operator commands to an external system.

 

I have attached a configuration guide I have made in the past which explains the steps with a Microsoft NPS RADIUS server.

 

Hope this helps,

Best regards, Peter.

MohammadH
Regular Advisor

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

Sorry I took a long time. I made it work, but it only sends an email the first time I log in, and sometimes it does not send an email; the same for the commands: when I input any command it only sends the first command, then will not send any email, so it almost works.

I use more than one template for login and logout, and for the command change:

for the login:

---------------

<h3cLogIn>: $(UserName) login from VTY

------
$(UserName) logged in from $(Source IP).

------------------------------------------

for the logout:

---------------

<h3cLogOut>: $(UserName) logout from VTY  

------
<h3cLogInAuthenFailure>: $(UserName) failed to login from VTY, reason is 2

------
TELNET user $(UserName) failed to log in from $(Source IP) on VTY0

------
$(UserName) logged out from $(Source IP).

-----------------------------------------------------

for the command change:

-------------------------

-Task=vt0-IPAddr=$(Source IP)-User=$(UserName); Command is

or

$(Source IP)-User=$(UserName); Command is

------------------------------------------------------------------------------------

Thank you for the guide, it really helped me, and for the config sample.

----------------------------------------------------------------------

 

thank you for taking your time to help.