ProCurve / ProVision-Based
cancel
Showing results for 
Search instead for 
Did you mean: 

SYSLOG configuration

Summerfest
Occasional Visitor

SYSLOG configuration

Hello,

I have a number of different models of switches and would like to standardize the configuration for syslog output on them.

Does any know of a good resource for syslog facilities and severities that I might be able to reference related to HP /  Aruba switches?

I'm specifically looking to get loggoing outpout to show who changed VLANs on a particiular port.

I have a syslog server running and my configs currently contain the following information:

logging [SYSLOG SERVER IP ADDRESS]
logging system-module ip
logging notify running-config-change

 

I see entries similar to the following when I make a change to a ports VLAN configuration through the Menu in the CLI

The top line tells me that my username '[MY USERNAME REMOVED]' initiated a Running Config Change but not what it was and it does show my originating IP Address "[MY IP REMOVED]"

And the next 5 lines tell me nothing besides Username "Unknown" made a change and that the remote IP Address is 0.0.0.0

I would like to know who made this change and what the affected ports are.

Any assitance wold be extremely helpful!

* Begin Output *

Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='196',Config-Method='MENU',Device-Name='TEST-SWITCH',User-Name='[MY USERNAME REMOVED]',Remote-IP-Address="[MY IP REMOVED]"
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='197',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='198',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='199',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='200',Config-Method='INTERNAL',Device-Name='TEST-SWITCH',User-Name='Unknown',Remote-IP-Address='0.0.0.0'
 Jan 17 20:27:41 [SWITCH IP REMOVED] notice: Notice-Type='Running Config Change',Event-ID='201',Config-Method='INTERNAL',Device-Name='100-TEST-SWITCH-100',User-Name='Unknown',Remote-IP-Address='0.0.0.0'

1 REPLY
Michael Patmon
Trusted Contributor

Re: SYSLOG configuration

"Notify running-config-change" only tells you that the config was changed and not how.  I think you might want command accouting.  It'll give you logging info like this:

Feb 23 19:58:01 128.44.0.2 acct: Acct-Session-ID='0x08A6000000FB',Acct-Status-Type='Stop',NAS-Identifier='patmon-core-sws',User-Name='mpatmon',Acct-Authentic='',Calling-Station-Id='128.44.120.99',HP-Command-String='vlan 15 untagged 19'

You can send that to Radius, Tacacs, or syslog:

(config)# aaa accounting commands stop-only
 radius                Use RADIUS for accounting.
 syslog                Use syslog for accounting.
 tacacs                Use TACACS+ for accounting.

As for the 0.0.0.0 typically that means the change happened on the serial console session, so there is no IP to log.  Also, I do not believe accounting will log commands executed within the menu.

For more info on command accountting check the "Access Security Guide" for you product.  I could not a good reference for syslog, I will look into that.