Switches, Hubs, and Modems

Re: How to set up log-in traps on HP ProCurve switches?

 
Les Ligetfalvy
Esteemed Contributor

Well... I could lie to you but you'll only find out the truth anyway. :(

We can at least commiserate :,(

The event in Syslog/TrapLog for the 2524 is as follows:
mgr: SME TELNET Session - MANAGER Mode established

For the 28xx/530x:
mgr: SME TELNET from 10.11.12.13 - MANAGER Mode

As I said, I know not of any way to differentiate the PCM telnet from the intruder telnet using PCM alerts.

I did bring this to the attention of several people on the PCM beta stream and while this was one of the few I at least got a reply on, there was no encouraging news of anything being done about it. If anything is to be done about it, it would have to be done directly in PCM, either by improving the alert filter (rules) or by blocking (filtering out) the event from getting to the SysLog/TrapLog in the first place. I have already submitted suggestions for both.
Preston Gallwas
Valued Contributor

That's silly, we need a way to filter an event from logins from the PCM server. I want to know when someone logs in... bah!
Les Ligetfalvy
Esteemed Contributor

There is no present work-around for the flood of events that pile up in both the syslog and traplog, but if you have any half decent email spam filtering, you could block the ones that have the IP of your PCM.

That won't help with the older generation switches that don't include the IP but you might consider blocking them too since you cannot discern the origin from the alert anyway.
Preston Gallwas
Valued Contributor

98% of our switches are 2600 series.

Is it possible to have multiple condition alerts in 2.0?

(Sorry, our license hasn't arrived yet heh)


i.e.

contains "TELNET" and does NOT contain "PCM IP"

?
Les Ligetfalvy
Esteemed Contributor

You could DL 2.0 and try it for 30 days without the license but AFAIK you cannot use those combined conditions. In fact, there is no NOT operator available at all.

The event filters are as follows:
number of events
has severity * AND
contains * AND
has source
. . IP
. . is in group
within a period of (tied to number of events >1)


I was able to filter out the PCM source IP alerts with my email spam filter.
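
Added example, not part of the original thread and not PCM functionality: a small syslog post-filter that applies the "contains TELNET and does NOT contain PCM IP" rule asked about above to both message formats quoted in the thread. The PCM address `192.0.2.10`, the host names and the timestamps are constructed placeholders; the address is compared exactly rather than as a substring, and the older address-less format is kept as unknown origin instead of being dropped.

```python
import re

PCM_IP = "192.0.2.10"  # assumption: placeholder for your PCM server's address

# 28xx/530x wording from the thread: the source address is in the message.
WITH_IP = re.compile(r"mgr: SME TELNET from (\d{1,3}(?:\.\d{1,3}){3}) - (\w+) Mode")
# 2524 wording from the thread: no source address at all.
NO_IP = re.compile(r"mgr: SME TELNET Session - (\w+) Mode established")

def classify(line, pcm_ip=PCM_IP):
    """Return (verdict, source_ip, mode), or None if the line is not a telnet login."""
    m = WITH_IP.search(line)
    if m:
        src, mode = m.groups()
        # Exact string comparison, so 192.0.2.10 never matches 192.0.2.100.
        return ("pcm" if src == pcm_ip else "alert", src, mode)
    m = NO_IP.search(line)
    if m:
        # Origin cannot be determined; keep it visible rather than dropping it.
        return ("unknown-origin", None, m.group(1))
    return None

def review(lines, pcm_ip=PCM_IP):
    """Keep every telnet login that cannot be attributed to the PCM server."""
    kept = []
    for line in lines:
        result = classify(line, pcm_ip)
        if result and result[0] != "pcm":
            kept.append((result[0], result[1], line))
    return kept

# Constructed sample lines (timestamps and host names are made up).
SAMPLE = [
    "Jan 10 08:00:01 sw-2848-a mgr: SME TELNET from 192.0.2.10 - MANAGER Mode",
    "Jan 10 08:03:17 sw-5304-b mgr: SME TELNET from 10.11.12.13 - MANAGER Mode",
    "Jan 10 08:05:42 sw-2524-c mgr: SME TELNET Session - MANAGER Mode established",
    "Jan 10 08:06:00 sw-2848-a ports: port 12 is now on-line",
    "Jan 10 08:07:09 sw-5304-b mgr: SME TELNET from 192.0.2.100 - MANAGER Mode",
]

if __name__ == "__main__":
    for verdict, src, line in review(SAMPLE):
        print(f"{verdict:15} {src or '-':15} {line}")
```
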
Preston Gallwas
Valued Contributor

So sad, who do we talk to for a feature request...? We just paid $3000 for a downgrade?

Les Ligetfalvy
Esteemed Contributor

You can open an incident with NetHelp and they will assist you to submit an enhancement request or perhaps Jeff may if he drops by for a visit.

A couple of the PCM guys have been seen in the discussion "PCM+ V2.0 Questions/Thoughts"
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=942870

I suspect they do lurk about silently. Just because I'm paranoid doesn't mean they are not watching me.