Switches, Hubs, and Modems
How to set up log-in traps on HP ProCurve switches?

Preston Gallwas
Valued Contributor

How to set up log-in traps on HP ProCurve switches?

Is it possible for one to set a trap alert for a login?

We've got some potential log-in violations, and I'd like to be able to receive an alert (via email in PCM) when someone logs into a switch.

What CLI commands should I look into for this?
16 REPLIES
Jeff Brownell
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

I'm not sure this is possible via SNMP (I've never set it up). Another thought would be to enable remote syslog logging to a server that you can run a script on to monitor these types of syslog messages. I would bet that if you have a Linux server on your network you'd be able to find something off the Net that someone has designed to monitor specific strings in a log file...
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

I've gotten the syslog to work with alerts (snmp-server host (server) (snmpcom) all).

However, it seems the event stops working when the server has undergone a reboot.

grrr
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

If you are referring to the event that you get on telnet, those can go to the TrapLog as well as the SysLog. I tested it fine on my 2848 as I mentioned in your previous topic you closed.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=947849

You said "All worked", so what happened?

Once you get the event in the TrapLog, setting an alert on it should be straightforward. I don't have 1.6 anymore to test this on.

Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

It does work great -- until the server reboots. The event is still there, but no new events are generated in the event log when the trap is received.
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

OK, let's see if I got this straight...

The switch sends the trap every time.
PCM's TrapLog receives the trap every time.
PCM's Alert only fires until you reboot.

Testing in PCM+ 2.0, I get an email whenever I telnet to the switch. Reboot, repeat, another email.

What can I say?
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

1.6 must be borked on that aspect then...

A PO has apparently been put in for PCM2.0

Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

Preston,
Beware that 2.0 uses telnet for discovery, so you would have to try to craft your alerts to ignore the hundreds of events it will surely throw. Not entirely sure how one would craft the alert, since there is only a "contains" conditional and no "NOT" to counter it.

If you have some of the older generation switches like the 2524, the event in the traplog is sans IP so you will not be able to discern the origin.

See also http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=950967 for more detail.

You may be better off using another program besides PCM+ for this.

Sorry to be the bearer of bad news. :(
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

You said you also run HP Systems Insight Manager on another server. I don't know squat about IM, but perhaps there is a way to set it up with better rules than PCM to have Insight handle the alerts?

I know WhatsUp Pro from Ipswitch can do it.
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

I can monitor them with Insight Manager, but I need the login MIB and a trap definition in order for it to work.

So it adds a SYSLOG event for TELNET?

GRRRRRRRRR THAT'S HOW I SET UP MY EVENT

If it contains TELNET generate an alert

DANG IT!

Does it actually LOG IN to the switch... or just banner grab? Because it seems the syslog isn't updated unless it logs in, not on just a connection.
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

Well... I could lie to you but you'll only find out the truth anyway. :(

We can at least commiserate :,(

The event in Syslog/TrapLog for the 2524 is as follows:
mgr: SME TELNET Session - MANAGER Mode established

For the 28xx/530x:
mgr: SME TELNET from 10.11.12.13 - MANAGER Mode

As I said, I know not of any way to differentiate the PCM telnet from the intruder telnet using PCM alerts.

I did bring this to the attention of several people on the PCM beta stream and while this was one of the few I at least got a reply on, there was no encouraging news of anything being done about it. If anything is to be done about it, it would have to be done directly in PCM, either by improving the alert filter (rules) or by blocking(filtering out) the event from getting to the SysLog/TrapLog in the first place. I have already submitted suggestions for both.
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

That's silly, we need a way to filter an event from logins from the PCM server. I want to know when someone logs in ...bah!
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

There is no present work-around for the flood of events that pile up in both the syslog and traplog, but if you have any half decent email spam filtering, you could block the ones that have the IP of your PCM.

That won't help with the older generation switches that don't include the IP but you might consider blocking them too since you cannot discern the origin from the alert anyway.
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

98% of our switches are 2600 series.

Is it possible to have multiple condition alerts in 2.0?

(Sorry, our license hasn't arrived yet heh)


i.e.

contains "TELNET" and does NOT contain "PCM IP"

?
Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

You could DL 2.0 and try it for 30 days without the license but AFAIK you cannot use those combined conditions. In fact, there is no NOT operator available at all.

The event filters are as follows:
number of events
has severity * AND
contains * AND
has source
. . IP
. . is in group
within a period of (tied to number of events >1)


I was able to filter out the PCM source IP alerts with my email spam filter.
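Jeff's suggestion of a script watching the remote syslog, combined with the two message formats Les quoted and the "contains TELNET and does NOT contain the PCM IP" rule that PCM's filters cannot express, as an added example (not from the thread or from HP): the PCM address 10.0.0.5, the switch host names and the sample syslog lines are constructed.

```python
import re
from typing import Iterable, List, Optional, Set

# Message bodies quoted in the thread: 28xx/530x include the source IP,
# the 2524 does not. The syslog timestamp/host prefix is ignored.
_WITH_IP = re.compile(r"SME TELNET from (\d{1,3}(?:\.\d{1,3}){3}) - (\w+) Mode")
_NO_IP = re.compile(r"SME TELNET Session - (\w+) Mode established")


def parse_login(line: str) -> Optional[dict]:
    """Return {'src': ip or None, 'mode': ...} for a telnet login event, else None."""
    m = _WITH_IP.search(line)
    if m:
        return {"src": m.group(1), "mode": m.group(2)}
    m = _NO_IP.search(line)
    if m:
        return {"src": None, "mode": m.group(1)}
    return None


def should_alert(line: str, pcm_ips: Set[str], alert_on_unknown: bool = True) -> bool:
    """'contains TELNET AND NOT from PCM', which PCM's filter list cannot express.

    Events without a source IP (older switches) cannot be attributed, so the
    caller decides whether they alert (Les's advice was to drop them as well).
    """
    ev = parse_login(line)
    if ev is None:
        return False
    if ev["src"] is None:
        return alert_on_unknown
    return ev["src"] not in pcm_ips


def filter_lines(lines: Iterable[str], pcm_ips: Set[str],
                 alert_on_unknown: bool = True) -> List[str]:
    """Keep only the syslog lines that should raise a login alert."""
    return [ln for ln in lines if should_alert(ln, pcm_ips, alert_on_unknown)]


# Constructed sample syslog lines; host names and the PCM server 10.0.0.5 are assumed.
SAMPLE_LINES = [
    "Jun 12 10:01:02 sw-2824 mgr: SME TELNET from 10.11.12.13 - MANAGER Mode",
    "Jun 12 10:01:30 sw-2824 mgr: SME TELNET from 10.0.0.5 - MANAGER Mode",
    "Jun 12 10:02:15 sw-2524 mgr: SME TELNET Session - MANAGER Mode established",
    "Jun 12 10:03:00 sw-2824 ports: port 3 is now on-line",
]
PCM_IPS = {"10.0.0.5"}

if __name__ == "__main__":
    for hit in filter_lines(SAMPLE_LINES, PCM_IPS):
        print("ALERT:", hit)
```

Pointed at the file your syslog server writes (e.g. via tail -F piped into it), this yields one alert per operator login while the PCM discovery logins are dropped.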
Preston Gallwas
Valued Contributor

Re: How to set up log-in traps on HP ProCurve switches?

So sad, who do we talk to for a feature request...? We just paid $3000 for a downgrade?

Les Ligetfalvy
Esteemed Contributor

Re: How to set up log-in traps on HP ProCurve switches?

You can open an incident with NetHelp and they will assist you to submit an enhancement request or perhaps Jeff may if he drops by for a visit.

A couple of the PCM guys have been seen in the discussion "PCM+ V2.0 Questions/Thoughts"
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=942870

I suspect they do lurk about silently. Just because I'm paranoid doesn't mean they are not watching me.