smamm
Occasional Advisor

HPE OneView Audit Log events and remote syslog parsing

I'm running OneView 8.10 and wanted to see if anyone has come across this same problem related to Audit Log Forwarding and the parsing of events from the remote syslog destination.

I work in an audited and secure environment.  We use remote syslog for a number of platforms, including appliances.  For example, iLOs here are configured to send events to a remote syslog where they are parsed by a security product.   We would like to do the same for HPE OneView, and have already configured the OneView Audit Log to send events to the correct address/port.  After sending test events, I can verify in our firewall logs that they were transmitted to the correct location and via the correct port.  We appear to be having a parsing issue with the security product though, as the OneView events are not being displayed in a monitoring console.

My question is about OneView and audit log *format*, and whether any documentation is available for it. We've had a similar problem in the past, when after an iLO firmware update, the remote syslog event formatting changed and a security product was unable to parse events until the updated format was accounted for. But that was eventually sorted out. OneView audit log format has proven to be a lingering problem though. I'm trying to guide my security team to some relevant information on the audit log format, and how to parse the events successfully.

I've been reviewing OneView user guides, but can't locate any audit log information other than how to set it up. Enabling audit log to a remote address isn't the problem, that's fine. I'm just trying to find documentation on event format. Anyone ever run into this problem?

DanCernese
HPE Pro

Re: HPE OneView Audit Log events and remote syslog parsing

In 2021 HPE went through an update to OneView and iLO and some Synergy ICMs to more closely conform to RFC 5424 that defines the fields and formatting.

 



I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
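A triage check for the collector side, added here as an example and not code from HPE or from anyone in this thread: it tests whether a received line parses as RFC 5424 (the format named in the reply above) and splits out the header fields and structured data. The sample lines are constructed, not captured from OneView, and the field values in them are assumptions; it also accepts the RFC 6587 octet-count prefix that some TCP syslog senders add.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<hostname>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) (?P<rest>.*)",
    re.DOTALL,
)
# One SD-ELEMENT: [id name="value" ...]; ", \ and ] are backslash-escaped in values.
SD_ELEMENT = re.compile(r'\[(?P<id>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\\]])*)"')
OCTET_COUNT = re.compile(r"^(\d+) (?=<)")  # RFC 6587 framing on some TCP transports

def parse_rfc5424(line):
    """Return a dict of fields, or None if the line is not RFC 5424."""
    line = OCTET_COUNT.sub("", line.rstrip("\r\n"), count=1)
    m = HEADER.match(line)
    if not m or (pri := int(m["pri"])) > 191:   # PRI = facility * 8 + severity
        return None
    rest, sd = m["rest"], {}
    if rest.startswith("-"):                     # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while (e := SD_ELEMENT.match(rest)):
            sd[e["id"]] = dict(SD_PARAM.findall(e["params"]))
            rest = rest[e.end():]
        if not sd:
            return None
    if rest and not rest.startswith(" "):        # MSG must be space-separated
        return None
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m["timestamp"], "hostname": m["hostname"],
        "app": m["app"], "msgid": m["msgid"],
        "structured_data": sd, "msg": rest[1:].removeprefix("\ufeff"),
    }

# Constructed samples: RFC 5424, the same with an octet count, and a legacy
# BSD-style line that an RFC 5424-only parser rejects.
SAMPLES = [
    '<110>1 2024-05-01T12:00:00.123Z appliance01 audit 1234 LOGIN '
    '[meta@32473 user="admin" result="success"] session started',
    '62 <110>1 2024-05-01T12:00:00Z appliance01 audit - - - test event',
    '<110>May  1 12:00:00 appliance01 audit: test event',
]
for s in SAMPLES:
    print(parse_rfc5424(s) or f"NOT RFC 5424: {s!r}")
```

Running it against a line captured at the collector shows whether the rejection happens at the syslog framing or header level, or later in the product's own field mapping.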
DanCernese
HPE Pro
Solution

Re: HPE OneView Audit Log events and remote syslog parsing

A lot of materials have migrated over time from "documents" into our support center.  Here is audit log formatting:

https://support.hpe.com/hpesc/public/docDisplay?docId=sd00002887en_us&docLocale=en_US&page=GUID-D7147C7F-2016-0901-066E-00000000051B.html

 



I work at HPE
smamm
Occasional Advisor

Re: HPE OneView Audit Log events and remote syslog parsing

Thank you Dan - I'll review the article and see if I can get our remote syslog monitoring back on track.