Re: Help in local-user and iMC....... (1714 Views)
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 1 of 22 (1,729 Views)

Help in local-user and iMC.......

Hi

We have a local user (admin) on the 4800G and 2900al switches. I want to see from iMC what configuration he changed. We have 70 switches, and I want to see them all at the same time, not go to the switches one by one to see the log.

 

and thank you.

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 2 of 22 (1,714 Views)

Re: Help in local-user and iMC.......

If I'm understanding it right, what you want to do is to generate a report that shows you all changes, across all devices (or maybe a group of devices). Is that correct?

 

I don't think that this capability currently exists. It's easy enough to see what's changed on an individual device basis, but it's not so easy to generate a single report showing changes across all devices.

 

I haven't dug into the ProCurve options around logging commands, but you may be able to get the switches to log all executed commands to your syslog server. I know you can do it with IOS, so it should be possible on HP switches. Set the syslog server to be the IMC system, and you'll be able to see the logs.

 

You should also be using centralised AAA, so you can control users, and log all commands. Then set up an alert whenever someone logs in with a local admin account, rather than using AAA.

CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 3 of 22 (1,710 Views)

Re: Help in local-user and iMC.......

Hi

I think you don't understand me. By local user I mean a user in the switch, not a computer user. I want to know what the changes are in the configuration of a group of switches, like vlan, inter disable, ...

and

How can I set the syslog server to be the IMC system?

I tried to use Configuration Templates. I added a new Template; you can see the configuration for the Template in the attachment.

 

Thank you for your help.

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 4 of 22 (1,708 Views)

Re: Help in local-user and iMC.......


MohammadH wrote:

I think you don't understand me. By local user I mean a user in the switch, not a computer user. I want to know what the changes are in the configuration of a group of switches, like vlan, inter disable, ...


 

I wasn't referring to a computer user - I was referring to users logging into the switches or routers.

 


MohammadH wrote:

How can I set the syslog server to be the IMC system?

I tried to use Configuration Templates. I added a new Template; you can see the configuration for the Template in the attachment.

 

Thank you for your help.



Config to set the syslog destination on a Comware-based switch would look something like:

info-center enable
info-center loghost 10.1.1.200
info-center source default channel loghost log level information
info-center source default channel loghost trap level information
info-center source default channel loghost debug state off
 
In general, if you want to look at logs across a range of devices, you don't log into them all and go "display log" - instead, you configure them to all send syslogs to a central destination, and you search there. Using config templates in IMC is more intended for pushing out configuration changes, rather than looking at logs.

 

 

CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 5 of 22 (1,706 Views)

Re: Help in local-user and iMC.......

Hi

Sorry, I misunderstood you.

Thank you for the configuration. Can I have the configuration for the 2900, and do I need to change any setting in iMC so it can get the log from the switch? I also want to ask: can I make iMC send an email if the user changes the configuration on the switches?


and

 

Thank you for your help

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 6 of 22 (1,704 Views)

Re: Help in local-user and iMC.......

On ProCurve, the commands are something like:

logging 10.1.1.100

logging severity info

 

IMC will be set up to receive syslogs by default, BUT you may need to check your firewall on your server, to ensure it allows inbound syslog.

 

Once IMC is receiving syslogs, you should see syslogs at Alarm -> Syslog Management -> Browse Syslog.

 

If the switches are configured to send SNMP traps to the IMC server, and they send SNMP traps for config changes, that will generate alarms, which you can use to send emails. Those will just be generic alerts every time someone enters config mode.

 

If you want more complex alerts, you can configure syslog templates to match specific patterns, configure syslog to alarm escalation, and configure email alerts based on those.

CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 7 of 22 (1,688 Views)

Re: Help in local-user and iMC.......

Hi

Thank you for the configuration for the ProCurve. By (If the switches are configured to send SNMP traps to the IMC server), do you mean the config for the syslogs?

 

and thank you for your help.

 

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 8 of 22 (1,685 Views)

Re: Help in local-user and iMC.......

No, SNMP traps are configured separately to syslogs. They are different protocols, used for different purposes (although I guess there is some overlap in use/functionality).

You might want to do some reading on SNMP, and traps, and how they work in general. Might make it a bit clearer.
CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 9 of 22 (1,678 Views)

Re: Help in local-user and iMC.......

Hi

I know what SNMP traps are. I want to know how to configure the switch and iMC so that if someone logs in to a switch or changes the config, or a login fails or succeeds, iMC will send an Email Notification.

I tried to do it but no luck...!!

 


and

Thank you for your help.

 

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 10 of 22 (1,674 Views)

Re: Help in local-user and iMC.......


MohammadH wrote:

I want to know how to configure the switch and iMC so that if someone logs in to a switch or changes the config, or a login fails or succeeds, iMC will send an Email Notification.

 


OK. Let's start from the top. If you want an email on all logins, and config changes, then let's start by using syslog. 

 

On the switches themselves, when you login and make a change, does it display anything in your syslogs?

 

Deal with that first. You may need to change the configs. I haven't looked into it for Comware/ProCurve, but Cisco switches need configuration to log failed login attempts.

 

Once that's working, make sure that the switches are sending syslogs to the IMC server. 

 

When you've got syslog entries for logins + config changes being sent to the IMC server, and visible in Alarms -> Syslog Management, come back here, and we'll walk through turning those syslog entries into emails.

 

The other thing you should be doing is implementing centralised AAA. This will give you MUCH better visibility and control.

CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 11 of 22 (1,663 Views)

Re: Help in local-user and iMC.......

Hi

If by implementing centralised AAA you mean the RADIUS server, if so, we plan to install a RADIUS server in the future.

I finished the configuration on the switch. When I change the config on the switch I can see it in:

(Alarm -> Syslog Management -> Browse Syslog),

So what is the next step?

 

and

thank you for your help.

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 12 of 22 (1,655 Views)

You can use either RADIUS or TACACS (with IMC's TAM if you like) for centralised access control.
 
Now, if we used SNMP traps, we can immediately escalate those to alarms. Since it's syslog, we need to go through another step. Bear with me, and we'll work through it in stages.
 
First you need to define a Syslog Template. This will match specific patterns in the syslog entries. We can later use this template to create alarms. Once we can create alarms, we should be able to turn those into emails. 
 
Go to Alarms -> Syslog Management -> Syslog Templates. Click Add, and give it a name, and Template Content. These are the patterns to match in the syslog entry. Note that you can grab specific parts of the syslog, and assign them to parameters. For now, maybe just keep it simple. If your syslog entry looks something like this: "User admin logged in via console", then you could have a pattern Template Content like: "User $(user) logged in via $(interface)"
 
Click OK to save that.
 
Now go to "Syslog to Alarm". Click Add. Give it a name & Description. Key things to change here are the Alarm Level, and the Repeat interval/repeat time. The default is to only generate an alarm for 50 events in 300s. You probably want 1 event in 1s. Set the severity to whatever you want. 
 
In the "Alarm Description" field, just leave it as %syslog% for now. Later you can change the message if you like, using some of those parameters we got earlier. Select a Syslog Template - use the one you defined earlier. Hit OK on that.
 
Now try triggering some of the events that cause that syslog. See if you can see the entry in "Browse Syslog". Then go and check "Alarm Browse -> Real-Time Alarms", and see if you can see the alarm there.
 
Get that working, then we'll look at generating emails.
 
 
 
 
CCIE 36708 | @northlandboy | lkhill.com
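
An added example (not part of any post here, and not IMC's own matching engine): a simplified Python model of the two steps described in the reply above, a Syslog Template with `$(name)` parameters followed by a Syslog to Alarm rule with repeat times and interval. The whitespace-free parameter capture, the sliding-window counting and the sample lines are assumptions made for illustration.

```python
import re
from collections import deque

def compile_template(content):
    """Literal text must appear as-is; each $(name) captures one whitespace-free token."""
    names, parts, pos = [], [], 0
    for m in re.finditer(r"\$\(([^)]+)\)", content):
        parts.append(re.escape(content[pos:m.start()]))
        names.append(m.group(1))
        parts.append(r"(\S+)")
        pos = m.end()
    parts.append(re.escape(content[pos:]))
    return re.compile("".join(parts)), names

def match(template, line):
    """Return the captured parameters, or None when the line does not fit the template."""
    rx, names = compile_template(template)
    m = rx.search(line)
    return dict(zip(names, m.groups())) if m else None

class Escalation:
    """Alarm only once `times` matching messages fall inside `interval` seconds."""
    def __init__(self, times, interval):
        self.times, self.interval, self.seen = times, interval, deque()

    def feed(self, ts):
        self.seen.append(ts)
        while self.seen and ts - self.seen[0] >= self.interval:
            self.seen.popleft()  # drop messages older than the window
        return len(self.seen) >= self.times

# Constructed sample: (seconds since start, message text as it might show in Browse Syslog).
SAMPLE = [
    (0.0, "User admin logged in via console"),
    (40.0, "admin logged in from 10.1.1.50."),
    (95.0, "User admin logged in via console"),
]

def alarms(template, times, interval, events=SAMPLE):
    """Run every event through the template, then through the escalation rule."""
    esc, out = Escalation(times, interval), []
    for ts, line in events:
        params = match(template, line)
        if params is not None and esc.feed(ts):
            out.append((ts, params))
    return out

if __name__ == "__main__":
    console = "User $(user) logged in via $(interface)"
    print(alarms(console, 50, 300))  # the default quoted above: 50 events in 300s
    print(alarms(console, 1, 1))     # 1 event in 1s
```

Running candidate Template Content against lines copied from Browse Syslog this way shows quickly whether a pattern fits a given message at all, before looking at the repeat settings.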
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 13 of 22 (1,650 Views)

Re: lindsayhill

Hi

I want to ask: do I need Active Directory with TACACS? If so, is there a way to use TACACS without Active Directory?

and

Will the (User $(user) logged in via $(interface)) work with telnet, or only the console? Because I tried it with telnet but can't see anything in (Alarm Browse -> Real-Time Alarms).

I have a Filtering Trap; will it affect the syslog? I have an attachment where you can see the Trap.

 

Thank you for your help.

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 14 of 22 (1,646 Views)

I haven't used TAM, so I can't comment on that. You'd have to read the docs.

That template example was just a random example - I don't know what your syslog patterns look like. You need to look at your syslogs, and come up with a pattern that works.
CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 15 of 22 (1,631 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

I tried to change the template but no luck. You can see the syslog patterns in the attachment,

 

and

 

thank you.

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 16 of 22 (1,629 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

So what settings do you have for your syslog template, and your syslog to alarm policies?

Looking at those logs, you could probably also use snmp traps if you wanted.
CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 17 of 22 (1,622 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

I looked at them and I tried different Template Content but no luck. I will try again, then come back here if it works.

and

Thank you for your help so much.

 

 

 

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 18 of 22 (1,615 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

My advice would be to start simple with your templates. Don't worry about parameters, etc. just yet. Keep it simple, until you know you're matching what you need.

 

e.g. for the Failed Login syslog, I might just look for "h3cLoginAuthenFailure"

 

Make sure that your syslog to alarm template changes the counters too, to alarm for every message, not for the default of 50 messages received in 5 minutes.

CCIE 36708 | @northlandboy | lkhill.com
Honored Contributor
Peter_Debruyne
Posts: 328
Registered: ‎03-21-2011
Message 19 of 22 (1,605 Views)

Re: Help in local-user and iMC.......

Hi,

 

On Comware devices (4800), you can enable shell logging to a specific syslog server. This means that all typed commands (as shown in the local log file with display logging) can be sent to an external syslog server.

 

If you do not want these on the default syslog server, you can use a dedicated channel (output channel), disable all other features (default), and enable the SHELL source on this new channel.

Next, configure a specific syslog IP for this channel.

 

This would be a sample config:

 

info-center channel 6 name loghostshell
info-center source default channel 6 log state off trap state off
info-center source SHELL channel 6
info-center loghost 192.168.5.42 channel 6

This is not possible on ProVision devices. For these you need to configure an external RADIUS server for login. The ProVision switches can use RADIUS accounting to log all operator commands to an external system.

I have attached a configuration guide I have made in the past which explains the steps with a Microsoft NPS RADIUS server.

 

Hope this helps,

Best regards, Peter.

Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 20 of 22 (1,585 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Hi

Sorry I took a long time. I made it work, but it only sends an email the first time I log in, and sometimes it does not send an email. It is the same for commands: when I input any command, it only sends the first command and then will not send any email, so it almost works.

I use more than one template for login and logout, and for the command change:

for the login:

---------------

<h3cLogIn>: $(UserName) login from VTY

------
$(UserName) logged in from $(Source IP).

------------------------------------------

for the logout:

---------------

<h3cLogOut>: $(UserName) logout from VTY  

------
<h3cLogInAuthenFailure>: $(UserName) failed to login from VTY, reason is 2

------
TELNET user $(UserName) failed to log in from $(Source IP) on VTY0

------
$(UserName) logged out from $(Source IP).

-----------------------------------------------------

for the command change:

-------------------------

-Task=vt0-IPAddr=$(Source IP)-User=$(UserName); Command is

or

$(Source IP)-User=$(UserName); Command is

------------------------------------------------------------------------------------

Thank you for the guide, it really helped me, and for the config sample.

----------------------------------------------------------------------

 

thank you for taking your time to help.
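
An added example (not part of any post in this thread): once every switch sends its shell log to one syslog server, the "Command is" records can be folded into a single per-device change report, which is what the opening question asked for. The message layout is taken from the templates posted above; the device names, user names, addresses and the set of local accounts are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout taken from the "-Task=...-IPAddr=...-User=...; Command is" templates in this thread.
CMD_RE = re.compile(
    r"-Task=(?P<task>[^-]+)-IPAddr=(?P<ip>[^-]+)-User=(?P<user>[^;]+); Command is (?P<cmd>\S.*)"
)

# Constructed sample: (sending device as recorded by the syslog server, message text).
EVENTS = [
    ("sw-4800g-01", "-Task=vt0-IPAddr=10.1.1.50-User=admin; Command is system-view"),
    ("sw-4800g-01", "-Task=vt0-IPAddr=10.1.1.50-User=admin; Command is vlan 20"),
    ("sw-4800g-02", "-Task=vt1-IPAddr=10.1.1.77-User=jsmith; Command is display logging"),
    ("sw-4800g-02", "-Task=vt1-IPAddr=10.1.1.77-User=jsmith; Command is interface GigabitEthernet1/0/5"),
    ("sw-4800g-02", "-Task=vt1-IPAddr=10.1.1.77-User=jsmith; Command is shutdown"),
    ("sw-4800g-03", "admin logged in from 10.1.1.50."),  # a login message, not a command record
]

def parse_command(message):
    """Return task, ip, user and cmd for a shell command record, else None."""
    m = CMD_RE.search(message)
    return m.groupdict() if m else None

def change_report(events, local_accounts=frozenset({"admin"})):
    """Group non-display commands by device and mark those typed by a local account."""
    report = defaultdict(list)
    for device, message in events:
        rec = parse_command(message)
        if rec is None or rec["cmd"].split()[0] == "display":
            continue  # skip non-command messages and read-only display commands
        rec["local_account"] = rec["user"] in local_accounts
        report[device].append(rec)
    return dict(report)

if __name__ == "__main__":
    for device, recs in change_report(EVENTS).items():
        for r in recs:
            flag = "LOCAL" if r["local_account"] else "other"
            print(f"{device:12} {r['user']:8} {r['ip']:12} {flag:5} {r['cmd']}")
```

The `local_account` flag corresponds to the earlier suggestion in the thread to alert on use of a local admin account rather than AAA.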

 

 

Honored Contributor
LindsayHill
Posts: 742
Registered: ‎11-16-2011
Message 21 of 22 (1,560 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...

Check your syslog templates. Check the Repeat Interval, and Repeat Times.

CCIE 36708 | @northlandboy | lkhill.com
Regular Advisor
MohammadH
Posts: 102
Registered: ‎12-13-2011
Message 22 of 22 (1,558 Views)

Re: I haven't used TAM, so I can't comment on that. You'd hav...


Hi

OK, I checked the syslog templates, and the Repeat Interval is 1, and Repeat Times is 1.

So it works now, but sometimes it does not work, so I will keep the config like this for now.

 

Thank you.
