HP 8/8 Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010) - Page 101
Configuring an audit log for specific event classes, event class operands are identified
View all HP 8/8 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 101 highlights
Audit log configuration 3 1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated. 2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command. 3. Ensure the network is configured with a network connection between the switch and the remote host. 4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of the audit messages. Configuring an audit log for specific event classes 1. Connect to the switch from which you want to generate an audit log and log in using an account assigned to the admin role. 2. Enter the auditCfg --class command, which defines the specific event classes to be filtered. switch:admin> auditcfg --class 2,4 Audit filter is configured. The auditCfg event class operands are identified in Table 7 on page 60. 3. Enter the auditCfg --enable command, which enables audit event logging based on the classes configured in step 2. switch:admin> auditcfg --enable Audit filter is enabled. To disable an audit event configuration, enter the auditCfg --disable command. 4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled). switch:admin> auditcfg --show Audit filter is enabled. 2-SECURITY 4-FIRMWARE 5. Verify the audit event log setup by making a change affecting an enabled event class and confirming that the remote host machine receives the audit event messages. Example of the SYSLOG (system message log) output for audit logging Oct 10 08:52:06 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/10.3.220.13/telnet/CLI, ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.3.220.13. Oct 10 08:52:23 10.3.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN 10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed successfully. All config parameters are uploaded. Oct 10 09:00:04 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/10.3.220.13/None/CLI, None/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.3.220.13. Fabric OS Administrator's Guide 61 53-1001763-01