Auditing and logging - server

Information

ArubaOS-Switch stores event and security logs locally and can also forward events to a remote server over the syslog protocol for auditing purposes. Logged events can be filtered by severity level, by originating system module, or by regular expressions matched against the message text.

The syslog client can connect to a server using UDP (the default), TCP, or TLS. TLS is the preferred protocol, as it provides an encrypted connection to the syslog receiver. Using TLS requires the switch to possess a signed TLS client certificate, and the receiver to possess a signed TLS server certificate. (Self-signed certificates cannot be used for connections to a syslog receiver.)

Solution

Refer to the user documentation for the desired syslog receiver to generate and install the required TLS server certificate.

Once the required certificates are installed, use the following commands to configure the switch to forward all events with a severity of warning or higher to a syslog server at 10.100.1.250 using TLS:

switch(config)# logging 10.100.1.250 tls
switch(config)# logging severity warning
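
To confirm the result offline, the following added example (not part of the original audit item or of any vendor tooling) checks saved configuration text for receivers that are not using TLS and for the severity setting. It assumes the configuration lists logging lines in the same form as the commands above; the sample text and the function name audit_logging are constructed for illustration.

```python
import re

# Constructed sample configuration text (not captured from a real device).
# Assumption: logging lines appear in the same form as the commands are entered.
SAMPLE_CONFIG = """\
hostname "switch"
logging 10.100.1.250 tls
logging 10.100.1.251
logging 10.100.1.252 tcp
logging severity warning
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
TRANSPORTS = {"udp", "tcp", "tls"}


def audit_logging(config, required_severity="warning"):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    receivers = []
    severity = None
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].lower() != "logging":
            continue
        if IPV4.match(tokens[1]):
            # With no protocol keyword the syslog client uses UDP (the default).
            proto = next((t.lower() for t in tokens[2:] if t.lower() in TRANSPORTS), "udp")
            receivers.append((tokens[1], proto))
        elif tokens[1].lower() == "severity" and len(tokens) > 2:
            severity = tokens[2].lower()
    if not receivers:
        findings.append("no syslog receiver configured")
    for addr, proto in receivers:
        if proto != "tls":
            findings.append(f"receiver {addr} uses {proto}, not tls")
    # Compared against the value this item configures; other levels need review.
    if severity is None:
        findings.append("no 'logging severity' line configured")
    elif severity != required_severity:
        findings.append(f"severity is {severity}, expected {required_severity}")
    return findings


if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_CONFIG):
        print("FAIL:", finding)
```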

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1)

Plugin: ArubaOS

Control ID: d2eaefcdbfecf1840bca714f4b9f914fe003b8560330c118928aebebc2059333