63. HP ProCurve
HP ProCurve switches are capable of sending their logs to a remote Syslog destination via UDP or TCP. When sending logs over the network it is recommended to use TCP as the more reliable protocol. With UDP there is a potential to lose entries, especially when there is a high volume of messages. It is also possible to send logs via TLS if additional security is required.
I 03/17/17 18:06:15 ports: port B3 is Blocked by STP
I 03/17/17 18:06:15 ports: port B3 is now on-line
I 03/17/17 18:24:57 SNTP: updated time by -4 seconds
I 03/17/17 21:03:04 ports: port B3 is now off-line
I 03/18/17 02:00:53 SNTP: updated time by -4 seconds
I 03/18/17 09:36:49 SNTP: updated time by -4 seconds
I 03/18/17 17:00:45 SNTP: updated time by -4 seconds
I 03/18/17 23:34:25 mgr: SME TELNET from 192.168.9.78 - MANAGER Mode
The HP ProCurve web interface does not provide a way to configure an external Syslog server, so this must be done via the command line (see the following sections). For more details on configuring logging for HP ProCurve switches, refer to the HP ProCurve Management and Configuration Guide available from HP Enterprise Support. The actual document depends on the model and firmware version in use.
Warning: In case of multiple switches running in redundancy mode (such as VRRP or similar), each device must be configured separately as failover happens per VLAN and logging configuration is not synchronized.

Note: The steps below have been tested with HP 4000 series switches but should also work for 2000, 6000, and 8000 series devices.

- Configure NXLog to receive log entries over the network and process them as Syslog (see Accepting Syslog via UDP, TCP, or TLS and the TCP example below). Then restart NXLog.
- Make sure the NXLog agent is accessible from the switch.
- Connect to the switch via SSH or Telnet.
- Run the following commands to configure Syslog logging. Replace LEVEL with the logging level (debug, major, error, warning, or info). Replace FACILITY with the Syslog facility to be used for the logs. Replace IP_ADDRESS with the address of the NXLog agent; PROTOCOL with udp, tcp, or tls; and PORT with the required port. If PORT is omitted, the default will be used (514 for UDP, 1470 for TCP, or 6514 for TLS).

      # configure
      (config)# logging severity LEVEL
      (config)# logging facility FACILITY
      (config)# logging IP_ADDRESS PROTOCOL PORT
      (config)# write memory

Example 270. Configuring Syslog Forwarding via TCP

The following commands configure the switch to send logs to 192.168.6.143 via the default TCP port. Only logs with info severity level and higher will be sent, and the local5 Syslog facility will be used.

    # configure
    (config)# logging severity info
    (config)# logging facility local5
    (config)# logging 192.168.6.143 tcp
    (config)# write memory

This example shows HP ProCurve logs as received and processed by NXLog.
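<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in_syslog_tcp>
    Module  im_tcp
    Host    0.0.0.0
    # 1470 is the port the switch uses for TCP when PORT is omitted
    Port    1470
    # Parse each received line as Syslog into NXLog fields
    Exec    parse_syslog();
</Input>

<Output file>
    Module  om_file
    File    "/var/log/hp.log"
    # Write each event as one JSON object
    Exec    to_json();
</Output>
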
Events like those at the beginning of the chapter will result in the following output.
{
  "MessageSourceAddress": "192.168.10.3",
  "EventReceivedTime": "2017-03-18 19:32:02",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 21,
  "SyslogFacility": "LOCAL5",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "192.168.10.3",
  "EventTime": "2017-03-19 00:27:27",
  "SourceName": "mgr",
  "Message": " SME TELNET from 192.168.9.78 - MANAGER Mode"
}
}
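
The JSON records written to /var/log/hp.log can be reviewed for switch management logins such as the Telnet session above. The following is an added example, not part of the NXLog documentation: it flags mgr sessions that use Telnet or come from outside an expected management subnet. The ADMIN_NETS value, the review_sessions and _ev names, and every sample record other than the first are assumptions made for this illustration, as is the premise that other session messages follow the same pattern as the one shown.

```python
import ipaddress
import json
import re

# Session message format shown above: " SME TELNET from 192.168.9.78 - MANAGER Mode"
SESSION_RE = re.compile(
    r"SME\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+-\s+(?P<mode>\S+)\s+Mode")

# Assumption: hypothetical subnet that management stations connect from.
ADMIN_NETS = [ipaddress.ip_network("192.168.6.0/24")]

def review_sessions(lines, admin_nets=ADMIN_NETS):
    """Flag switch management logins in NXLog's one-JSON-object-per-line output."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partially written record
        if not isinstance(ev, dict) or ev.get("SourceName") != "mgr":
            continue
        m = SESSION_RE.search(ev.get("Message") or "")
        if not m:
            continue
        reasons = []
        if m["proto"].upper() == "TELNET":
            reasons.append("cleartext protocol")
        try:
            if not any(ipaddress.ip_address(m["src"]) in n for n in admin_nets):
                reasons.append("source outside admin networks")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({"switch": ev.get("Hostname"), "time": ev.get("EventTime"),
                             **m.groupdict(), "reasons": reasons})
    return findings

def _ev(source, message):  # builds one constructed record
    return json.dumps({"Hostname": "192.168.10.3", "EventTime": "2017-03-19 00:27:27",
                       "SourceName": source, "Message": message})

# First record is the event shown above; the rest are constructed for this example.
SAMPLE = [
    _ev("mgr", " SME TELNET from 192.168.9.78 - MANAGER Mode"),
    _ev("mgr", " SME SSH from 192.168.6.20 - MANAGER Mode"),
    _ev("mgr", " SME SSH from 10.0.0.5 - OPERATOR Mode"),
    _ev("SNTP", " updated time by -4 seconds"),
    '{"Hostname": "192.168.10.3", "Mess',
]
```

To review real output, pass an open file object for /var/log/hp.log to review_sessions() in place of SAMPLE.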