
63. HP ProCurve

HP ProCurve switches are capable of sending their logs to a remote Syslog destination via UDP or TCP. When sending logs over the network it is recommended to use TCP as the more reliable protocol. With UDP there is a potential to lose entries, especially when there is a high volume of messages. It is also possible to send logs via TLS if additional security is required.

ProCurve Log Sample
I 03/17/17 18:06:15 ports: port B3 is Blocked by STP
I 03/17/17 18:06:15 ports: port B3 is now on-line
I 03/17/17 18:24:57 SNTP: updated time by -4 seconds
I 03/17/17 21:03:04 ports: port B3 is now off-line
I 03/18/17 02:00:53 SNTP: updated time by -4 seconds
I 03/18/17 09:36:49 SNTP: updated time by -4 seconds
I 03/18/17 17:00:45 SNTP: updated time by -4 seconds
I 03/18/17 23:34:25 mgr: SME TELNET from 192.168.9.78 - MANAGER Mode
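The last sample line records a manager-mode session opened over Telnet, a cleartext protocol, which is the kind of event worth alerting on once these logs are collected. The following Python sketch is an added example, not part of the NXLog documentation: it parses the raw line format shown above and reports such sessions. The function names are hypothetical, and it assumes that sessions over other protocols are logged with the same "SME ... from ... Mode" wording.

```python
import re
from datetime import datetime

# Lines copied from the "ProCurve Log Sample" above.
SAMPLE = """\
I 03/17/17 18:06:15 ports: port B3 is Blocked by STP
I 03/17/17 21:03:04 ports: port B3 is now off-line
I 03/18/17 02:00:53 SNTP: updated time by -4 seconds
I 03/18/17 23:34:25 mgr: SME TELNET from 192.168.9.78 - MANAGER Mode
"""

# <severity letter> <MM/DD/YY> <HH:MM:SS> <subsystem>: <message>
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<source>[^:]+): (?P<msg>.*)$"
)
# Management session message as in the last sample line. That other
# protocols are logged with the same wording is an assumption.
SESSION_RE = re.compile(r"^SME (?P<proto>\S+) from (?P<ip>\S+) - (?P<mode>\S+) Mode$")
CLEARTEXT = {"TELNET"}


def parse_line(line):
    """Split one ProCurve log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S")
    return {"severity": m["sev"], "time": ts, "source": m["source"], "message": m["msg"]}


def cleartext_mgmt_sessions(lines):
    """Return management sessions that were opened over a cleartext protocol."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["source"] != "mgr":
            continue
        s = SESSION_RE.match(ev["message"])
        if s and s["proto"].upper() in CLEARTEXT:
            findings.append({"time": ev["time"], "client": s["ip"],
                             "protocol": s["proto"], "mode": s["mode"]})
    return findings


if __name__ == "__main__":
    for f in cleartext_mgmt_sessions(SAMPLE.splitlines()):
        print(f"{f['time']} {f['protocol']} session from {f['client']} ({f['mode']} mode)")
```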

The HP ProCurve web interface does not provide a way to configure an external Syslog server, so this must be done via the command line (see the following sections). For more details on configuring logging for HP ProCurve switches, refer to the HP ProCurve Management and Configuration Guide available from HP Enterprise Support. The actual document depends on the model and firmware version in use.

Warning
In case of multiple switches running in redundancy mode (such as VRRP or similar), each device must be configured separately as failover happens per VLAN and logging configuration is not synchronized.
Note
The steps below have been tested with HP 4000 series switches but should also work for 2000, 6000, and 8000 series devices.
  1. Configure NXLog to receive log entries over the network and process them as Syslog (see Accepting Syslog via UDP, TCP, or TLS and the TCP example below). Then restart NXLog.

  2. Make sure the NXLog agent is accessible from the switch.

  3. Connect to the switch via SSH or Telnet.

  4. Run the following commands to configure Syslog logging. Replace LEVEL with the logging level (debug, major, error, warning, or info). Replace FACILITY with the Syslog facility to be used for the logs. Replace IP_ADDRESS with the address of the NXLog agent; PROTOCOL with udp, tcp, or tls; and PORT with the required port. If PORT is omitted, the default will be used (514 for UDP, 1470 for TCP, or 6514 for TLS).

    # configure
    (config)# logging severity LEVEL
    (config)# logging facility FACILITY
    (config)# logging IP_ADDRESS PROTOCOL PORT
    (config)# write memory

    Example 270. Configuring Syslog Forwarding via TCP

    The following commands configure the switch to send logs to 192.168.6.143 via the default TCP port. Only logs with info severity level and higher will be sent, and the local5 Syslog facility will be used.

    # configure
    (config)# logging severity info
    (config)# logging facility local5
    (config)# logging 192.168.6.143 tcp
    (config)# write memory

Example 271. Receiving ProCurve Logs via TCP

This example shows HP ProCurve logs as received and processed by NXLog.

nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in_syslog_tcp>
    Module  im_tcp
    Host    0.0.0.0
    Port    1470
    Exec    parse_syslog();
</Input>

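<Output file>
    Module  om_file
    File    "/var/log/hp.log"
    Exec    to_json();
</Output>

# Connect the TCP input to the file output; modules that are not
# part of a route do not process any data.
<Route hp_procurve>
    Path    in_syslog_tcp => file
</Route>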

Events like those at the beginning of the chapter will result in the following output.

Output Sample
{
  "MessageSourceAddress": "192.168.10.3",
  "EventReceivedTime": "2017-03-18 19:32:02",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 21,
  "SyslogFacility": "LOCAL5",
  "SyslogSeverityValue": 6,
  "SyslogSeverity": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "192.168.10.3",
  "EventTime": "2017-03-19 00:27:27",
  "SourceName": "mgr",
  "Message": " SME TELNET from 192.168.9.78 - MANAGER Mode"
}