Auditing and logging
ArubaOS-Switch provides both locally stored event and security logs, as well as using the syslog protocol to forward events to a remote server for auditing purposes. Logged events can be filtered by severity level, originating system modules, or using regular expressions to match against message text.
The syslog client is capable of connecting to a server using UDP (default), TCP, or TLS protocols. TLS is the preferred protocol, as it provides an encrypted connection to the syslog receiver. This requires the switch to possess a signed TLS client certificate, and the receiver to possess a signed TLS server certificate. (Self-signed certificates cannot be used for connections to a syslog receiver.)
The process of requesting and installing a signed TLS client certificate for syslog is similar to that for requesting and installing an SSL/TLS certificate for web-management:
switch(config)# crypto pki ta-profile syslogprofile switch(config)# copy sftp ta-certificate syslogprofile sftpuser@10.10.10.1 cacert.pem switch(config)# crypto pki create-csr certificate-name syslogcert ta-profile syslogprofile usage all key-type rsa key-size 2048 -----BEGIN CERTIFICATE REQUEST----- < Certificate request string > -----END CERTIFICATE REQUEST-----
As with the web certificate generation process shown earlier, copy the CSR contents to the CA by copying and pasting, or uploading as a file. Here, the file syslogcert.csr contains the CSR, and the command shown generates a certificate file named syslogcert.pem:
root@localca:~# openssl ca -days 365 -in syslogcert.csr -out syslogcert.pem -cert cacert.pem -keyfile cakey.pem -config /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Aug 21 19:01:53 2018 GMT Not After : Aug 20 19:01:53 2019 GMT Subject: commonName = switch X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: < Subject Key Identifier string > X509v3 Authority Key Identifier: < Authority Key Identifier string > Certificate is to be certified until Aug 20 19:01:53 2019 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Copy the generated certificate file syslogcert.pem to the SFTP root folder, then transfer it to the switch:
switch(config)# copy sftp local-certificate sftpuser@10.10.10.1 syslogcert.pem
Refer to the user documentation for the desired syslog receiver to generate and install the required TLS server certificate.
Once the required certificates are installed, use the following commands to configure the switch to forward all events with a severity of warning or higher to a syslog server at 10.100.1.250 using TLS:
switch(config)# logging 10.100.1.250 tls switch(config)# logging severity warning
For more information, refer to "Debug/syslog operation" in the chapter titled "Troubleshooting" in the ArubaOS-Switch Management and Configuration Guide.