Hi all,
We're evaluating Central for AOS-CX wired network management and I'd like to better understand how change auditing works.
At the moment, I don't see the ability to export audit trail logs for configurations made in Central. I'm hoping I've overlooked something, as this seems to be a fairly important detail to be missing, especially since audit logs are purged after 90 days.
I'm trying to understand how I will correlate configuration changes from different users in Central against changes on switches.
Am I correct in my understanding:
- All changes from Central are made by the admin user; this username cannot be changed.
- Changes are not directly written to the switch as commands; a new config is uploaded to the switch and a checkpoint is created.
- Checkpoints are named according to the date and time the change was made by Central. This can be matched by the timestamp (not exactly) to the Audit Trail in Central.
Currently we have command logging configured with ClearPass and TACACS+ on our network and it works extremely well. I understand TACACS+ is considered legacy, but in terms of auditing configuration changes it provides far greater capabilities than Central. IMHO, the capabilities in Central are a significant jump in the wrong direction, particularly in the name of security.
I'm hoping I'm wrong and I've missed something, but at a minimum I'd expect the ability to export these audit logs into our SIEM for local auditing and analysis; a 90-day lifecycle isn't enough.
Have I missed anything?
Thanks,
Victor
P.S. I was looking at the Central API to see if it exposed the audit trail; unfortunately it does not.
------------------------------
Victor Castro
------------------------------