Manage audit log forwarding

Audit log forwarding enables HPE OneView to forward audit logs to remote Security Information and Event Management (SIEM) systems. Such systems enable centralized audit compliance, monitoring, log analysis, and controlled retention policies.

The forwarding protocol used is the standard UDP-based syslog protocol described in RFC5424 and RFC5426. The syslog protocol is supported by all common syslog servers such as rsyslog, syslog-ng and SIEM products.

As audit log entries are forwarded over UDP, the entries are not encrypted and delivery is not guaranteed. Even when you have HPE OneView and all managed devices on a dedicated, isolated management LAN, forwarding audit log entries to external systems can pose a security risk. In an environment where encryption is required, use the REST API /rest/audit-logs to schedule a job to download the appliance audit logs. See the HPE OneView API Reference for more information.

  • Privileges: Infrastructure administrator.

  • Ensure that any firewalls between HPE OneView and the remote syslog server allow UDP traffic. The default UDP port used is 514.

  1. From the main menu, select Settings > Security.
  2. Click the Edit icon in the Security panel or select Actions > Edit.
  3. On the Edit Security screen, under Audit Log, enable Audit log forwarding.

    Audit log forwarding is disabled by default.

  4. To add a destination system, click Add destination.
  5. In the Add Destination page, provide the following details:
    1. Fully Qualified Domain Name (FQDN) or IP address (IPv4 or IPv6) of the destination system.
    2. The port that the SIEM server is listening on. Default port: 514.
  6. Click Add. To add more destination systems, click Add+. You can configure a maximum of three forwarding destinations.
  7. Click OK.

    The configured forwarding destinations are displayed in the Actions > Audit Log pane.

  8. Click Send test log entry.
  9. Verify that the test entry is successfully forwarded to the destination SIEM server logs.