Exceptions for Audit Logging
Use the commands log-audit-exception-create, log-audit-exception-delete, and log-audit-exception-show to control which CLI, shell, and vtysh commands are subject to auditing. If a command is subject to auditing, Netvisor ONE logs the command in the audit log and sends it to the TACACS+ server as authorization and accounting messages.
CLI network-admin@Spine1> log-audit-exception-create
 
Create an audit logging exception.
cli|shell|vtysh
Specify the type of audit exception.
pattern pattern-string
Specify a regular expression to match exceptions.
any|read-only|read-write
Specify the access type to match exceptions.
scope local|fabric
Specify the scope of exceptions.
CLI network-admin@Spine1> log-audit-exception-delete
 
Delete an audit logging exception.
cli|shell|vtysh
Specify the type of audit exception.
pattern pattern-string
Specify a regular expression to match exceptions.
any|read-only|read-write
Specify the access type to match exceptions.
CLI network-admin@Spine1> log-audit-exception-show
 
Display audit logging exceptions.
cli|shell|vtysh
Display the type of audit exception.
pattern pattern-string
Display a regular expression to match exceptions.
any|read-only|read-write
Display the access type to match exceptions.
scope local|fabric
Display the scope of exceptions.
By default, Netvisor ONE audits every command except read-only CLI commands and shell commands matching ^/usr/bin/nvmore, which is the pager for the Netvisor ONE CLI:
CLI (network-admin@switch) > log-audit-exception-show
switch type  pattern          access    scope
------ ----- ---------------- --------- -----
switch cli                    read-only local
switch shell ^/usr/bin/nvmore any       local
 
To enable auditing of ALL CLI commands, you can delete the cli/read-only exception:
CLI (network-admin@switch) > log-audit-exception-delete cli read-only
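The following Python check is an added example, not part of the Netvisor ONE documentation: it parses log-audit-exception-show output in the format shown above, lists exceptions outside the documented defaults, and tests whether a given command would be audited. The matching semantics in is_audited, the ^/usr/bin/top row, and the access label passed for each command are assumptions made for illustration.

```python
import re

TYPES = {"cli", "shell", "vtysh"}
ACCESS = {"any", "read-only", "read-write"}
SCOPES = {"local", "fabric"}
# Default exceptions as documented on this page: (type, pattern, access).
DEFAULTS = {("cli", "", "read-only"), ("shell", "^/usr/bin/nvmore", "any")}

# Constructed sample: the page's default rows plus one hypothetical added row.
SAMPLE = """\
switch type  pattern          access    scope
------ ----- ---------------- --------- -----
switch cli                    read-only local
switch shell ^/usr/bin/nvmore any       local
switch shell ^/usr/bin/top    any       fabric
"""

def parse_exceptions(text):
    """Parse log-audit-exception-show rows; the pattern column may be empty."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Header and separator lines fail these checks and are skipped.
        if (len(f) < 4 or f[1] not in TYPES
                or f[-2] not in ACCESS or f[-1] not in SCOPES):
            continue
        rows.append({"switch": f[0], "type": f[1],
                     "pattern": " ".join(f[2:-2]),
                     "access": f[-2], "scope": f[-1]})
    return rows

def is_audited(exceptions, cmd_type, command, access):
    """Assumed semantics: exempt when type, access and regex all match."""
    for e in exceptions:
        if (e["type"] == cmd_type and e["access"] in ("any", access)
                and (not e["pattern"] or re.search(e["pattern"], command))):
            return False
    return True

def non_default(exceptions):
    """Exceptions that are not part of the documented default set."""
    return [e for e in exceptions
            if (e["type"], e["pattern"], e["access"]) not in DEFAULTS]

if __name__ == "__main__":
    exc = parse_exceptions(SAMPLE)
    for e in non_default(exc):
        print("review non-default exception:", e)
    print(is_audited(exc, "cli", "log-audit-exception-show", "read-only"))
```

Running the same check on a capture taken after deleting the cli read-only exception should report read-only CLI commands as audited.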
Modifying User Roles
You can add privileges to a user through the new parameters available for roles. To add shell access to a user’s role, use the following syntax:
CLI (network-admin@switch) > role-create
name name-string
Specify a name for the user role.
scope local|fabric
Specify a scope for the user role.
One or more of the following options:
access read-only|read-write
Specify the type of access for the user role. The default is read-write.
running-config|no-running-config
Specify if the user role allows access to the switch running configuration.
shell|no-shell
Specify if the user role allows access to the shell.
sudo|no-sudo
Specify if the user role allows the sudo command.
 
The new parameters are also available for the role-modify command.