Exceptions for Audit Logging


The commands log-audit-exception-create, log-audit-exception-delete, and log-audit-exception-show control which CLI, shell and vtysh commands are subject to auditing.

If Netvisor ONE subjects a command to auditing, it logs the command in the audit log and sends it to the TACACS+ server as authorization and accounting messages.


CLI (network-admin@Spine1) > log-audit-exception-create

Create an audit logging exception.

cli|shell|vtysh                  Specify the type of audit exception.
pattern pattern-string           Specify a regular expression to match exceptions.
any|read-only|read-write         Specify the access type to match exceptions.
scope local|fabric               Specify the scope of exceptions.


CLI (network-admin@Spine1) > log-audit-exception-delete

Delete an audit logging exception.

cli|shell|vtysh                  Specify the type of audit exception.
pattern pattern-string           Specify a regular expression to match exceptions.
any|read-only|read-write         Specify the access type to match exceptions.


CLI (network-admin@Spine1) > log-audit-exception-show

Display audit logging exceptions.

cli|shell|vtysh                  Display the type of audit exception.
pattern pattern-string           Display a regular expression to match exceptions.
any|read-only|read-write         Display the access type to match exceptions.
scope local|fabric               Display the scope of exceptions.


By default, Netvisor ONE audits every command except read-only CLI commands and shell commands matching ^/usr/bin/nvmore, which is the pager for the Netvisor ONE CLI:

CLI (network-admin@switch) > log-audit-exception-show

switch type  pattern          access    scope
------ ----- ---------------- --------- -----
switch cli                    read-only local
switch shell ^/usr/bin/nvmore any       local


To enable auditing of all CLI commands, including read-only ones, delete the cli/read-only exception:

CLI (network-admin@switch) > log-audit-exception-delete cli read-only

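The default exception table and the delete step above, as an added worked example (this is not code from the Netvisor ONE documentation or product): a Python script that parses the log-audit-exception-show listing and decides whether a given command would be audited under those exceptions, before and after the cli/read-only exception is removed. The matching semantics (same type, exception access of any or equal to the command's access, regex searched against the command line) and the sample command lines are assumptions for illustration, not something the page states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the factory-default log-audit-exception-show listing as
# printed on the page. Column alignment matters, since the parser is fixed-width.
SHOW_OUTPUT = """\
switch type  pattern          access    scope
------ ----- ---------------- --------- -----
switch cli                    read-only local
switch shell ^/usr/bin/nvmore any       local
"""


@dataclass(frozen=True)
class AuditException:
    switch: str
    type: str      # cli | shell | vtysh
    pattern: str   # regular expression; empty cell means "every command of this type"
    access: str    # any | read-only | read-write
    scope: str     # local | fabric


def parse_show_output(text: str) -> list[AuditException]:
    """Parse the fixed-width table printed by log-audit-exception-show.

    Column boundaries come from the dash runs in the separator line, so an
    empty pattern cell (the default cli/read-only row) parses as "".
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, sep, *rows = lines
    cols = [(m.start(), m.end()) for m in re.finditer(r"-+", sep)]
    cols[-1] = (cols[-1][0], None)          # last column runs to end of line
    names = [header[s:e].strip() for s, e in cols]
    return [AuditException(**{n: row[s:e].strip() for n, (s, e) in zip(names, cols)})
            for row in rows]


def is_audited(cmd_type: str, command: str, access: str,
               exceptions: list[AuditException]) -> bool:
    """Return True if the command would be audited (assumed semantics, see lead-in).

    A command is exempt when some exception has the same type, an access of
    'any' or equal to the command's access, and an empty pattern or one that
    re.search() finds in the command line.
    """
    for exc in exceptions:
        if exc.type != cmd_type:
            continue
        if exc.access not in ("any", access):
            continue
        if exc.pattern and not re.search(exc.pattern, command):
            continue
        return False            # matched an exception, so not audited
    return True


def delete_exception(exceptions: list[AuditException], cmd_type: str,
                     access: str, pattern: str = "") -> list[AuditException]:
    """Model log-audit-exception-delete: drop the exception with matching keys."""
    return [e for e in exceptions
            if not (e.type == cmd_type and e.access == access and e.pattern == pattern)]


if __name__ == "__main__":
    defaults = parse_show_output(SHOW_OUTPUT)
    # Constructed sample command lines; names are illustrative, not from the page.
    samples = [
        ("cli", "vlan-show", "read-only"),
        ("cli", "vlan-create id 10 scope fabric", "read-write"),
        ("shell", "/usr/bin/nvmore /var/log/syslog", "read-write"),
        ("shell", "ls /var/log", "read-write"),
    ]
    for label, table in (("defaults", defaults),
                         ("after delete cli read-only", delete_exception(defaults, "cli", "read-only"))):
        print(f"== {label} ==")
        for cmd_type, cmd, access in samples:
            print(f"{cmd_type:5} {access:10} {cmd!r:40} audited={is_audited(cmd_type, cmd, access, table)}")
```

With the defaults, the read-only CLI command and the pager invocation are exempt while the read-write CLI command and the other shell command are audited; once the cli/read-only exception is deleted, the read-only CLI command is audited as well.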

Modifying User Roles


You can grant additional privileges to a user by setting the new parameters available for roles. To add shell access to a user's role, use the following syntax:


CLI (network-admin@switch) > role-create

name name-string                     Specify a name for the user role.
scope local|fabric                   Specify a scope for the user role.

One or more of the following options:

access read-only|read-write          Specify the type of access for the user role. The default is read-write.
running-config|no-running-config     Specify if the user role allows access to the switch running configuration.
shell|no-shell                       Specify if the user role allows access to the shell.
sudo|no-sudo                         Specify if the user role allows the sudo command.


The new parameters are also available for the role-modify command.