Configuring Audit Logging
Audit logging includes messages for user login or logout, authorization and denial of sessions or commands by TACACS+ server, audit drops, and commands run internally or by the user, among others. To view audit log Information, enter the following command:
CLI (network-admin@Leaf1) > log-audit-show
|
log-audit-show |
Display audit log information. |
|
Specify up to two options from the following: |
|
|
start-time date/time: yyyy-mm-ddThh:mm:ss |
Specify the start time for the log file. |
|
end-time date/time: yyyy-mm-ddThh:mm:ss |
Specify the end time for the log file. |
|
duration duration: #d#h#m#s |
Specify the duration of the log file. |
|
Specify any of the following parameters to view the information related to those parameters: |
|
|
program program-string |
Specify the program that generates log messages. |
|
pid pid-number |
Specify the product ID generating the log messages. |
|
name name-string |
Specify the message name. |
|
code code-number |
Specify the message code. |
|
level critical|error|warn|note|info |
Specify the severity level of audit log messages. |
|
vnet vnet-name |
Specify the associated VNET. |
|
remote_switch node name |
Specify the name of the remote switch. |
|
client-pid client-pid-number |
Specify the client product ID. |
|
client-addr ip-address |
Specify the client IP address. |
|
port port-number |
Specify the port number. |
|
vlan vlan-id |
Specify the VLAN ID as a value between 2 and 4092. |
|
bd bridge-domain name |
Specify the bridge domain. |
|
vxlan vxlan-id |
Specify the VXLAN ID. |
|
count number 1..50000 |
Specify the number of events to be displayed in a range from 1 to 50000. |
|
starting-point starting-point-number |
Specify the starting point of the log audit. |
|
length length-number |
Specify the length of the log audit. |
|
reverse|no-reverse |
Use this option to enable or disable displaying the messages in reverse order. |
For example:
CLI (network-admin@leaf1) > log-audit-show count 2 layout vertical
category: audit
time: 2020-07-29,07:21:09.297988-07:00
name: login
code: 11099
level: info
user: network-admin
client-addr: 10.140.0.158
message: login
category: audit
time: 2020-07-29,07:21:25.593283-07:00
name: user_command
code: 11001
level: info
user: network-admin
client-addr: 10.140.0.158
message: Command "vflow-delete name span1" result success
Exceptions for Audit Logging
When Netvisor ONE supports a command for auditing, the command is added to the audit log and sent to the TACACS+ server as authorization and accounting messages.The commands log-audit-exception-create, log-audit-exception-delete, and log-audit-exception-show are used to control which CLI, shell, and vtysh commands are audited.
CLI (network-admin@Spine1) > log-audit-exception-create
|
log-audit-exception-create |
Create an audit logging exception. |
|
cli|shell|vtysh |
Specify the type of audit exception. |
|
pattern pattern-string |
Specify a regular expression to match exceptions. |
|
any|read-only|read-write |
Specify the access type to match exceptions. |
|
scope local|fabric |
Specify the scope of exceptions. |
CLI (network-admin@Spine1) > log-audit-exception-delete
|
log-audit-exception-delete |
Delete an audit logging exception. |
|
cli|shell|vtysh |
Specify the type of audit exception. |
|
pattern pattern-string |
Specify a regular expression to match exceptions. |
|
any|read-only|read-write |
Specify the access type to match exceptions. |
CLI (network-admin@Spine1) > log-audit-exception-show
|
log-audit-exception-show |
Display audit logging exceptions. |
|
cli|shell|vtysh |
Display the type of audit exception. |
|
pattern pattern-string |
Display a regular expression to match exceptions. |
|
any|read-only|read-write |
Display the access type to match exceptions. |
|
scope local|fabric |
Display the scope of exceptions. |
By default, Netvisor ONE audits every command except for read-only CLI commands and shell commands with ^/usr/bin/nvmore pattern which is the pager for Netvisor ONE CLI:
CLI (network-admin@switch) > log-audit-exception-show
switch type pattern access scope
------ ----- ---------------- --------- -----
switch cli read-only local
switch shell ^/usr/bin/nvmore any local
To enable auditing of all CLI commands, you can delete the cli/read-only exception:
CLI (network-admin@switch) > log-audit-exception-delete cli read-only
Modifying User Roles
You can impart privileges to a user through the role-create command. To add shell access to a user’s role, use the following syntax:
CLI (network-admin@switch) > role-create name role1 scope local shell
|
role-create |
Create a user role. |
|
name name-string |
Specify a name for the user role. |
|
scope local|fabric |
Specify a scope for the user role. |
|
Specify one or more of the following options: |
|
|
access read-only|read-write |
Specify the type of access for the user role. The default is read-write. |
|
running-config|no-running-config |
Specify if the user role allows access to the switch running configuration. |
|
shell|no-shell |
Specify if the user role allows access to the shell. |
|
sudo|no-sudo |
Specify if the user role allows the sudo command. |
The role-modify command can be used to modify a user role configuration.