Configuring Audit Logging


Audit logging includes messages for user login or logout, authorization and denial of sessions or commands by TACACS+ server, audit drops, and commands run internally or by the user, among others. To view audit log Information, enter the following command:


CLI (network-admin@Leaf1) > log-audit-show

log-audit-show

Display audit log information.

Specify up to two options from the following:


start-time date/time: yyyy-mm-ddThh:mm:ss

Specify the start time for the log file.

end-time date/time: yyyy-mm-ddThh:mm:ss

Specify the end time for the log file.

duration duration: #d#h#m#s

Specify the duration of the log file.

Specify any of the following parameters to view the information related to those parameters:

program program-string

Specify the program that generates log messages.

pid pid-number

Specify the product ID generating the log messages.

name name-string

Specify the message name.

code code-number

Specify the message code.

level critical|error|warn|note|info

Specify the severity level of audit log messages.

vnet vnet-name

Specify the associated VNET.

remote_switch node name

Specify the name of the remote switch.

client-pid client-pid-number

Specify the client product ID.

client-addr ip-address

Specify the client IP address.

port port-number

Specify the port number.

vlan vlan-id

Specify the VLAN ID as a value between 2 and 4092.

bd bridge-domain name

Specify the bridge domain.

vxlan vxlan-id

Specify the VXLAN ID.

count number 1..50000

Specify the number of events to be displayed in a range from 1 to 50000.

starting-point starting-point-number

Specify the starting point of the log audit.

length length-number

Specify the length of the log audit.

reverse|no-reverse

Use this option to enable or disable displaying the messages in reverse order.

 

For example:

CLI (network-admin@leaf1) > log-audit-show count 2 layout vertical

category:         audit

time:             2020-07-29,07:21:09.297988-07:00

name:             login

code:             11099

level:            info

user:             network-admin

client-addr:      10.140.0.158

message:          login

category:         audit

time:             2020-07-29,07:21:25.593283-07:00

name:             user_command

code:             11001

level:            info

user:             network-admin

client-addr:      10.140.0.158

message:          Command "vflow-delete name span1" result success


Exceptions for Audit Logging


When NetVisor OS supports a command for auditing, the command is added to the audit log and sent to the TACACS+ server as authorization and accounting messages.The commands log-audit-exception-create, log-audit-exception-delete, and log-audit-exception-show are used to control which CLI, shell, and vtysh commands are audited.


CLI (network-admin@Spine1) > log-audit-exception-create

 

log-audit-exception-create

Create an audit logging exception.

cli|shell|vtysh

Specify the type of audit exception.

pattern pattern-string

Specify a regular expression to match exceptions.

any|read-only|read-write

Specify the access type to match exceptions.

scope local|fabric

Specify the scope of exceptions.

 

CLI (network-admin@Spine1) > log-audit-exception-delete

 

log-audit-exception-delete

Delete an audit logging exception.

cli|shell|vtysh

Specify the type of audit exception.

pattern pattern-string

Specify a regular expression to match exceptions.

any|read-only|read-write

Specify the access type to match exceptions.

 

CLI (network-admin@Spine1) > log-audit-exception-show

 

log-audit-exception-show

Display audit logging exceptions.

cli|shell|vtysh

Display the type of audit exception.

pattern pattern-string

Display a regular expression to match exceptions.

any|read-only|read-write

Display the access type to match exceptions.

scope local|fabric

Display the scope of exceptions.

 

By default, NetVisor OS audits every command except for read-only CLI commands and  shell commands with ^/usr/bin/nvmore pattern which is the pager for NetVisor OS CLI:

 

CLI (network-admin@switch) > log-audit-exception-show

 

switch type  pattern          access    scope

------ ----- ---------------- --------- -----

switch cli                    read-only local

switch shell ^/usr/bin/nvmore any       local

 

To enable auditing of all CLI commands, you can delete the cli/read-only exception:

 

CLI (network-admin@switch) > log-audit-exception-delete cli read-only

 

Modifying User Roles


You can impart privileges to a user through the role-create command. To add shell access to a user’s role, use the following syntax:


CLI (network-admin@switch) > role-create name role1 scope local shell


role-create

Create a user role.

name name-string

Specify a name for the user role.

scope local|fabric

Specify a scope for the user role.

Specify one or more of the following options:

access read-only|read-write

Specify the type of access for the user role. The default is read-write.

running-config|no-running-config   

Specify if the user role allows access to the switch running configuration.

shell|no-shell

Specify if the user role allows access to the shell.

sudo|no-sudo

Specify if the user role allows the sudo command.

 

The role-modify command can be used to modify a user role configuration.


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south