Using AAA to log all commands from users on Arista EOS


Introduction

Some users of Arista Networks EOS may want to log all commands executed on a switch. This article explains how to use AAA without TACACS or RADIUS to provide accounting of all commands to the system log. The log can then be sent off to a syslog server or even sent to Splunk using the Arista EOS splunk extension.

For more information about the Splunk app for Arista EOS click here.

Setup

First, it is important to create a user account for each switch administrator. Without a separate account for each administrator it will be impossible to retain accurate accounting of which commands were entered by each user. In this simple case we will create users Josh and Alexis and set their password to “foo”. You can also implement an RBAC scheme to enable just the right amount of access to each user.

Switch(config)# username josh privilege 15 secret 0 foo
Switch(config)# username alexis privilege 15 secret 0 foo

The following commands enable accounting of all commands and of login (exec) sessions, both for remote sessions and for sessions attached through the console. The ‘start-stop’ keyword writes a notice to the log when a session or command starts as well as when it stops. Use ‘stop-only’ if you only want a record when it completes successfully. The ‘logging’ keyword at the end tells EOS to send the accounting messages to the system log. Other destinations include ‘group radius’ and ‘group tacacs+’, for example. See the manual for a full explanation of AAA options.

Switch(config)# aaa accounting commands all console start-stop logging
Switch(config)# aaa accounting commands all default start-stop logging
Switch(config)# aaa accounting exec console start-stop logging
Switch(config)# aaa accounting exec default start-stop logging
Switch(config)# copy running-config startup-config

Now, we can log in as Josh and execute a few commands.

macbookpro-arista:~ chines$ ssh josh@Switch
Password:
Switch> en
Switch# conf t
Switch(config)# int et6-8
Switch(config-if-Et6-8)# mtu 1500
Switch(config-if-Et6-8)# mtu 9000
Switch(config-if-Et6-8)# show user-account
user: admin
       role: network-admin
       privilege level: 1
user: alexis
       role: 
       privilege level: 15
user: chines
       role: network-admin
       privilege level: 15
user: josh
       role: 
       privilege level: 15

To be sure, we will log in as Alexis and issue a few more commands.

macbookpro-arista:~ chines$ ssh alexis@Switch
Password:
Last login: Wed Dec 31 09:05:17 2014 from macbookpro-arista.local
Switch> en
Switch# conf t
Switch(config)# ip name-server 8.8.8.8
Switch(config)# int et6
Switch(config-if-Et6)# no switchport
Switch(config-if-Et6)# ip address 10.0.200.1/24

Ok, now that we have a lot of commands executed by two different users, let’s see what the logs show:

Dec 31 09:02:21 Switch Aaa: %ACCOUNTING-5-EXEC: Switch josh ssh macbookpro-arista.local start task_id=11 start_time=1420038141 timezone=CST service=shell
Dec 31 09:02:24 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=12 start_time=1420038144.96 timezone=CST service=shell priv-lvl=1 cmd=enable 
Dec 31 09:02:27 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=13 start_time=1420038147.49 timezone=CST service=shell priv-lvl=15 cmd=configure terminal 
Dec 31 09:02:27 Switch Cli: %SYS-5-CONFIG_E: Enter configuration mode from console by josh on vty5 (10.0.2.100)
Dec 31 09:02:33 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=14 start_time=1420038153.49 timezone=CST service=shell priv-lvl=15 cmd=interface Et6-8
Dec 31 09:02:38 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=15 start_time=1420038158.49 timezone=CST service=shell priv-lvl=15 cmd=mtu 1500 
Dec 31 09:02:41 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=16 start_time=1420038161.3 timezone=CST service=shell priv-lvl=15 cmd=mtu 9000 
ta.local stop task_id=17 start_time=1420038172.6 timezone=CST service=shell priv-lvl=15 cmd=show user-account 
Dec 31 09:05:09 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=18 start_time=1420038309.23 timezone=CST service=shell priv-lvl=15 cmd=exit 
Dec 31 09:05:10 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=19 start_time=1420038310.29 timezone=CST service=shell priv-lvl=15 cmd=exit 
Dec 31 09:05:10 Switch Cli: %SYS-5-CONFIG_I: Configured from console by josh on vty5 (10.0.2.100)
Dec 31 09:05:11 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=20 start_time=1420038311.33 timezone=CST service=shell priv-lvl=15 cmd=exit 
Dec 31 09:05:11 Switch Aaa: %ACCOUNTING-5-EXEC: Switch josh ssh macbookpro-arista.local stop task_id=11 start_time=1420038141 timezone=CST service=shell elapsed_time=169.562068102
Dec 31 09:05:26 Switch Aaa: %ACCOUNTING-5-EXEC: Switch alexis ssh macbookpro-arista.local stop task_id=21 start_time=1420038317 timezone=CST service=shell elapsed_time=9.10798826
Dec 31 09:05:29 Switch Aaa: %ACCOUNTING-5-EXEC: Switch alexis ssh macbookpro-arista.local start task_id=26 start_time=1420038329 timezone=CST service=shell
Dec 31 09:05:31 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=27 start_time=1420038331.6 timezone=CST service=shell priv-lvl=1 cmd=enable 
Dec 31 09:05:33 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=28 start_time=1420038333.22 timezone=CST service=shell priv-lvl=15 cmd=configure terminal 
Dec 31 09:05:33 Switch Cli: %SYS-5-CONFIG_E: Enter configuration mode from console by alexis on vty5 (10.0.2.100)
ista.local stop task_id=29 start_time=1420038345.33 timezone=CST service=shell priv-lvl=15 cmd=ip name-server 8.8.8.8 
Dec 31 09:05:47 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=30 start_time=1420038347.49 timezone=CST service=shell priv-lvl=15 cmd=interface Et6 
Dec 31 09:05:53 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=31 start_time=1420038353.69 timezone=CST service=shell priv-lvl=15 cmd=no switchport 
Dec 31 09:06:00 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=32 start_time=1420038360.89 timezone=CST service=shell priv-lvl=15 cmd=ip address 10.0.200.1/24
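To make these records useful on the syslog or Splunk side, here is an added example in Python (not code from the article or from Arista) that parses the %ACCOUNTING-5-EXEC and %ACCOUNTING-6-CMD lines shown above into per-user command lists, and counts truncated records rather than silently dropping them. The regular expression assumes the field order seen in this excerpt; the sample lines are constructed from it.

```python
import re

# Matches the %ACCOUNTING-5-EXEC and %ACCOUNTING-6-CMD records that EOS writes
# to syslog when "aaa accounting ... logging" is enabled (field order as shown above).
ACCT_RE = re.compile(
    r"%ACCOUNTING-\d-(?P<kind>EXEC|CMD): \S+ (?P<user>\S+) (?P<proto>\S+) "
    r"(?P<host>\S+) (?P<phase>start|stop) (?P<attrs>.*)$"
)

def parse_line(line):
    """Return one accounting record as a dict, or None if the line is not one."""
    m = ACCT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # cmd= is the last attribute and may contain spaces, so split it off first
    head, sep, cmd = rec.pop("attrs").partition("cmd=")
    if sep:
        rec["cmd"] = cmd.strip()
    for tok in head.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec

def summarize(lines):
    """Group executed commands by user: ({user: [(priv_lvl, cmd), ...]}, damaged).
    A line carrying accounting attributes (task_id=) but no parsable header is
    counted as damaged, i.e. reported as a gap in the audit trail, not ignored."""
    per_user = {}
    damaged = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if "task_id=" in line:
                damaged += 1
            continue
        if rec["kind"] == "CMD":
            per_user.setdefault(rec["user"], []).append((int(rec["priv-lvl"]), rec["cmd"]))
    return per_user, damaged

# Constructed sample: three records copied from the excerpt above, one unrelated
# Cli line, and one truncated record like the two that appear in the excerpt.
SAMPLE = [
    "Dec 31 09:02:21 Switch Aaa: %ACCOUNTING-5-EXEC: Switch josh ssh macbookpro-arista.local start task_id=11 start_time=1420038141 timezone=CST service=shell",
    "Dec 31 09:02:27 Switch Aaa: %ACCOUNTING-6-CMD: Switch josh ssh macbookpro-arista.local stop task_id=13 start_time=1420038147.49 timezone=CST service=shell priv-lvl=15 cmd=configure terminal ",
    "Dec 31 09:02:27 Switch Cli: %SYS-5-CONFIG_E: Enter configuration mode from console by josh on vty5 (10.0.2.100)",
    "ta.local stop task_id=17 start_time=1420038172.6 timezone=CST service=shell priv-lvl=15 cmd=show user-account ",
    "Dec 31 09:06:00 Switch Aaa: %ACCOUNTING-6-CMD: Switch alexis ssh macbookpro-arista.local stop task_id=32 start_time=1420038360.89 timezone=CST service=shell priv-lvl=15 cmd=ip address 10.0.200.1/24",
]
```

Feeding the full log to summarize() gives one list per administrator, which is exactly the per-user trail the separate accounts in the setup step were created for.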

Reference

Please see chapter 4 of the Arista Networks EOS manual for more information on the full AAA feature set including the use of roles to enable granular control of authorization within your environment. You can also enable RADIUS or TACACS to provide centralized authentication and integration with existing access control systems in your environment.

Summary

As you can see, it is very simple to set up basic accounting on an Arista switch running EOS. Be sure to set up a syslog service or another method of writing the logs to an external device or to a local SSD on the switch: the local log rolls over fairly quickly and does not survive a reload. Make sure the logs reach a protected destination, especially if the goal is to meet compliance requirements and/or company policies regarding accounting and records retention.
