This pack includes Cortex XSIAM content.
Configuration on Server Side
This section describes the basic mandatory steps you should perform on an Arista switch in order to forward the audited event logs to XSIAM via Syslog.
In addition, you may wish to customize the logging level and logging format of the audited events, as described below.
Configure Syslog forwarding
Arista switches support forwarding the audited events to a remote Syslog server. This is done via the logging host command.
Follow these steps to configure forwarding of event logs from an Arista switch to an XSIAM Syslog Broker VM over UDP:
- Connect to the switch CLI (Command Line Interface).
- Type enable (or en) to enter the Privileged EXEC command mode, followed by the password if prompted.
- Type configure (or config) to enter the Global Configuration command mode.
- Type logging host <IP> <Port>, where <IP> and <Port> are the IP address and port of the XSIAM Syslog Broker VM.
- Type write (or copy running-config startup-config) to commit the updated configuration settings to the start-up configuration file.
- Type exit to leave the Global Configuration command mode and return to the Privileged EXEC command mode.
- Type exit again to terminate the session.
Below is an example execution of the commands above:
```
switch> enable
Password:
switch# configure
switch(config)# logging host 192.168.0.10 514
switch(config)# write
switch(config)# exit
switch# exit
```
By default, the logging host command described above configures Syslog forwarding over UDP, which is unauthenticated and unencrypted. If you wish to forward the event logs via a secure channel over TCP, refer to the documentation in the following links:
You may wish to customize the logging level to filter events from a certain level and/or facility. See Understanding Logging Levels for additional details.
By default, the timestamps in the generated event logs are specified in the traditional RFC 3164 syslog format, which includes neither a year nor a timezone, so the collector has to infer both. It is recommended that you override this default and configure the switch to forward the Syslog messages in RFC 5424 format, whose header carries a high-resolution RFC 3339 timestamp that does include a year and a timezone offset. This configuration is done from the Global Configuration command mode via the logging format command. See Syslog Logging Format for additional details.
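To make the timestamp difference concrete, the following parser handles one event written in both header formats. This is an added example, not code from the pack or from Arista: the two sample lines are constructed to resemble EOS output (hostname, process name and message text are invented), and the pin_year logic shows what a collector must do for RFC 3164 input, guessing the year from the time of receipt and leaving the timezone unknown, while the RFC 5424 line parses without guesswork.

```python
"""Parse Arista-style syslog lines in RFC 3164 and RFC 5424 form.

Added example; not code from the original pack or from Arista. The sample
lines are constructed to resemble EOS output and were not captured from a
switch. The point is the header timestamp: RFC 3164 has no year and no
timezone, so the collector must guess both, while RFC 5424 carries an
RFC 3339 timestamp that needs no guessing.
"""
import re
from datetime import datetime

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# Constructed samples: the same event as the switch would emit it in each format.
SAMPLE_RFC3164 = (
    "<189>Jan 10 10:12:43 leaf1 Ebra: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface Ethernet1, changed state to down"
)
SAMPLE_RFC5424 = (
    "<189>1 2024-01-10T10:12:43.218371+00:00 leaf1 Ebra 1234 - - "
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1, changed state to down"
)


def split_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so 189 is facility 23 (local7), severity 5."""
    return pri // 8, pri % 8


def pin_year(ts_text: str, received_at: datetime) -> datetime:
    """Attach a year to an RFC 3164 timestamp using the (naive) time of receipt.

    The header has no year, so start from the receiver's year; if that places
    the event in the future (e.g. 'Dec 31 23:59:59' received on Jan 1), the
    message belongs to the previous year. The result stays naive because the
    header carries no timezone to attach.
    """
    ts = datetime.strptime(f"{received_at.year} {ts_text}", "%Y %b %d %H:%M:%S")
    if ts > received_at:
        ts = ts.replace(year=received_at.year - 1)
    return ts


def parse(line: str, received_at=None) -> dict:
    """Parse one syslog line and report what its header actually tells us.

    received_at may be a naive datetime or an ISO 8601 string; it is only
    needed for RFC 3164 input and defaults to now.
    """
    if isinstance(received_at, str):
        received_at = datetime.fromisoformat(received_at)
    m = RFC5424_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"])  # RFC 3339: year and UTC offset are explicit
        facility, severity = split_pri(int(m["pri"]))
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": ts, "year_known": True, "tz_known": ts.tzinfo is not None,
                "host": m["host"], "app": m["app"], "msg": m["msg"]}
    m = RFC3164_RE.match(line)
    if m:
        ts = pin_year(m["ts"], received_at or datetime.now())
        facility, severity = split_pri(int(m["pri"]))
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": ts, "year_known": False, "tz_known": False,
                "host": m["host"], "app": None, "msg": m["msg"]}
    raise ValueError(f"unrecognised syslog line: {line!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_RFC3164, SAMPLE_RFC5424):
        r = parse(sample, received_at="2024-01-10T10:12:50")
        print(r["format"], r["timestamp"].isoformat(),
              f"year_known={r['year_known']} tz_known={r['tz_known']}")
```

Run it directly to see the two parses side by side. The RFC 3164 result is only as good as the collector's guess: if the switch clock and the broker are in different timezones, or a message is delayed across a year boundary, nothing in the header lets the collector recover the correct instant, which is why the RFC 5424 setting is recommended before events are correlated in XSIAM.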
The configuration described above is brief and basic. For the full documentation, see the latest Arista Configuration Guide for your switch version. In addition, you may find the following links useful:
- EOS Logging Explained.
- Understanding Logging Levels.
- Logging - Basic Syslog and Beyond.
- System and Process Logging.
- Reacting to syslog-triggered events.
- Syslog message generation on MAC table changes.
- Using AAA to log all commands from users on Arista EOS.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance as follows.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the apps tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values:
| Parameter | Value |
| :--- | :--- |
| Protocol | The protocol that was defined in the Syslog configuration on the Arista switch (UDP for the default configuration, or Secure TCP for the Syslog with TLS support configuration). |
| Port | The Syslog service port that was defined in the Syslog configuration on the Arista switch. |
| Vendor | Enter Arista. |
| Product | Enter Switch. |