Skip to main content

Arista Switch

Modeling & Parsing Rules for Arista EOS Switch Events Logs.

Arista Switch

This pack includes Cortex XSIAM content.

Configuration on Server Side

This section describes the basic mandatory steps you should perform on Arista's switch in order to forward the audited event logs to XSIAM via Syslog.
In addition, you may wish to customize the logging level and logging format of the audited events as described below.

Configure Syslog forwarding

Arista's switch supports forwarding the audited events to a remote Syslog server. This is done via the logging host command.

Follow these steps to configure forwarding of event logs from an Arista switch to an XSIAM Syslog Broker VM via UDP:

  1. Connect to the switch CLI (Command Line Interface).
  2. Type enable (or en) to enter the Privileged EXEC command mode, followed by the password if prompted.
  3. Type configure (or config) to enter the Global Configuration command mode.
  4. Type logging host <IP\> <Port\> where <IP\> and <Port\> are the corresponding IP address and port of the XSIAM Syslog Broker VM.
  5. Type write (or running-config startup-config) to commit the updated configuration settings to the start-up configuration file.
  6. Type exit to exit the Global Configuration command mode and return back to the Privileged EXEC command mode.
  7. Type exit again to terminate the session.

Bellow is an example execution of the commands above:

   switch> enable
   switch# configure
   switch(config)# logging host 514
   switch(config)# write
   switch(config)# exit
   switch# exit


Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the apps tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and then click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following values:
    | Parameter | Value
    | :--- | :---
    | Protocol | The protocol that was defined in the Syslog configuration on the Arista switch (UDP for the default or Secure TCP for the Syslog with TLS Support configuration.
    | Port | The Syslog service port that was defined in the Syslog configuration on the Arista switch.
    | Vendor | Enter Arista.
    | Product | Enter Switch.




Cortex XSIAM


CertificationRead more
Supported ByCortex
CreatedMay 30, 2023
Last ReleaseJuly 17, 2023

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.