cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
361
Views
0
Helpful
5
Replies

Logging on a router

tung
Level 1
Level 1

Hello,

I have a problem when an admin logged in to a router it doesn't show when that person logged in. It only show when he do a change on a router and do wr memory. Here is config I have. Please help. Thanks

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

logging buffered 4096 debugging

logging console informational

logging monitor informational

logging facility local6

logging source-interface FastEthernet0/0

logging 10.17.84.7

5 Replies 5

pmccubbin
Level 5
Level 5

I've only seen what you are asking for when an authentication server such as a TACACS server was being used.

The config you have shown the forum will only display in the config when a change is made on the router and/or when a config is saved to memory.

Hope this helps.

Can that be configure on a cisco router or it a seprate server on a nother machine? Thanks

wiluszm
Level 1
Level 1

This is what you're looking for:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm

This will log a syslog event anytime an admin user attempts login via vty or console. We use it on all of our devices and it works great. There is an example of this on my blog below and integrating it with CS-MARS.

HTH

-Mike

http://cs-mars.blogspot.com

daviddtran
Level 1
Level 1

you need AAA accounting for this. Here is how:

aaa new-model

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec TAC start-stop group tacacs+

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 TAC start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 TAC start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 10 TAC start-stop group tacacs+

aaa accounting commands 15 TAC start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection TAC start-stop group tacacs+

aaa session-id common

line vty 0 15

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

login authentication VTY

You can see everything what the user is doing via tacacs accounting log

I'm not sure which version IOS you are running but 12.3(4) and up have config change logging and notification built-in already. You would just have to enable that feature.

To enable this just enter:

Config Mode

logging enable

archive

log config

hidekeys (hides passwords)

notify syslog

With this you can base alerts off what is sent to the syslog server.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: