02-02-2007 10:54 AM - edited 03-09-2019 05:20 PM
Hello,
I have a problem when an admin logged in to a router it doesn't show when that person logged in. It only show when he do a change on a router and do wr memory. Here is config I have. Please help. Thanks
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
logging buffered 4096 debugging
logging console informational
logging monitor informational
logging facility local6
logging source-interface FastEthernet0/0
logging 10.17.84.7
02-02-2007 12:02 PM
I've only seen what you are asking for when an authentication server such as a TACACS server was being used.
The config you have shown the forum will only display in the config when a change is made on the router and/or when a config is saved to memory.
Hope this helps.
02-02-2007 01:57 PM
Can that be configure on a cisco router or it a seprate server on a nother machine? Thanks
02-03-2007 10:49 AM
This is what you're looking for:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm
This will log a syslog event anytime an admin user attempts login via vty or console. We use it on all of our devices and it works great. There is an example of this on my blog below and integrating it with CS-MARS.
HTH
-Mike
02-04-2007 11:16 AM
you need AAA accounting for this. Here is how:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 TAC start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 TAC start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 10 TAC start-stop group tacacs+
aaa accounting commands 15 TAC start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection TAC start-stop group tacacs+
aaa session-id common
line vty 0 15
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
You can see everything what the user is doing via tacacs accounting log
02-18-2007 07:41 PM
I'm not sure which version IOS you are running but 12.3(4) and up have config change logging and notification built-in already. You would just have to enable that feature.
To enable this just enter:
Config Mode
logging enable
archive
log config
hidekeys (hides passwords)
notify syslog
With this you can base alerts off what is sent to the syslog server.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide