command logging

Unanswered Question
Jul 2nd, 2007

Is there a way to have a switch send a copy of the commands entered into it to a syslog server or to ACS? I want to have a log of what commands were entered on a switch and by whom. I have LMS 2.6 and ACS 3.3.... any ideas?

With ACS 3.3 (it has some serious bugs, you might want to consider upgrading to 4.1.3 build 12 patch 2) and LMS 2.6 you've got a good set of things to work with. Just enable TACACS+ in your AAA configuration for authorization, authentication and accounting, and that information is automatically populated in the TACACS+ log file. Source, device, who, when... it's all there.

If you supply a model of switch we can give you a sample for your configuration.

Rodney-roberts Mon, 07/02/2007 - 13:42

I have ACS sending me a message when a person logs in with their username, and I also have RME sending me an email when the config is changed. But where do I get the exact commands they entered? I'm looking for something like the show history output. I need an email kicked off, a trap sent to my MARS.

Hmm, you're asking a bit much for ACS to do all of that; you'll need a third-party app to parse your logs. I can recommend AAA-Reports! with the automation module (free demo) to provide some of the functionality you listed. I use it for reporting on some 5,500 devices.

The log you're looking for is under Reports and Activity, TACACS+ Administration, which lists (when you enable the fields):

Date Time User-Name Group-Name cmd priv-lvl service NAS-Portname task_id NAS-IP-Address reason Caller-Id Acct-Flags Acct-Method Acct-Type Acct-Service

You can simply sort the output in Excel (tm) by the User-Name field to get a per-user listing of all the commands they entered.

Rodney-roberts Tue, 07/03/2007 - 04:52

Thanks for the recommendation, I'll take a look at that app. I think I have a problem with my TACACS+ accounting. I'm told that's where the command-by-command logs are kept.

The TACACS+ accounting log only contains the start and stop messages for TACACS+ sessions... for a complete picture you need to correlate both logs: when a session started from the accounting log, what commands were issued from the administration log, and when the session concluded from the accounting log.
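The correlation described above, and the per-user sort suggested earlier in the thread, as an added example that is not part of the original discussion or of any Cisco tool: a small Python script that pairs start/stop records from an accounting export into sessions, attaches each command record from the administration export to the session it was issued in, and reports commands that match no session (the symptom of accounting not being configured on the switch). The column names follow the list quoted earlier in the thread; the CSV layout, the sample rows, the user names and the 10.0.0.5 address are all constructed here, and the script makes no claim about the exact file format ACS 3.3 writes.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a "TACACS+ Administration" export (one record per
# authorized command). Column names follow the thread; values are made up.
ADMIN_LOG = """\
Date,Time,User-Name,Group-Name,cmd,priv-lvl,NAS-IP-Address,NAS-Portname,task_id
07/05/2007,12:01:05,rroberts,netadmins,show running-config <cr>,15,10.0.0.5,tty2,17
07/05/2007,12:01:40,rroberts,netadmins,configure terminal <cr>,15,10.0.0.5,tty2,18
07/05/2007,12:02:02,rroberts,netadmins,interface GigabitEthernet0/1 <cr>,15,10.0.0.5,tty2,19
07/05/2007,12:02:15,rroberts,netadmins,shutdown <cr>,15,10.0.0.5,tty2,20
07/05/2007,12:03:10,jsmith,helpdesk,show interfaces status <cr>,1,10.0.0.5,tty3,21
07/05/2007,12:30:00,rroberts,netadmins,show version <cr>,15,10.0.0.5,tty4,30
"""

# Constructed sample of a "TACACS+ Accounting" export: only EXEC session
# start/stop records, which is why commands cannot be read from this log alone.
# Note there is no session covering the 12:30 command on tty4.
ACCT_LOG = """\
Date,Time,User-Name,NAS-IP-Address,NAS-Portname,Acct-Flags,task_id
07/05/2007,12:00:58,rroberts,10.0.0.5,tty2,start,16
07/05/2007,12:03:05,jsmith,10.0.0.5,tty3,start,21
07/05/2007,12:05:11,rroberts,10.0.0.5,tty2,stop,16
07/05/2007,12:07:00,jsmith,10.0.0.5,tty3,stop,21
"""


def parse_log(text):
    """Parse a CSV export into dicts, adding a datetime under the key 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def build_sessions(acct_rows):
    """Pair start/stop accounting records into sessions.

    A session is identified by (user, NAS, port, task_id). A start that never
    sees its stop is kept with stop=None (still open, or the stop was lost)."""
    open_sessions = {}
    sessions = []
    for row in sorted(acct_rows, key=lambda r: r["ts"]):
        key = (row["User-Name"], row["NAS-IP-Address"], row["NAS-Portname"], row["task_id"])
        if row["Acct-Flags"] == "start":
            open_sessions[key] = {"user": key[0], "nas": key[1], "port": key[2],
                                  "start": row["ts"], "stop": None, "commands": []}
        elif row["Acct-Flags"] == "stop" and key in open_sessions:
            open_sessions[key]["stop"] = row["ts"]
            sessions.append(open_sessions.pop(key))
    sessions.extend(open_sessions.values())
    return sessions


def correlate(admin_rows, sessions):
    """Attach each command record to the session (same user, NAS and line,
    timestamp inside the start/stop window) it was issued in.
    Returns the sessions plus the command records that matched nothing."""
    unmatched = []
    for row in sorted(admin_rows, key=lambda r: r["ts"]):
        for s in sessions:
            same_line = (s["user"], s["nas"], s["port"]) == (
                row["User-Name"], row["NAS-IP-Address"], row["NAS-Portname"])
            in_window = s["start"] <= row["ts"] and (s["stop"] is None or row["ts"] <= s["stop"])
            if same_line and in_window:
                s["commands"].append((row["ts"], int(row["priv-lvl"]), row["cmd"]))
                break
        else:
            unmatched.append(row)
    return sessions, unmatched


def commands_by_user(admin_rows):
    """Per-user command listing: the same view as sorting the export by User-Name."""
    by_user = defaultdict(list)
    for row in sorted(admin_rows, key=lambda r: (r["User-Name"], r["ts"])):
        by_user[row["User-Name"]].append(row["cmd"])
    return dict(by_user)


def report():
    """Print one block per session, then any commands with no accounting session."""
    sessions, unmatched = correlate(parse_log(ADMIN_LOG), build_sessions(parse_log(ACCT_LOG)))
    for s in sessions:
        print(f"{s['user']} on {s['nas']} {s['port']}: {s['start']} -> {s['stop']}")
        for ts, priv, cmd in s["commands"]:
            print(f"    {ts.time()} priv {priv:>2}  {cmd}")
    for row in unmatched:
        print(f"NO SESSION: {row['User-Name']} {row['NAS-Portname']} {row['Time']} {row['cmd']}")
    return sessions, unmatched


if __name__ == "__main__":
    report()
```

A command that lands in the "NO SESSION" list is exactly the case discussed in this thread: the switch is sending command authorization records but no EXEC accounting records for that line, so the session boundaries are missing and the administration log is the only evidence of the activity.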

Rodney-roberts Tue, 07/03/2007 - 07:37

I checked the application out, and it looks to do the same thing as my MARS box does.

Any suggestions on how I can get a command-by-command log, even if it's outside of ACS?

Richard Burts Thu, 07/05/2007 - 12:30

If the switch is configured correctly then there should be entries in the ACS administrative logs showing the commands. I am not clear from your post whether this is working, but assume that it is not. This makes me assume that either your switch is not configured correctly or that your ACS is not doing the administrative logs correctly. Can you post the configuration of the switch?

Rodney-roberts Thu, 07/05/2007 - 12:42

I have the problem resolved. It ended up being a combination of two things: I needed to have the TACACS+ Administration logging enabled in the correct way, and reported to my MARS box to send me the emails. Thank you all for your help.

