cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1326
Views
0
Helpful
8
Replies

command logging

Rodney-roberts
Level 1
Level 1

is there a way to have a switch send a copy of the commands enterned into it, to a syslog server or in ACS. i want to have a logg of what commands where entered a switch and by who. i have LMS 2.6 and ACS 3.3.... any ideas

8 Replies 8

akemp
Level 5
Level 5

with ACS 3.3 (got some serious bugs, you might want to conside upgrading to 4.1.3 build 12 patch 2) and LMS 2.6 you've got a good set of things to work with. Just enable TACACS+ in your AAA configuration for authorization, authentication and accounting and that information is automatically populated in the TACACS+ log file. Source, device, whom, when .. its all there.

If you supply a model of switch we can give you a sample for your configuration.

I have acs sending me when a person logs in with there username, I also have rme sending me a email when the config is changed. but where do I get the exact commands they entered, I'm looking for something like the show history output. I need a email kicked off. a trap sent to my mars.

Hmm your asking a bit much for ACS to do all of that, you'll need a third party app to parse your logs. I can recomend AAA-Reports! with the automation module (free demo) to provide some of the functionality you listed. I use it for reporting on some 5,500 devices.

The log you're loooking for is under Reports and Activity, TACACS+ Administration which lists (when you enable the fields) :

Date Time User-Name Group-Name cmd priv-lvl service NAS-Portname task_id NAS-IP-Address reason Caller-Id Acct-Flags Acct-Method Acct-Type Acct-Service

You can simple sort the output in excel (tm)by the user name field to get a per user listing of all the commands they entered.

thanks for the recomendation, i'll take a look at that app. i think i have a problem with my tacas+ accounting. i'm told thats where the command by command loggs are kept.

The tacacs+ accounting log only contains the start and stop messages for TACACS+ sessions... for a complete picture you need to correlate both logs for a picture of when a session started fromt the accounting log, what commands were issued from the administration log, and when the session concluded from the accounting log.

i checked the application out, and it looks to do the same thing as my mars box does.

any suggestions on how i can get a command by command logg, even if its outside of ACS ?

Rodney

If the switch is configured correctly then there should be entries in the ACS administrative logs showing the commands. I am not clear from your post whether this is working, but assume that it is not. This makes me assume that either your switch is not configured correctly or that your ACS is not doing the administrative logs correctly. Can you post the configuration of the switch?

HTH

Rick

HTH

Rick

i have the problem resolved, i ended up being a combination of two things, i needed to have the TACACS+ Administration logging enabled in the correct way, and reported to my MARS box to send me the emails, thank you all for your help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: