Syslog all commands

Unanswered Question
Aug 3rd, 2007

Is there a way in a 3560, 3750 switch and 3845, and 2811 router to tell it to send all config commands someone is typing on the router to a syslog server? Is this only available in TACACS+?

Richard Burts Fri, 08/03/2007 - 11:12

Joseph

Edison is right that the traditional solution for this was AAA accounting. Cisco has introduced a new feature which gives you the ability to track config changes to syslog rather than using aaa accounting. This link provides information about this new capability:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454f73.html

I have not yet tested it but it sounds exactly like what you want.

HTH

Rick

Edison Ortiz Fri, 08/03/2007 - 11:20

Rick,

Somehow that feature escaped and I've used it many times in different implementations. That's definitely the solution the OP is after. I'm rating your post accordingly.

Richard Burts Fri, 08/03/2007 - 11:31

Edison

I am glad that you are familiar with this. It sounds very good but I have not yet had occasion to use it.

Thanks for the rating.

HTH

Rick

jkjackson Fri, 08/03/2007 - 11:34

I am trying to configure this, however it does not seem to be sending the messages to the syslog server. Can you post me the relevant part of a working config? Thanks,

Edison Ortiz Fri, 08/03/2007 - 11:45

Can you post your config and we go from there ?

Did you also configure a line like:

logging [syslog server IP]

?

jkjackson Fri, 08/03/2007 - 11:48

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
no logging trap
logging (server IP)

jkjackson Fri, 08/03/2007 - 11:55

That worked, great! But is there any way to log any command sent to the IOS and not just config changes?
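What the `archive / log config / notify syslog` feature actually hands the syslog server is one `%PARSER-5-CFGLOG_LOGGEDCMD` message per configuration command, carrying the user name and the command. The following is an added example (not code from the original thread or from Cisco) that parses such lines on the collector side and flags the changes an operator would want to see immediately, such as logging or AAA being switched off or a privilege-15 user being created. The sample syslog lines are constructed for this example, including the `*****` masking that `hidekeys` applies to secrets; the host prefix layout, the `RISKY` patterns and the function names are this example's own assumptions. Note that these messages are severity 5 (notifications), so the device's trap level has to admit notifications for them to leave the box at all, and, as the thread says, exec-mode commands such as `show running-config` never appear here; that requires AAA command accounting.

```python
import re
from dataclasses import dataclass, field

# Syslog message IOS emits for each command entered in configuration mode when
# "archive / log config / notify syslog" is enabled. The mnemonic is the real one;
# everything matched around it (host prefix, timestamp) is an assumption about
# how a typical syslog collector stores the line.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Commands worth an immediate alert. These patterns are this example's assumptions,
# not something the original thread prescribes; extend them to taste.
RISKY = [
    (re.compile(r"^no\s+(logging|archive|aaa)\b"), "logging/AAA disabled"),
    (re.compile(r"^username\s+\S+.*\bprivilege\s+15\b"), "new privileged local user"),
    (re.compile(r"^(enable\s+(secret|password)\b|username\s+\S+.*\b(secret|password)\b)"),
     "credential changed"),
    (re.compile(r"^(ip\s+)?access-list\b"), "ACL modified"),
]


@dataclass
class ConfigEvent:
    host: str
    user: str
    command: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return a ConfigEvent for a CFGLOG_LOGGEDCMD line, or None for any other syslog line."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    host = line.split()[0]  # assumption: collector prefixes each line with the source host
    cmd = m.group("cmd").strip()
    reasons = [why for pat, why in RISKY if pat.search(cmd)]
    return ConfigEvent(host=host, user=m.group("user"), command=cmd, reasons=reasons)


def audit(lines):
    """All configuration changes found in the given syslog lines, in order."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def flagged(lines):
    """Only the changes that matched at least one RISKY pattern."""
    return [e for e in audit(lines) if e.reasons]


# Constructed sample lines (not captured from the thread's devices). The last line is
# an ordinary config-mode entry notice, which the parser must ignore.
SAMPLE = """\
10.1.1.10 1234: Aug  3 11:50:01.123: %PARSER-5-CFGLOG_LOGGEDCMD: User:jkjackson  logged command:interface GigabitEthernet1/0/1
10.1.1.10 1235: Aug  3 11:50:05.456: %PARSER-5-CFGLOG_LOGGEDCMD: User:jkjackson  logged command:description uplink
10.1.1.10 1236: Aug  3 11:52:10.789: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no logging trap
10.1.1.10 1237: Aug  3 11:52:30.012: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:username backdoor privilege 15 secret *****
10.1.1.10 1238: Aug  3 11:53:00.345: %SYS-5-CONFIG_I: Configured from console by jkjackson on vty0 (10.1.1.50)
""".splitlines()


if __name__ == "__main__":
    for ev in audit(SAMPLE):
        tag = "ALERT" if ev.reasons else "info "
        print(f"{tag} {ev.host} {ev.user}: {ev.command}"
              + (f"  [{', '.join(ev.reasons)}]" if ev.reasons else ""))
```

Feeding the collector's file through `audit()` gives the per-user change trail the original poster asked for; `flagged()` is the subset to wire into alerting. Because the device masks secrets when `hidekeys` is set, the `username ... secret` line is still attributable to a user without the secret itself ever reaching the log.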

Edison Ortiz Fri, 08/03/2007 - 12:06

Sorry, that's when you need AAA.

If you have a RADIUS server, you can configure accounting by pointing to that server. No need to purchase a TACACS+ server.

jkjackson Fri, 08/03/2007 - 12:10

But where does it store the messages? I do have AAA configured via MS IAS, works great. I looked over the document you linked in the first reply and it didn't seem to say where it logged the messages.

Edison Ortiz Fri, 08/03/2007 - 12:23

Let's see what you have configured thus far regarding AAA.

Please include the radius information as well.

Are you authenticating and receiving authorization via RADIUS ?

jkjackson Fri, 08/03/2007 - 12:25

Yes, and of course it logs a Windows Event log entry each time you log in. Is this the same way it will log the accounting events?

jkjackson Fri, 08/03/2007 - 12:27

Here is my AAA config:

aaa new-model
!
!
aaa group server radius srv006
 server xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
!
aaa authentication login default group (groupname) local
aaa authentication login console line
aaa authorization exec default group (groupname) if-authenticated
aaa session-id common
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server deadtime 1
radius-server key (rad key)
radius-server vsa send authentication

Richard Burts Fri, 08/03/2007 - 12:32

Joseph

You have AAA configured for authentication and authorization but not for accounting. Add this to your config:

aaa accounting commands 15 default start-stop group (groupname)

This should get you all the privilege level commands that are entered.

HTH

Rick

jkjackson Fri, 08/03/2007 - 12:37

Rick,

That is fine and dandy. What I don't understand is where does it log the messages on the AAA server? What I am trying to obtain is, every time someone does something on a network device, I see it on my monitoring system automatically, in a syslog type format.

Richard Burts Fri, 08/03/2007 - 12:57

Joseph

My experience with AAA accounting is with an ACS server. In the ACS server there is a report heading where the accounting records are displayed. Assuming that your Radius server is not an ACS server I am not sure where the accounting records are logged.

HTH

Rick

jkjackson Fri, 08/03/2007 - 13:09

Yeah, well I will work with what y'all have given me and see what I can come up with. I will rate the post accordingly Monday. Thank you both for your enduring help!

royalblues Fri, 08/03/2007 - 12:36

Add these accounting commands as well and check:

aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius

HTH

Narayan

atif-siddiqui Fri, 08/03/2007 - 18:54

This does not work for RADIUS, but yet we have the command available; the message shows that it can only be for TACACS. How can we get it?

PE2(config)#aaa accounting commands 15 default start-stop group TESTR
PE2(config)#
10w1d: %AAAA-4-SERVNOTACPLUS: The server-group "TESTR" is not a tacacs+ server group. Please define "TESTR" as a tacacs+ server group.
PE2(config)#

Also Cisco documentation:

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacct.html#wp6192

"Cisco's implementation of RADIUS does not support command accounting."

How can we do that? Any ideas?

Edison Ortiz Sat, 08/04/2007 - 05:17

Try without using the group name and please enter the commands as Narayan illustrated.

The link you posted is from 11.3 IOS release. That's very old information and it's no longer true.

Please follow the link I posted at the beginning of this thread.

It has the most recent information regarding AAA Accounting configuration.

BTW, What IOS release are you running ?
