Syslog all commands

Aug 3rd, 2007

Is there a way on a 3560 or 3750 switch and a 3845 or 2811 router to tell it to send all config commands someone is typing on the device to a syslog server? Is this only available with TACACS+?

Overall Rating: 5 (3 ratings)
Richard Burts Fri, 08/03/2007 - 11:12

Joseph


Edison is right that the traditional solution for this was AAA accounting. Cisco has introduced a new feature which gives you the ability to track config changes to syslog rather than using aaa accounting. This link provides information about this new capability:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454f73.html


I have not yet tested it but it sounds exactly like what you want.


HTH


Rick
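Rick's link describes the IOS config-change logger (archive / log config / notify syslog), which emits one %PARSER-5-CFGLOG_LOGGEDCMD syslog message per configuration command. As an added example that is not part of the original thread or Cisco's documentation, the Python script below parses those messages the way a collector or SIEM rule would and flags the commands an operator should be paged on. The sample log lines, usernames, timestamps, sequence numbers and the watchlist are constructed for the example; the message format itself is the plaintext one the config logger produces.

```python
"""Parse Cisco IOS config-change syslog messages and flag risky commands.

Added example for this thread, not code from the original posts or from
Cisco. It assumes the %PARSER-5-CFGLOG_LOGGEDCMD format produced by
`archive / log config / notify syslog contenttype plaintext`. The sample
lines below are constructed (invented users, timestamps, sequence numbers).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what a collector receives once `logging <host>` and
# `logging trap` are in place. `hidekeys` has replaced the secret with *****.
SAMPLE_LOG = """\
<189>45: *Aug  3 11:52:10.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:jkjackson  logged command:interface GigabitEthernet1/0/5
<189>46: *Aug  3 11:52:14.211: %PARSER-5-CFGLOG_LOGGEDCMD: User:jkjackson  logged command:description uplink to core
<189>47: *Aug  3 11:53:02.540: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:username backdoor privilege 15 secret *****
<189>48: *Aug  3 11:53:09.118: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no aaa accounting commands 15 default
<189>49: *Aug  3 11:53:15.777: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no logging trap
<189>50: *Aug  3 11:54:00.001: %SYS-5-CONFIG_I: Configured from console by jkjackson on vty0 (192.0.2.7)
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# What this environment wants paged on. The list is an assumption for the
# example, not a Cisco-supplied set of dangerous commands.
WATCHLIST = [
    (re.compile(r"^no (logging|archive|aaa)\b"), "logging/AAA weakened"),
    (re.compile(r"^username\b"), "local account change"),
    (re.compile(r"^enable (secret|password)\b"), "enable credential change"),
    (re.compile(r"^(ip )?access-list\b"), "ACL change"),
    (re.compile(r"^snmp-server community\b"), "SNMP community change"),
    (re.compile(r"^line vty\b"), "remote access line change"),
]


@dataclass(frozen=True)
class ConfigEvent:
    user: str
    command: str
    reason: Optional[str]  # None when the command is not on the watchlist


def parse_cfglog(text: str) -> list[ConfigEvent]:
    """Extract user and command from every CFGLOG_LOGGEDCMD line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        reason = next((why for pat, why in WATCHLIST if pat.search(cmd)), None)
        events.append(ConfigEvent(m.group("user"), cmd, reason))
    return events


def alerts(text: str) -> list[ConfigEvent]:
    """Only the events that hit the watchlist."""
    return [e for e in parse_cfglog(text) if e.reason is not None]


def changes_by_user(text: str) -> dict[str, int]:
    """How many config commands each user entered; handy for an audit summary."""
    counts: dict[str, int] = {}
    for e in parse_cfglog(text):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG):
        print(f"ALERT [{e.reason}] {e.user}: {e.command}")
    print(changes_by_user(SAMPLE_LOG))
```

Two things worth noticing in the sample: the logger records the command as typed (so `hidekeys` matters, or the cleartext secret would be shipped over UDP syslog), and an attacker's first move is often to turn the logger or accounting off, which is why `no logging`, `no archive` and `no aaa` sit at the top of the watchlist. The %SYS-5-CONFIG_I line is the ordinary "someone entered config mode" message and is deliberately ignored here.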

Edison Ortiz Fri, 08/03/2007 - 11:20

Rick,


Somehow that feature escaped me, and I've used it many times in different implementations. That's definitely the solution the OP is after. I'm rating your post accordingly.


Richard Burts Fri, 08/03/2007 - 11:31

Edison


I am glad that you are familiar with this. It sounds very good but I have not yet had occasion to use it.


Thanks for the rating.


HTH


Rick

jkjackson Fri, 08/03/2007 - 11:34

I am trying to configure this, but it does not seem to be sending the messages to the syslog server. Can you post the relevant part of a working config? Thanks.

Edison Ortiz Fri, 08/03/2007 - 11:45

Can you post your config and we'll go from there?


Did you also configure a line like the following?

logging [syslog server IP]

jkjackson Fri, 08/03/2007 - 11:48

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
no logging trap
logging (server IP)



Edison Ortiz Fri, 08/03/2007 - 11:50

enable logging trap

jkjackson Fri, 08/03/2007 - 11:55

That worked, great! But is there any way to log any command sent to the IOS and not just config changes?

Edison Ortiz Fri, 08/03/2007 - 12:06

Sorry, that's when you need AAA.


If you have a RADIUS server, you can configure accounting by pointing to that server. No need to purchase a TACACS+ server.

jkjackson Fri, 08/03/2007 - 12:10

But where does it store the messages? I do have AAA configured via MS IAS; it works great. I looked over the document you linked in the first reply and it didn't seem to say where it logs the messages.

Edison Ortiz Fri, 08/03/2007 - 12:23

Let's see what you have configured thus far regarding AAA.


Please include the radius information as well.


Are you authenticating and receiving authorization via RADIUS ?

jkjackson Fri, 08/03/2007 - 12:25

Yes, and of course it logs to the Windows Event log each time you log in. Is this the same way it will log the accounting events?

jkjackson Fri, 08/03/2007 - 12:27

Here is my AAA config:

aaa new-model
!
aaa group server radius srv006
 server xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
!
aaa authentication login default group (groupname) local
aaa authentication login console line
aaa authorization exec default group (groupname) if-authenticated
aaa session-id common
!
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server deadtime 1
radius-server key (rad key)
radius-server vsa send authentication


Richard Burts Fri, 08/03/2007 - 12:32

Joseph


You have AAA configured for authentication and authorization but not for accounting. Add this to your config:

aaa accounting commands 15 default start-stop group (groupname)

This should get you all the privilege level commands that are entered.


HTH


Rick

jkjackson Fri, 08/03/2007 - 12:37

Rick,

That is fine and dandy. What I don't understand is where it logs the messages on the AAA server. What I am trying to obtain is that every time someone does something on a network device, I see it on my monitoring system automatically, in a syslog type format.

Richard Burts Fri, 08/03/2007 - 12:57

Joseph


My experience with AAA accounting is with an ACS server. In the ACS server there is a report heading where the accounting records are displayed. Assuming that your Radius server is not an ACS server I am not sure where the accounting records are logged.


HTH


Rick

jkjackson Fri, 08/03/2007 - 13:09

Yeah, well, I will work with what y'all have given me and see what I can come up with. I will rate the posts accordingly Monday. Thank you both for your enduring help!

royalblues Fri, 08/03/2007 - 12:36

add these accounting commands as well and check


aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius


HTH

Narayan

atif-siddiqui Fri, 08/03/2007 - 18:54

This does not work for RADIUS, yet we have the command available; the message shows that it can only be for TACACS+. How can we get it?


PE2(config)#aaa accounting commands 15 default start-stop group TESTR
PE2(config)#
10w1d: %AAAA-4-SERVNOTACPLUS: The server-group "TESTR" is not a tacacs+ server group. Please define "TESTR" as a tacacs+ server group.
PE2(config)#


Also, Cisco documentation:


http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scacct.html#wp6192


Cisco's implementation of RADIUS does not support command accounting.


How can we do that? Any ideas?

Edison Ortiz Sat, 08/04/2007 - 05:17

Try without using the group name and please enter the commands as Narayan illustrated.


The link you posted is from 11.3 IOS release. That's very old information and it's no longer true.


Please follow the link I posted at the beginning of this thread.


It has the most recent information regarding AAA Accounting configuration.


BTW, What IOS release are you running ?
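Pulling the thread's two fixes together (the missing `logging trap` that kept jkjackson's config-logger messages on the box, and the %AAAA-4-SERVNOTACPLUS error in atif-siddiqui's post when command accounting points at a RADIUS group), here is an added config-audit script that is not from the original posts or from Cisco. It reads a running-config and checks the whole chain: config logger enabled and notifying syslog, `hidekeys` set, a syslog host present, a trap level that does not drop severity-5 CFGLOG messages, and `aaa accounting commands` bound to a tacacs+ server group. Both configs inside it are constructed: the IPs are RFC 5737 documentation addresses, the group names are placeholders, and the "fixed" version is one way to satisfy the checks rather than the only one.

```python
"""Audit a Cisco IOS running-config for the command-logging chain.

Added example for this thread, not code from the original posts or from
Cisco. Both configs are constructed: IPs are RFC 5737 documentation
addresses and group names are placeholders. IOS accepts both
`logging <ip>` and `logging host <ip>`; the check accepts either form.
"""
import re
from typing import Optional

TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6,
               "debugging": 7}
CFGLOG_SEVERITY = 5  # %PARSER-5-CFGLOG_LOGGEDCMD is severity 5 (notifications)

# jkjackson's situation as posted, reconstructed: logger on, but
# `no logging trap` and command accounting pointed at a RADIUS group.
BROKEN_CONFIG = """\
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
aaa new-model
aaa group server radius srv006
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group srv006 local
aaa accounting commands 15 default start-stop group srv006
!
no logging trap
logging 192.0.2.50
"""

# One way to pass every check: trap level restored, accounting moved to a
# tacacs+ group (the tacacs-server host/key lines are omitted for brevity).
FIXED_CONFIG = """\
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
aaa new-model
aaa group server radius srv006
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac-acct
 server 192.0.2.20
!
aaa authentication login default group srv006 local
aaa accounting commands 15 default start-stop group tac-acct
!
logging trap informational
logging host 192.0.2.50
"""


def _archive_block(lines: list[str]) -> list[str]:
    """Stripped lines nested under 'archive' (IOS indents child lines)."""
    block, inside = [], False
    for line in lines:
        if line == "archive":
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                block.append(line.strip())
            else:
                break
    return block


def _server_groups(lines: list[str]) -> dict[str, str]:
    """Map AAA server-group name -> protocol ('radius' or 'tacacs+')."""
    groups = {}
    for line in lines:
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def _trap_level(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else TRAP_LEVELS.get(token)


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means the chain is intact."""
    lines = config.splitlines()
    findings = []
    arch = _archive_block(lines)
    if "logging enable" not in arch:
        findings.append("config logger not enabled (archive / log config / logging enable)")
    if not any(l.startswith("notify syslog") for l in arch):
        findings.append("config logger not forwarding to syslog (notify syslog)")
    if "hidekeys" not in arch:
        findings.append("hidekeys missing: passwords would be logged in clear")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append("no syslog host configured (logging host <ip>)")
    for l in lines:
        if l == "no logging trap":
            findings.append("no logging trap: messages never leave the box")
        m = re.match(r"logging trap (\S+)", l)
        if m:
            level = _trap_level(m.group(1))
            if level is None or level < CFGLOG_SEVERITY:
                findings.append(f"logging trap {m.group(1)} drops severity-{CFGLOG_SEVERITY} CFGLOG messages")
    groups = _server_groups(lines)
    for l in lines:
        m = re.match(r"aaa accounting commands \d+ \S+ (?:start-stop|stop-only|none) group (\S+)", l)
        if m:
            name = m.group(1)
            proto = name if name in ("tacacs+", "radius") else groups.get(name)
            if proto != "tacacs+":
                findings.append(f"command accounting points at '{name}' ({proto or 'undefined'}); IOS requires a tacacs+ server group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it as-is and the broken config yields two findings (the disabled trap and the RADIUS-backed accounting) while the fixed one yields none. A trap level below notifications, such as `logging trap errors`, is caught too, because the config logger's messages are severity 5 and would be silently filtered even though everything else is configured.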
