log

Unanswered Question
May 6th, 2008

On a router, what specific command can I use to see the activities (e.g. config changes, parameters, etc.) that a user did on the device? Also, if a user just logs on in user mode, will the device still log his/her activities?

Overall Rating: 4 (1 ratings)
korbenda11as Tue, 05/06/2008 - 21:53

Thanks. Can show log alone trace what activities a user did on a device? What happened is that my colleagues are saying that I did a save command on a router, which honestly I didn't do. I looked at the router's log using the sh log command but didn't find anything. I just want to know how he was able to say that I did a save command that equals a change.

JORGE RODRIGUEZ Wed, 05/07/2008 - 12:42

Oliver, below is an example of what is recorded in the router. Any command entered that has changed or altered the router's configuration is saved in the archive in the router, if you choose to do so when configuring this feature. Configuration entered in the router is also relayed to my syslog server. Since I am the only network person I do not need ACS nor local AAA, so this is why in the output below you see user "unknown".


In config mode you simply need the statements below.


archive
 log config
  logging enable
  logging size 50
  notify syslog
  hidekeys


You may also use a question mark to see other sub-command features:


Router(config)#Archive
Router(config-archive)# ?


You may also want to add in config mode:

login on-failure log
login on-success log




.May 4 20:32:06 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 6x.xx.xx.117 name DR_TEMP_LB0_IP
.May 4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
.May 4 20:39:03 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:40:12 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 6x.xxx.xxx.xxx name DR_TEMP_LB0_IP
.May 4 20:40:16 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
May 4 20:51:17 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
May 4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:53:11 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:55:02 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)



HTH

-Jorge


PLS rate any helpful post if it helped
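One way to turn config-logger syslog output like the above into a per-session audit trail, added here as an example and not part of the original post. The sample lines are constructed in the same format; the username `jdoe`, the documentation-range addresses, and the `by <user> on <line>` form of CONFIG_I (assumed for devices where a username is known) are assumptions.

```python
import re

# Constructed sample lines modelled on the output above (addresses are documentation ranges).
SAMPLE = """\
.May  4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
.May  4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:ip route 10.1.253.21 255.255.255.255 192.0.2.117 name DR_TEMP_LB0_IP
.May  4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
May  4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no ip route 10.1.253.21 255.255.255.255 192.0.2.117 name DR_TEMP_LB0_IP
May  4 20:55:02 UTC: %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (192.0.2.10)
""".splitlines()

# Optional leading "." or "*" is the router's clock-status marker in front of the timestamp.
LINE = re.compile(r"^[.*]?(?P<ts>\w{3}\s+\d+ [\d:.]+(?: \w+)?): %(?P<tag>[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$")
CMD = re.compile(r"^User:(?P<user>.*?)\s+logged command:(?P<cmd>.*)$")
SRC = re.compile(r"^Configured from (?P<via>\S+) by (?:(?P<user>\S+) on )?(?P<line>\S+)(?: \((?P<ip>[^)]+)\))?$")

def config_sessions(lines):
    """Group logged commands under the CONFIG_I message that closes each config session."""
    sessions, pending = [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["tag"] == "PARSER-5-CFGLOG_LOGGEDCMD" and (c := CMD.match(m["msg"])):
            # "!exec:" entries are kept out of the change list (treated here as non-config markers).
            if not c["cmd"].startswith("!exec:"):
                pending.append((m["ts"], c["user"], c["cmd"]))
        elif m["tag"] == "SYS-5-CONFIG_I" and (s := SRC.match(m["msg"])):
            users = {u for _, u, _ in pending} | ({s["user"]} if s["user"] else set())
            sessions.append({
                "closed": m["ts"], "line": s["line"], "source_ip": s["ip"],
                "commands": [cmd for _, _, cmd in pending],
                "users": sorted(users),
                # Without AAA or local usernames the logger reports "unknown user".
                "attributed": bool(users) and "unknown user" not in users,
            })
            pending = []
    return sessions, pending  # pending: commands with no closing CONFIG_I yet

if __name__ == "__main__":
    for s in config_sessions(SAMPLE)[0]:
        print(s)
```

Sessions with `attributed` set to False can only be tied to a vty line and source address, not to a person.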



cisco_lad2004 Wed, 05/07/2008 - 13:29

Jorge,


Excellent post !


Is there any impact at all on the CPU? I think not, since it's a simple login, but since I have never tested this I have to ask.


I use TACACS for logging users' activities, but when 3rd parties are on a box, it would be nice to see straight away what is being done.


Thanks


Sam

JORGE RODRIGUEZ Wed, 05/07/2008 - 14:59

Hi Sam, not really any impact on CPU at all, this is minimal syslog messaging information. This is only when an authorized user or users are logged in to the router, and at least you can know what was changed, but there is not much processing involved on the CPU.


I used TACACS a long time ago in another job, I loved it, but this feature is great as well. I'm sure you can have it in addition to TACACS. It is great: I use Kiwi CatTools to back up routers' config and I always noticed even when CatTools accesses the router to back up the config.


Bst Rgds

Jorge

ohassairi Wed, 05/07/2008 - 02:07

If you have an ACS server, you could use the accounting function it offers to log administrators' commands.

You need to add some commands on the router:

aaa new-model
aaa accounting commands 1 sabbeb1 start-stop group tacacs+
aaa accounting commands 15 sabbeb2 start-stop group tacacs+
!
tacacs-server host 10.111.100.2 key kilmitissir
!
line vty 0 4
 accounting commands 1 sabbeb1
 accounting commands 15 sabbeb2


And configure the ACS server properly.

