How to log command history type into the console?

Unanswered Question
Oct 10th, 2008

Good morning.

For auditing purposes, we need to log which commands were typed into the ASA console, with user and time.

Could you tell me which is the command? I can't find it... it has changed from "Archive".

This will also log the commands introduced via the graphic interface, right? After all, it's just a front end that sends commands to the Cisco router.

Thanks.

Farrukh Haroon Sat, 10/11/2008 - 03:07

Well, you could do it via AAA, but even with that the ASA will only show the username enable_15. Even if you do 'logging buffered debug' you will see each command typed, but it won't show you the specific user:

111008: User 'enable_15' executed the 'logging on' command

Regards

Farrukh

gcsnetexpert Sat, 10/11/2008 - 05:45

Well, you should use AAA to complete your requirement, or you can enable logging by building one logging server and using the below-mentioned commands:

logging enable
logging timestamp
logging console informational
logging buffered informational
logging trap informational
logging facility 23
logging queue 2048
logging host xxx.xxx.xxx.xxx (logging server IP) format emblem (if using a Linux server)
logging host Inside_mgt 192.168.1.1 (logging server IP for a Windows server)

juan.scopp Wed, 11/12/2008 - 04:25

Thanks for the response, guys, but it's not working.

I even tried using logging trap debugging, to send EVERYTHING to our syslog, and nothing... all I see is this level of logs, no other type of "User 'X' executed cmd:" messages:

201115721 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show version

201115735 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show running-config aaa authorization

201115683 10.3.1.1 local7 15:17:20 Nov %ASA-7-111009: User 'X' executed cmd: show module 1 details

200968772 10.3.1.1 local7 09:34:14 Nov %ASA-7-111009: User 'X' executed cmd: show version

I can't see any other commands typed; it's very weird. I also tried with logging buffered debugging, sending the messages to an FTP server, and it's the same.

I can't see any more messages than these.

Does anyone have any more ideas?

juan.scopp Wed, 11/12/2008 - 10:35

Hey, I just saw something on the net.

Those commands that were logged are READ ONLY commands; that's why they are logged only at debugging level.

At notification (level 5), you get this kind of message:

%ASA-5-111008: User 'X' executed the 'dir disk0:/dap.xml' command.

With this, I don't get the messages I should get about creating a new access rule.

Does anyone know if these should be logged with the number 111008 also, or is it another syslog number?

Thanks!
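The two message types quoted in this thread (111009 at level 7 for read-only commands, 111008 at level 5 for other executed commands) are what an auditor has to pick out of the syslog feed. The following is an added example, not code from the thread or from Cisco: a small Python parser that extracts user and command from both formats, ignores unrelated ASA messages, and models which events a given `logging trap <level>` setting would forward (a message is sent when its severity number is less than or equal to the configured level). The sample lines are constructed for the example, modeled on the ones posted above; the 302013 line is a constructed non-command message included to show it is skipped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco ASA syslog severity keywords and their numeric levels.
ASA_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the ASA header plus the two command-audit bodies seen in the thread:
#   %ASA-5-111008: User 'X' executed the '<cmd>' command.
#   %ASA-7-111009: User 'X' executed cmd: <cmd>
# Anything before "%ASA-" (syslog server prefix, timestamp, facility) is ignored.
_CMD_RE = re.compile(
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): User '(?P<user>[^']+)' executed "
    r"(?:the '(?P<cmd_a>.+)' command\.?|cmd: (?P<cmd_b>.+))$"
)


@dataclass
class CommandEvent:
    severity: int
    msgid: str
    user: str
    command: str

    @property
    def read_only(self) -> bool:
        # 111009 is the level-7 message used for read-only (show-type) commands.
        return self.msgid == "111009"


def parse_command_event(line: str) -> Optional[CommandEvent]:
    """Return a CommandEvent for a 111008/111009 line, or None for anything else."""
    m = _CMD_RE.search(line.strip())
    if not m:
        return None
    cmd = m.group("cmd_a") if m.group("cmd_a") is not None else m.group("cmd_b")
    return CommandEvent(int(m.group("sev")), m.group("msgid"),
                        m.group("user"), cmd.strip())


def audit_events(lines: List[str]) -> List[CommandEvent]:
    """Extract every command-audit event from a batch of syslog lines."""
    events = []
    for line in lines:
        ev = parse_command_event(line)
        if ev is not None:
            events.append(ev)
    return events


def forwarded_at(level: str, events: List[CommandEvent]) -> List[CommandEvent]:
    """Events that 'logging trap <level>' would send to the syslog server."""
    return [e for e in events if e.severity <= ASA_LEVELS[level]]


# Constructed sample lines, modeled on the messages quoted in the thread.
SAMPLE_LINES = [
    "201115721 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show version",
    "201115735 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: "
    "show running-config aaa authorization",
    "Nov 12 15:18:02 10.3.1.1 %ASA-5-111008: User 'enable_15' executed the "
    "'logging trap debugging' command.",
    "Nov 12 15:18:40 10.3.1.1 %ASA-5-111008: User 'X' executed the "
    "'dir disk0:/dap.xml' command.",
    "Nov 12 15:18:41 10.3.1.1 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.3.1.20/51234 (10.3.1.20/51234)",
]

if __name__ == "__main__":
    evs = audit_events(SAMPLE_LINES)
    for e in evs:
        kind = "read-only" if e.read_only else "executed"
        print(f"[{e.msgid}/sev{e.severity}] {e.user:10} {kind:9} {e.command}")
    print("forwarded at notifications:", len(forwarded_at("notifications", evs)))
    print("forwarded at debugging:    ", len(forwarded_at("debugging", evs)))
```

Running this against the sample shows the point of the second juan.scopp post: with `logging trap notifications` only the two 111008 events reach the syslog server, while the read-only 111009 events need `logging trap debugging`. The user field carries whatever the ASA reports, so without AAA it will simply read enable_15 as Farrukh noted.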
