Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX command accounting to ACS3.2

Is PIX OS capable of accounting all commands entered (similar to Cat IOS accounting)? I want to be able to log commands...I don't neccesarily need to log traffic through the PIX.

7 REPLIES
New Member

Re: PIX command accounting to ACS3.2

This is what I am also looking for.

Myer, if you found out how to do it pls add a reply to your post here.

Thanks.

New Member

Re: PIX command accounting to ACS3.2

I just found out that is cannot be done.

:-(

New Member

Re: PIX command accounting to ACS3.2

From where? I am about to open a TAC case with ACS group.

New Member

Re: PIX command accounting to ACS3.2

I have a friend with some years of work experience with PIX firewalls, I just asked him ...

Opening a TAC case would be a great idea. They may know more, like if in ver 7 we will have this feature.

Good luck and pls keep us updated :-)

New Member

Re: PIX command accounting to ACS3.2

Okay, I found out that there is no command accounting available...however, you can use Syslog to track who did what. Here is a link to "Authentication & Command Authorization for PIX 6.2". Go to the Accounting section.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml#accounting

This was given to me by a TAC engineer. Also, one of my CCIE friends verified that the PIX cannot do accounting on CLI commands...only on user services being passed through the PIX. Hope this helps!!

New Member

Re: PIX command accounting to ACS3.2

indeed it helps. i'll do syslog then.

thanks a lot and good luck.

C

New Member

Re: PIX command accounting to ACS3.2

Hi, I'm having the same problem. the link provide didn't gave me much info. currently I have logging nofication enable and everything is being sent to my syslog server - that's too much. I just want to log messages when someone make changes. I tried using the "no logging message (message-id) but it takes too long. Do you know if I can use the "logging messages" command and specify a range, i.e 11100-111111?

thanks!

166
Views
0
Helpful
7
Replies
CreatePlease to create content