Cisco Support Community

New Member

Syslog. Include IP address of VTY in every message (configuration changes)

Hello guys,

I have discovered that Huawei has a different syslog message format when it comes to logging configuration changes to an external syslog; however, if in Cisco you are using a universal login for many users, it is impossible to know which IP address logged which command.

I know a solution would be to let every user use their own login; however, I wanted to know if there is a way for a Cisco router to associate the vty of the "logged command" originator and include this information in the syslog message.


Here is the example for Huawei:

%%10SHELL/5/CMD(l):-DevIP=10.219.3.2- 2 -task:vt0 ip:10.200.7.138 user:** command:display logbuffer


Cisco kind of includes a final message where it tells what the IP address of the VTY was; however, this IP address is not present in every syslog message as it is in Huawei.


68954: 168799: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:no logging host 10.200.100.10 transport udp port 515

68952: 168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:exit

68953: 168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by XXXXX on vty5 (10.200.7.138)


Is it possible to do something similar in Cisco?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

If you have Splunk or another enterprise log reporting server you can correlate those events by building a transaction whenever you see a %SYS-5-CONFIG_I event. I have support for this in my Cisco Networks app for Splunk: https://apps.splunk.com/app/1352/ & https://apps.splunk.com/app/1467/


Have a look and see what you think.
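The correlation Mikael describes, written out as an added example that is not part of the thread or of the Splunk app: it replays the syslog lines in sequence order and attaches the vty and source IP from each %SYS-5-CONFIG_I to the %PARSER-5-CFGLOG_LOGGEDCMD events that preceded it for the same user. The three lines from the question are reused and one extra CFGLOG line is constructed; with a shared login, two overlapping sessions under the same username cannot be separated this way, and a session that removes the logging host never gets its closing CONFIG_I, so its commands stay unattributed.

```python
import re

# Constructed sample: the three messages quoted in the thread plus one
# constructed line (seq 68951) so the first session contains two commands.
# Sequence numbers give the true order; the post listed them out of order.
SAMPLE_LOG = """\
68951: 168795: Sep 22 14:18:20.110: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:logging host 10.200.100.10 transport udp port 515
68952: 168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:exit
68953: 168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by XXXXX on vty5 (10.200.7.138)
68954: 168799: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:no logging host 10.200.100.10 transport udp port 515
"""

LOGGEDCMD = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$")
# The "(ip)" suffix is optional so a console session ("on console") still parses.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+?)"
    r"(?: \((?P<ip>[^)]+)\))?$")


def correlate(log_text):
    """Replay the log in order. Each CFGLOG_LOGGEDCMD is held per user until
    the next %SYS-5-CONFIG_I for that user, which names the vty and source
    IP; those are then attached to every command in that session.
    Returns (sessions, unattributed): commands never closed by a CONFIG_I
    remain unattributed, e.g. when the session itself removed the syslog host."""
    pending = {}   # user -> commands awaiting their closing CONFIG_I
    sessions = []
    for line in log_text.splitlines():
        m = LOGGEDCMD.search(line)
        if m:
            pending.setdefault(m["user"], []).append(m["cmd"].strip())
            continue
        m = CONFIG_I.search(line)
        if m:
            sessions.append({
                "user": m["user"], "line": m["line"], "ip": m["ip"],
                "commands": pending.pop(m["user"], []),
            })
    return sessions, pending


if __name__ == "__main__":
    sessions, unattributed = correlate(SAMPLE_LOG)
    for s in sessions:
        for cmd in s["commands"]:
            print(f"{s['user']} {s['line']} {s['ip']}: {cmd}")
    for user, cmds in unattributed.items():
        for cmd in cmds:
            print(f"{user} ??? ???: {cmd}  (no CONFIG_I seen)")
```

An unattributed "no logging host" command is itself worth alerting on, since it means the device stopped reporting to that collector.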

2 REPLIES

New Member

Thank you Mikael,

We are using PRTG Network Monitor and CiscoWorks here in our network.

We finally created a unique login for every user, and the way I implemented syslog was using PRTG + Kiwi Syslog Server to redirect messages from the Cisco 4500 to a port other than 514.


Thanks for the suggestion!!!
