Cisco Support Community
New Member

command logging

Is there a way to have a switch send a copy of the commands entered into it to a syslog server or in ACS? I want to have a log of what commands were entered on a switch and by whom. I have LMS 2.6 and ACS 3.3... any ideas?

8 REPLIES
Silver

Re: command logging

With ACS 3.3 (got some serious bugs, you might want to consider upgrading to 4.1.3 build 12 patch 2) and LMS 2.6 you've got a good set of things to work with. Just enable TACACS+ in your AAA configuration for authorization, authentication and accounting and that information is automatically populated in the TACACS+ log file. Source, device, whom, when... it's all there.

If you supply a model of switch we can give you a sample for your configuration.

New Member

Re: command logging

I have ACS sending me when a person logs in with their username, and I also have RME sending me an email when the config is changed. But where do I get the exact commands they entered? I'm looking for something like the show history output. I need an email kicked off, a trap sent to my MARS.

Silver

Re: command logging

Hmm, you're asking a bit much for ACS to do all of that; you'll need a third-party app to parse your logs. I can recommend AAA-Reports! with the automation module (free demo) to provide some of the functionality you listed. I use it for reporting on some 5,500 devices.

The log you're looking for is under Reports and Activity, TACACS+ Administration, which lists (when you enable the fields):

Date Time User-Name Group-Name cmd priv-lvl service NAS-Portname task_id NAS-IP-Address reason Caller-Id Acct-Flags Acct-Method Acct-Type Acct-Service

You can simply sort the output in Excel (tm) by the user name field to get a per-user listing of all the commands they entered.

New Member

Re: command logging

Thanks for the recommendation, I'll take a look at that app. I think I have a problem with my TACACS+ accounting. I'm told that's where the command-by-command logs are kept.

Silver

Re: command logging

The TACACS+ accounting log only contains the start and stop messages for TACACS+ sessions... for a complete picture you need to correlate both logs for a picture of when a session started from the accounting log, what commands were issued from the administration log, and when the session concluded from the accounting log.
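The correlation described in the reply above, as an added example that is not part of the original thread or of any Cisco tool. The administration columns follow the field list quoted earlier in the thread; the accounting layout, the date format and all sample rows are constructed assumptions, and one session per user per device at a time is assumed.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows; column names follow the field list quoted in the thread.
ADMIN_CSV = """Date,Time,User-Name,cmd,priv-lvl,NAS-IP-Address
03/04/2008,09:01:10,alice,show running-config <cr>,15,192.0.2.10
03/04/2008,09:02:05,alice,configure terminal <cr>,15,192.0.2.10
03/04/2008,09:02:40,bob,show vlan <cr>,1,192.0.2.11
03/04/2008,09:30:00,alice,show version <cr>,15,192.0.2.10
"""
# Assumed layout for the accounting export: one start and one stop row per session.
ACCT_CSV = """Date,Time,User-Name,Acct-Flags,NAS-IP-Address
03/04/2008,09:00:55,alice,start,192.0.2.10
03/04/2008,09:02:30,bob,start,192.0.2.11
03/04/2008,09:05:00,alice,stop,192.0.2.10
"""

def rows(text):
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        yield row

def sessions(acct_text):
    """Pair start/stop rows per (user, device); stop is None if still open."""
    open_, done = {}, []
    for r in sorted(rows(acct_text), key=lambda r: r["ts"]):
        key = (r["User-Name"], r["NAS-IP-Address"])
        if r["Acct-Flags"] == "start":
            open_[key] = r["ts"]
        elif r["Acct-Flags"] == "stop" and key in open_:
            done.append((key, open_.pop(key), r["ts"]))
    done += [(k, start, None) for k, start in open_.items()]
    return sorted(done, key=lambda s: s[1])

def correlate(admin_text, acct_text):
    """Return (per-session command lists, commands that match no session)."""
    sess = [{"user": k[0], "device": k[1], "start": a, "stop": b, "cmds": []}
            for k, a, b in sessions(acct_text)]
    orphans = []
    for r in sorted(rows(admin_text), key=lambda r: r["ts"]):
        for s in sess:
            if ((s["user"], s["device"]) == (r["User-Name"], r["NAS-IP-Address"])
                    and s["start"] <= r["ts"] and (s["stop"] is None or r["ts"] <= s["stop"])):
                s["cmds"].append(r["cmd"])
                break
        else:
            orphans.append((r["User-Name"], r["NAS-IP-Address"], r["cmd"]))
    return sess, orphans
```

Commands returned in the second list have no matching session record, which usually points to a gap in accounting configuration or log collection on that device.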

New Member

Re: command logging

I checked the application out, and it looks to do the same thing as my MARS box does.

Any suggestions on how I can get a command-by-command log, even if it's outside of ACS?

Hall of Fame Super Gold

Re: command logging

Rodney

If the switch is configured correctly then there should be entries in the ACS administrative logs showing the commands. I am not clear from your post whether this is working, but assume that it is not. This makes me assume that either your switch is not configured correctly or that your ACS is not doing the administrative logs correctly. Can you post the configuration of the switch?

HTH

Rick

New Member

Re: command logging

I have the problem resolved. It ended up being a combination of two things: I needed to have the TACACS+ Administration logging enabled in the correct way, and reported to my MARS box to send me the emails. Thank you all for your help.
