Is there a way to have a switch send a copy of the commands entered into it to a syslog server or to ACS? I want to have a log of what commands were entered on a switch and by whom. I have LMS 2.6 and ACS 3.3... any ideas?
With ACS 3.3 (it has some serious bugs, you might want to consider upgrading to 4.1.3 build 12 patch 2) and LMS 2.6 you've got a good set of things to work with. Just enable TACACS+ in your AAA configuration for authorization, authentication and accounting, and that information is automatically populated in the TACACS+ log file. Source, device, who, when... it's all there.
If you supply a model of switch we can give you a sample for your configuration.
I have ACS sending me an alert when a person logs in with their username, and I also have RME sending me an email when the config is changed. But where do I get the exact commands they entered? I'm looking for something like the show history output. I need an email kicked off, or a trap sent to my MARS.
Hmm, you're asking a bit much for ACS to do all of that; you'll need a third-party app to parse your logs. I can recommend AAA-Reports! with the automation module (free demo) to provide some of the functionality you listed. I use it for reporting on some 5,500 devices.
The log you're looking for is under Reports and Activity, TACACS+ Administration, which lists (when you enable the fields):
Date Time User-Name Group-Name cmd priv-lvl service NAS-Portname task_id NAS-IP-Address reason Caller-Id Acct-Flags Acct-Method Acct-Type Acct-Service
You can simply sort the output in Excel(tm) by the User-Name field to get a per-user listing of all the commands they entered.
The TACACS+ Accounting log only contains the start and stop messages for TACACS+ sessions... for a complete picture you need to correlate both logs: when a session started from the Accounting log, what commands were issued from the Administration log, and when the session concluded from the Accounting log.
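The correlation described above (session start/stop from the Accounting log, commands from the Administration log) and the per-user sort from the previous reply can be done with a short script instead of Excel. The following is an added example and not code from the thread or from ACS; the two CSV extracts are constructed samples whose Administration columns are the ones listed above, while the Accounting columns are an assumed subset of what ACS exports. The script pairs start/stop records into sessions keyed by (User-Name, NAS-IP-Address, NAS-Portname), attaches each logged command to the session whose time window contains it, and then groups commands per user.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an ACS "TACACS+ Administration" CSV export, using the
# column names given in the thread. All values are invented for illustration.
ADMIN_LOG = """Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,NAS-Portname,task_id,NAS-IP-Address,reason,Caller-Id,Acct-Flags,Acct-Method,Acct-Type,Acct-Service
01/15/2008,10:02:11,jdoe,NetAdmins,show running-config <cr>,15,shell,tty1,12,10.0.0.5,,192.0.2.10,,TacacsPlus,Command,Shell
01/15/2008,10:03:40,jdoe,NetAdmins,configure terminal <cr>,15,shell,tty1,13,10.0.0.5,,192.0.2.10,,TacacsPlus,Command,Shell
01/15/2008,10:03:55,jdoe,NetAdmins,interface GigabitEthernet0/1 <cr>,15,shell,tty1,14,10.0.0.5,,192.0.2.10,,TacacsPlus,Command,Shell
01/15/2008,10:20:02,asmith,Helpdesk,show version <cr>,1,shell,tty2,21,10.0.0.5,,192.0.2.11,,TacacsPlus,Command,Shell
"""

# Constructed sample of the "TACACS+ Accounting" CSV: only start/stop records,
# which is exactly why it cannot show the commands by itself. The column set
# is an assumed subset of the real export.
ACCT_LOG = """Date,Time,User-Name,Group-Name,NAS-IP-Address,NAS-Portname,Caller-Id,Acct-Flags,elapsed_time
01/15/2008,10:01:50,jdoe,NetAdmins,10.0.0.5,tty1,192.0.2.10,start,
01/15/2008,10:05:30,jdoe,NetAdmins,10.0.0.5,tty1,192.0.2.10,stop,220
01/15/2008,10:19:45,asmith,Helpdesk,10.0.0.5,tty2,192.0.2.11,start,
01/15/2008,10:21:00,asmith,Helpdesk,10.0.0.5,tty2,192.0.2.11,stop,75
"""


def _ts(row):
    """Combine the Date and Time columns into a datetime."""
    return datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")


def parse_log(text):
    """Read a CSV export (first line is the header) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _session_key(row):
    # A user may have several sessions on one device; the port tells them apart.
    return (row["User-Name"], row["NAS-IP-Address"], row["NAS-Portname"])


def build_sessions(acct_text):
    """Pair start/stop accounting records into session dicts."""
    open_sessions, sessions = {}, []
    for row in parse_log(acct_text):
        key, flag = _session_key(row), row["Acct-Flags"].lower()
        if flag == "start":
            open_sessions[key] = {"user": row["User-Name"], "group": row["Group-Name"],
                                  "nas": row["NAS-IP-Address"], "port": row["NAS-Portname"],
                                  "caller": row["Caller-Id"], "start": _ts(row),
                                  "stop": None, "commands": []}
        elif flag == "stop":
            # A stop without a start (e.g. the start was in a rotated log) still
            # yields a session so its commands are not silently dropped.
            s = open_sessions.pop(key, {"user": row["User-Name"], "group": row["Group-Name"],
                                        "nas": row["NAS-IP-Address"], "port": row["NAS-Portname"],
                                        "caller": row["Caller-Id"], "start": None,
                                        "stop": None, "commands": []})
            s["stop"] = _ts(row)
            sessions.append(s)
    sessions.extend(open_sessions.values())  # sessions still running (no stop yet)
    return sessions


def attach_commands(sessions, admin_text):
    """Assign each Administration-log command to the session it was issued in."""
    for row in parse_log(admin_text):
        when = _ts(row)
        for s in sessions:
            if (s["user"], s["nas"], s["port"]) != _session_key(row):
                continue
            if s["start"] is not None and when < s["start"]:
                continue
            if s["stop"] is not None and when > s["stop"]:
                continue
            s["commands"].append((when, row["priv-lvl"], row["cmd"]))
            break
    return sessions


def command_audit(admin_text=ADMIN_LOG, acct_text=ACCT_LOG):
    """Full picture: who logged in where, when, and what they typed."""
    sessions = attach_commands(build_sessions(acct_text), admin_text)
    sessions.sort(key=lambda s: s["start"] or s["stop"])
    return sessions


def per_user_commands(sessions):
    """The 'sort by User-Name' view: every command grouped by user."""
    out = defaultdict(list)
    for s in sessions:
        for _when, _lvl, cmd in s["commands"]:
            out[s["user"]].append(cmd)
    return dict(out)


if __name__ == "__main__":
    for s in command_audit():
        print(f"{s['user']} ({s['group']}) from {s['caller']} on {s['nas']} {s['port']}: "
              f"{s['start']} -> {s['stop']}")
        for when, lvl, cmd in s["commands"]:
            print(f"    {when.time()}  priv {lvl:>2}  {cmd}")
```

Real exports are larger and may contain the same user on several ports at once, which is why the port is part of the key; a command that matches no open session window is an audit finding in its own right (missing accounting records), so it is worth counting those separately rather than discarding them.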
If the switch is configured correctly then there should be entries in the ACS administrative logs showing the commands. I am not clear from your post whether this is working, but assume that it is not. This makes me assume that either your switch is not configured correctly or that your ACS is not doing the administrative logs correctly. Can you post the configuration of the switch?
I have the problem resolved. It ended up being a combination of two things: I needed to have the TACACS+ Administration logging enabled in the correct way, and reported to my MARS box to send me the emails. Thank you all for your help.