Cisco Support Community
New Member

Log configuration changes to syslog on Nexus 7000?

I need to be able to log any configuration changes to syslog on our Nexus switches. On IOS this is easy with the archive commands, but I'm a little stuck trying to do this on our Nexus gear. On the IOS gear I run the commands:

archive
 log config
  logging enable
  logging size 100
  hidekeys
  notify syslog

How do I do the equivalent on NX-OS?

Accepted Solutions
Cisco Employee

Cisco NX-OS can log configuration change events along with the individual changes when AAA command accounting is enabled.

With command accounting enabled, all CLI commands entered, including configuration commands, are logged to the configured AAA server. Using this information, a forensic trail for configuration change events along with the individual commands entered for those changes can be recorded and reviewed.

Because of this capability, it is strongly advised that AAA command accounting be enabled and configured.

Refer to the “TACACS+ Command Accounting” section of this document for more information.

The Nexus 7000, by default, keeps a local accounting log of all the configuration commands entered on the device; you can view this with the 'show accounting log' command.

In NX-OS, we changed the way logging works. We keep a local accounting log of all the configuration changes ("show accounting log"), but if you want to send those logs to a server, it must be done through a TACACS server. Please see the documentation below:

Configuring AAA on Nexus

TACACS command accounting

-Thanks

Vinod

15 REPLIES
New Member

Thanks! I knew about the accounting log, just didn't know about the rest.

Cisco Employee

Glad it helped!

-Thanks

Vinod
New Member

Is there a way to send it to the AAA server (tacacs in my case) *and* to syslog?  AAA server groups only send a message to the first server that responds; I need it sent to both processes.  Plus, it appears that I can only define RADIUS and TACACS accounting servers, and I need to be able to configure a SysLog accounting server.

New Member

I have the same question. We use AAA info in our syslog for troubleshooting, but for the Nexus platform we have not found a way to send it to syslog in the same way we do with the archive-command in IOS.

Cheers!

Dear
I have the same need.
I need to send the configuration change logs to a syslog server.
Does anyone know if it is possible and how to do it? (Could you pass me the reference documentation?)

Thanks!

Everton
New Member

Have you guys found a solution on how to forward these AAA accounting logs to syslog? We are also looking for a way to do that.

It works fine with the "archive" command for all our Catalyst switches but unfortunately not for our new Nexus devices. That's too bad.

With FreeRadius and AAA accounting enabled on the Nexus, the accounting info is saved, one folder per device, at:

/var/log/radius/radacct/<mgmt-ip>

The best way would be if that information could be sent to the normal syslog process that is running on the same server. Or if not possible we would need a way to forward that information into syslog.

Any ideas or possible solutions?

Any help is much appreciated :-)
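One way to get the FreeRADIUS accounting records described in the post above into the syslog daemon on the same server, as an added example that is not part of the original post: parse a detail file and emit one sanitised syslog line per record. The sample records, the `radacct` tag and the `/dev/log` socket are assumptions made for the example.

```python
import logging
import logging.handlers
import re

# Constructed sample of a FreeRADIUS "detail" file: an unindented timestamp
# line starts a record, followed by indented "Attribute = value" lines.
SAMPLE_DETAIL = """Tue Mar  5 10:15:02 2013
\tUser-Name = "admin"
\tAcct-Status-Type = Start

Tue Mar  5 10:19:40 2013
\tUser-Name = "ops\x1b[2J"
\tAcct-Status-Type = Stop
"""

ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_detail(text):
    """Return a list of (timestamp, [(attribute, value), ...]) records."""
    records = []
    for line in text.split("\n"):
        m = ATTR.match(line)
        if m and records:
            records[-1][1].append((m.group(1), m.group(2).strip('"')))
        elif line.strip() and not line[0].isspace():
            records.append((line.strip(), []))  # unindented line: new record
    return records


def to_syslog_line(device, record):
    """Render one record as a single line with control characters neutralised."""
    stamp, attrs = record
    body = " ".join(f'{k}="{CONTROL.sub("?", v)}"' for k, v in attrs)
    return f'radacct device={device} time="{CONTROL.sub("?", stamp)}" {body}'


def forward(path, device, address="/dev/log"):
    """Send every record of one detail file to the local syslog daemon."""
    log = logging.getLogger("radacct")
    log.setLevel(logging.INFO)
    handler = logging.handlers.SysLogHandler(address=address)
    log.addHandler(handler)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for record in parse_detail(fh.read()):
            log.info(to_syslog_line(device, record))
    log.removeHandler(handler)
    handler.close()
```

Call `forward(path, device)` for each file under the per-device directory; a long-running forwarder would also need to remember how far it has read so records are not sent twice.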

New Member

No updates yet, unfortunately.  I've had thoughts about using EEM to do something interesting.  If I post something to SysLog via EEM, something (VSH I think) gets logged in the accounting logs, so I can't do it based on an update to the accounting log because it would be an infinite loop.

I haven't spent more than one evening plugging away at this one though, so I don't have a definitive answer.  Would be awesome though!  ASA and IOS/IOSXE both do it, it's a shame NXOS doesn't.

Bronze

Same issue, no solution found yet.

New Member

Re: Log configuration changes to syslog on Nexus 7000?

Hi everyone, my solution is this:

switch(config)# logging logfile [name] 6
switch(config)# logging level aaa 6
switch(config)# logging server X.X.X.X 6

Works on Nexus 5K/7K.
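Once the AAA messages reach the syslog server they can be parsed to pick out configuration changes; this added example (not part of the original post) does that and marks changes that touch logging or AAA itself. The `%AAA-6-AAA_ACCOUNTING_MESSAGE` line layout is an assumption about what the switch sends, and the sample lines, hostname and addresses are constructed.

```python
import re

# Assumed layout of the syslog line sent once "logging level aaa 6" is set:
#   %AAA-6-AAA_ACCOUNTING_MESSAGE: <type>:<source>@<tty>:<user>:<cmd> ; <cmd> (<result>)
ACCT = re.compile(
    r"%AAA-6-AAA_ACCOUNTING_MESSAGE: (?P<type>\w+):(?P<src>[^@\s]+)@(?P<tty>[^:]+):"
    r"(?P<user>[^:]+):(?P<cmds>.*?)(?: \((?P<result>[A-Z]+)\))?$"
)
# Commands that alter the audit trail itself deserve a closer look.
AUDIT_PREFIXES = ("logging", "no logging", "aaa", "no aaa",
                  "clear accounting", "clear logging")

_P = "2019 Jan 10 09:14:02 n7k-1 %AAA-6-AAA_ACCOUNTING_MESSAGE: "
SAMPLE_LINES = [  # constructed sample input, not captured from a device
    _P + "update:192.0.2.50@pts/0:admin:configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS)",
    _P + "start:192.0.2.77@pts/1:oper:",
    "2019 Jan 10 09:14:05 n7k-1 %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/1 is down (Administratively down)",
    _P + "update:192.0.2.77@pts/1:oper:configure terminal ; no logging server 192.0.2.200 (SUCCESS)",
]


def parse_line(line):
    """Return the accounting fields of one syslog line, or None if it is not one."""
    m = ACCT.search(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["cmds"] = [c.strip() for c in event["cmds"].split(";") if c.strip()]
    return event


def config_changes(lines):
    """Keep events that enter configuration mode or touch logging/AAA settings."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["cmds"]:
            continue  # not an accounting line, or a session record without commands
        ev["audit_related"] = any(c.startswith(AUDIT_PREFIXES) for c in ev["cmds"])
        if ev["cmds"][0].startswith("configure") or ev["audit_related"]:
            found.append(ev)
    return found


if __name__ == "__main__":
    for ev in config_changes(SAMPLE_LINES):
        print(ev["user"], ev["src"], ev["cmds"], ev["result"], ev["audit_related"])
```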

New Member

Re: Log configuration changes to syslog on Nexus 7000?

Oh wow, that's the simplest way to configure command logging in Nexus switches!

Works for N9k (Nexus 9000) as well.

New Member

Re: Log configuration changes to syslog on Nexus 7000?

This also works when you want the ACL log to be written to a common logfile.
Example:
ip access-list EXAMPLE
   statistics per-entry
   10 permit tcp X.X.X.X/24 any log
   20 permit tcp X.X.X.X/32 any log
   30 deny ip any any log

If something matches, you can see it in the temporary information:
show log ip access-list cache
show log ip access-list status

If you want to send it to the logfile, do:

switch(config)# logging level acllog 6
switch(config)# acllog match-log-level 6
switch(config)# logging logfile [name] 6
switch(config)# logging server X.X.X.X 6

New Member

Re: Log configuration changes to syslog on Nexus 7000?

Thanks for the solution.

I've got only one question: is there a reason why you make use of an extra logfile?

Is that so only your level 6 messages go in there?

regards

New Member

Re: Log configuration changes to syslog on Nexus 7000?

I think if you know the exact name of your current logfile, and specify it, then the log will be written to the current file.
These were my production switches and I did not want to do many experiments. With "level 5" it did not work.

New Member

Re: Log configuration changes to syslog on Nexus 7000?

Thanks for your reply.

Next week I'm going to test with a 9K; I hope I will find some answers. ;-)

regards

Michel