AAA accounting and excluding a user.

gpoer · ‎09-10-2002

I need to exclude a monitoring software user name from the "aaa accounting commands" config. However, I have not found a way to do this. Does anyone know how I might be able to exclude users on the IOS end and not the server end?

thanks,

Geoff

ggersch · ‎09-14-2002

Why would you want to? Wouldn't it be better to see what commands the monitoring software is issuing? Also, this way you can be sure that no one has hijacked the user account and is using it for other purposes.

I understand that you probably don't want scads of identical entries in your logs. But, I think this is better than not knowing all the commands that are being issued to your routers.

Greg

gpoer · ‎09-15-2002

True.

However, their is a point where to many logs are just noise. We have over 400,000 logs from the account command level 15 configuration, only about 1000 are not from the monitoring software. Logs are a good thing. Drowning in them is not :). These logs are also duplicate. The monitoring software, scripts and other devices that make dynamic changes on the routers also keep their own logs of the changes they are making. As far as hijacked users, I don't want to turn off exec accounting, just command accounting for specific users. I will still see who has looged in but I will have to correlate logs to see what they did. Not really all that hard, but a step none the less.

Geoff

mbarros · ‎09-19-2002

Hi Geoff,

I'm sorry to get in in your post to ask for help.

I saw that you can audit all commands executed by one user in your configuration. I've tried to do this, but I can't get sucess. The only events I get are "start exec" and "stop exec". I want to see all commands.

May you tell me how is your configuration?

Tks,

Marcelo