Administrator Command Accounting Pix 515

nojpt
Level 1

Hi,

Is there a way to log firewall admin commands being issued at the firewall? Like for example, sending it to a TACACS+ server?

Thanks for the help.

1 Accepted Solution

Accepted Solutions

hemendoz
Cisco Employee

Hello noipt,

Command accounting can be configured ONLY in PIX v7.x. Also, it looks like only non-show commands will be sent.

Per the command reference:

To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.

aaa accounting command

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1428200

For version 6.x,

Authentication and Command Authorization for PIX 6.2

http://www.cisco.com/warp/public/110/pix_command.shtml#accounting

There is no actual command accounting available, but by having syslog activated on the PIX, you can see what actions were performed, as shown in this example:

307002: Permitted Telnet login session from 172.18.124.111

111006: Console Login from pixtest at console

611103: User logged out: Uname: pixtest

307002: Permitted Telnet login session from 172.18.124.111

111006: Console Login from pixtest at console

502103: User priv level changed: Uname: pixtest From: 1 To: 15

111008: User 'pixtest' executed the 'enable' command.

111007: Begin configuration: 172.18.124.111 reading from terminal

111008: User 'pixtest' executed the 'configure t' command.

111008: User 'pixtest' executed the 'write t' command.

Hope this helps! If so, please rate.

Thanks

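On PIX 6.x the syslog stream quoted above is the only record of what an administrator did, so the useful next step is turning those messages into a reviewable audit trail. The script below is an added example, not code from the original post or from Cisco: it parses the six message IDs quoted in the answer (307002, 111006, 611103, 502103, 111008, 111007) into structured events, attaches the most recent Telnet source address and privilege level to each executed command, and labels commands that escalate privilege, enter configuration mode or save the configuration. The message patterns follow the quoted lines; the command classification (for example treating only `write m...` as a save and `write t` as read-only) is this example's own assumption, and the embedded sample log is the answer's excerpt plus one constructed unrelated line to show that unknown messages are skipped.

```python
"""Build an administrator audit trail from PIX 6.x syslog messages.

Added example (not Cisco's code). Message IDs are Cisco's; the field names,
the classification rules and the helper names are this example's own.
"""
import re
from dataclasses import dataclass

# One regex per PIX syslog message ID quoted in the answer.
PATTERNS = {
    "307002": re.compile(r"^307002: Permitted Telnet login session from (?P<src>[\d.]+)$"),
    "111006": re.compile(r"^111006: Console Login from (?P<user>\S+) at (?P<where>\S+)$"),
    "611103": re.compile(r"^611103: User logged out: Uname: (?P<user>\S+)$"),
    "502103": re.compile(
        r"^502103: User priv level changed: Uname: (?P<user>\S+) From: (?P<old>\d+) To: (?P<new>\d+)$"
    ),
    "111008": re.compile(r"^111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command\.$"),
    "111007": re.compile(r"^111007: Begin configuration: (?P<src>[\d.]+) reading from terminal$"),
}

# Sample input: the answer's own syslog excerpt, plus one constructed line
# (the last one) that does not match any known pattern.
SAMPLE_LOG = """\
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
611103: User logged out: Uname: pixtest
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
502103: User priv level changed: Uname: pixtest From: 1 To: 15
111008: User 'pixtest' executed the 'enable' command.
111007: Begin configuration: 172.18.124.111 reading from terminal
111008: User 'pixtest' executed the 'configure t' command.
111008: User 'pixtest' executed the 'write t' command.
999999: constructed line that the parser should ignore
"""


@dataclass
class Event:
    msg_id: str
    fields: dict


def parse_line(line: str):
    """Return an Event for a recognised message, or None for anything else."""
    line = line.strip()
    for msg_id, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            return Event(msg_id, m.groupdict())
    return None


def parse_log(text: str):
    """Parse a whole syslog excerpt, dropping unrecognised lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(cmd: str) -> str:
    """Label a command by its effect on the device (assumed rules, not Cisco's)."""
    words = cmd.split()
    head = words[0]
    if head == "enable":
        return "privilege-escalation"
    if head in ("configure", "conf", "config"):
        return "enter-config-mode"
    # 'write memory' / 'wr mem' persist the config; 'write terminal' only displays it.
    if head in ("write", "wr") and len(words) > 1 and words[1].startswith("m"):
        return "save-config"
    return "other"


def audit_trail(events):
    """One record per executed command, carrying the context that the
    individual 111008 message lacks: source address and privilege level."""
    src = None          # last Telnet login source seen (307002)
    priv = {}           # user -> current privilege level (502103)
    records = []
    for e in events:
        f = e.fields
        if e.msg_id == "307002":
            src = f["src"]
        elif e.msg_id == "502103":
            priv[f["user"]] = int(f["new"])
        elif e.msg_id == "111008":
            records.append({
                "user": f["user"],
                "command": f["cmd"],
                "source": src,
                "priv": priv.get(f["user"], 1),
                "action": classify(f["cmd"]),
            })
    return records


if __name__ == "__main__":
    for rec in audit_trail(parse_log(SAMPLE_LOG)):
        print(rec)
```

Running it prints three records for `pixtest`, all attributed to 172.18.124.111 at privilege 15: `enable` as privilege-escalation, `configure t` as enter-config-mode and `write t` as other. Because the 111008 message carries no source address, correlating it with the preceding 307002 login is what makes the record attributable; on a device with several concurrent admin sessions that correlation becomes ambiguous, which is exactly the gap that TACACS+ command accounting on 7.x closes.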

2 Replies


Hi Hermondoz, Thank you for that speedy response. Helps me a lot!
