07-27-2006 07:38 PM - edited 02-21-2020 01:04 AM
Hi,
Is there a way to log firewall admin commands being issued at the firewall? Like for example, sending it to a TACACS+ server?
Thanks for the help.
07-27-2006 08:29 PM
Hello noipt,
Command accounting can be configured ONLY in PIX v7.x. Also, it looks like only non-show commands will be sent.
Per the command reference
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
aaa accounting command
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1428200
For version 6.x,
Authentication and Command Authorization for PIX 6.2
http://www.cisco.com/warp/public/110/pix_command.shtml#accounting
There is no actual command accounting available, but by having syslog activated on the PIX, you can see what actions were performed, as shown in this example:
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
611103: User logged out: Uname: pixtest
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
502103: User priv level changed: Uname: pixtest From: 1 To: 15
111008: User 'pixtest' executed the 'enable' command.
111007: Begin configuration: 172.18.124.111 reading from terminal
111008: User 'pixtest' executed the 'configure t' command.
111008: User 'pixtest' executed the 'write t' command.
Hope this helps! If so, please rate.
Thanks
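One way to turn the PIX 6.x syslog approach described in the answer above into a reviewable admin audit trail, as an added example that is not part of the original post: parse the message IDs shown in the excerpt (111006, 611103, 502103, 111008), group executed commands and privilege changes per user, and flag configuration-changing commands. The sample log is the excerpt from the answer, and the list of "config-changing" command prefixes is an assumption chosen for illustration.

```python
import re
from collections import defaultdict
# Constructed sample, copied from the PIX 6.x syslog excerpt in the answer above.
SAMPLE_LOG = """\
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
611103: User logged out: Uname: pixtest
307002: Permitted Telnet login session from 172.18.124.111
111006: Console Login from pixtest at console
502103: User priv level changed: Uname: pixtest From: 1 To: 15
111008: User 'pixtest' executed the 'enable' command.
111007: Begin configuration: 172.18.124.111 reading from terminal
111008: User 'pixtest' executed the 'configure t' command.
111008: User 'pixtest' executed the 'write t' command.
"""
# Message IDs and text shapes taken from the excerpt; other IDs are ignored.
PATTERNS = {
    "login":  re.compile(r"^111006: Console Login from (?P<user>\S+) at (?P<where>\S+)"),
    "logout": re.compile(r"^611103: User logged out: Uname: (?P<user>\S+)"),
    "priv":   re.compile(r"^502103: User priv level changed: Uname: (?P<user>\S+) From: (?P<frm>\d+) To: (?P<to>\d+)"),
    "cmd":    re.compile(r"^111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command\."),
}
# Assumption: commands with these prefixes are worth calling out as config changes.
CONFIG_CHANGE_PREFIXES = ("configure", "write", "copy", "reload", "clear")

def parse_line(line):
    """Return (kind, fields) for a recognised message, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None

def build_audit_trail(log_text):
    """Group commands and privilege changes per user; flag config-changing commands."""
    trail = defaultdict(lambda: {"commands": [], "priv_changes": [], "flagged": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, f = parsed
        entry = trail[f["user"]]
        if kind == "cmd":
            entry["commands"].append(f["cmd"])
            if f["cmd"].startswith(CONFIG_CHANGE_PREFIXES):
                entry["flagged"].append(f["cmd"])
        elif kind == "priv":
            entry["priv_changes"].append((int(f["frm"]), int(f["to"])))
    return dict(trail)
```

Because PIX syslog carries only the command names and not their arguments beyond what 111008 prints, the trail shows what was run and by whom but not the full configuration lines; TACACS+ command accounting on 7.x is the place to get per-command records sent off-box.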
07-27-2006 11:02 PM
Hi Hermondoz, Thank you for that speedy response. Helps me a lot!