09-23-2008 12:22 AM - edited 03-09-2019 09:32 PM
I wonder if there is a way to log all users' access to the router, indicating the user account and logging timestamp.
I have implemented logging of config commands via a Syslog server as follows:
device>enable
device#conf t
device(config)#logging X.X.X.X (IP Address of the Syslog Server)
device(config)#archive
device(config-archive)#log config
device(config-archive-log-config)# logging enable
device(config-archive-log-config)# logging size 200
device(config-archive-log-config)# notify syslog
However, this only logs commands entered in configuration mode. I need to monitor user access for audit purposes. I heard that this can be done using an AAA server but I'm not sure. Any help to offer?
Thanks,
09-24-2008 08:13 AM
Do you want to monitor logins AND all commands, even those outside configuration mode (i.e. show ip interface brief)?
09-24-2008 09:50 AM
That can be done easily with AAA accounting.
If you do not want to pay for Cisco ACS,
you can use Freeware TACACS, like this,
from my /var/log/tac_plus.log file:
Wed Sep 24 13:45:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=18 timezone=UTC service=shell start_time=1222278343 priv-lvl=15 cmd=configure terminal
Wed Sep 24 13:45:45 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=19 timezone=UTC service=shell start_time=1222278345 priv-lvl=15 cmd=interface Loopback 1
Wed Sep 24 13:45:46 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=20 timezone=UTC service=shell start_time=1222278346 priv-lvl=15 cmd=shutdown
Wed Sep 24 13:45:48 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=21 timezone=UTC service=shell start_time=1222278348 priv-lvl=15 cmd=no shutdown
Wed Sep 24 13:45:48 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=22 timezone=UTC service=shell start_time=1222278348 priv-lvl=0 cmd=end
Wed Sep 24 13:45:51 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=23 timezone=UTC service=shell start_time=1222278351 priv-lvl=15 cmd=write
Wed Sep 24 13:46:41 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=24 timezone=UTC service=shell start_time=1222278401 priv-lvl=0 cmd=disable
Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief
aaa new-model
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
line vty 0 15
 accounting exec default
 accounting command 0 default
 accounting command 1 default
 accounting command 15 default
Easy right?
09-25-2008 01:32 AM
Yeah, this is quite useful, but will it log the username used to log in to my router? Also, when I run tac_plus.exe, the log file is not generated. How can I display it using what you mentioned, "/var/log/tac_plus.log"?
Many thanks,
09-25-2008 03:18 AM
Let's look at a single line:
Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief
At 13:46:43 on Sept 24 2008, user "cciesec"
connected to vty 3 from host 192.168.15.9 to
Cisco router 10.1.1.1 and performed this
command "show ip interface brief".
I am not familiar with TACACS+ running on
Windows platforms. I run TACACS+ on Linux
and Solaris platforms.
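The field-by-field reading given in the answer above, turned into a parser for audit reporting; this is an added example, not part of the original thread or of tac_plus. It assumes the space-separated layout exactly as quoted above, with cmd= as the final attribute; the sample lines are constructed, and `parse_line` and `audit` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout quoted in the thread. Line 3 is a session
# (exec) record with no cmd attribute; line 4 is deliberately corrupt.
SAMPLE = """\
Wed Sep 24 13:45:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=18 timezone=UTC service=shell start_time=1222278343 priv-lvl=15 cmd=configure terminal
Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief
Wed Sep 24 13:50:02 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=17 timezone=UTC service=shell start_time=1222278340
Wed Sep 24 13:51 truncated line
"""

LINE_RE = re.compile(
    r"^(?P<logged>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<device>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<record>start|stop|update)(?:\s+(?P<attrs>.*))?$")

def parse_line(text):
    """Return one accounting record as a dict, or None if the line does not match."""
    m = LINE_RE.match(text.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # cmd= is the last attribute in the quoted lines and its value contains
    # spaces, so split it off before tokenising the other key=value pairs.
    head, *tail = re.split(r"(?:^|\s)cmd=", rec.pop("attrs") or "", maxsplit=1)
    attrs = dict(t.split("=", 1) for t in head.split() if "=" in t)
    rec["cmd"] = tail[0].strip() if tail else None  # None for a session record
    # Leading timestamp: written by the TACACS+ server, no zone in the line.
    rec["logged"] = datetime.strptime(" ".join(rec["logged"].split()), "%a %b %d %H:%M:%S %Y")
    # start_time is epoch seconds, so it converts to UTC unambiguously.
    start, priv = attrs.get("start_time", ""), attrs.get("priv-lvl", "")
    rec["start_utc"] = datetime.fromtimestamp(int(start), tz=timezone.utc) if start.isdigit() else None
    rec["priv"] = int(priv) if priv.isdigit() else None
    return rec

def audit(log_text):
    """Split a log into parsed records and rejected lines (kept for review)."""
    records, rejected = [], []
    for raw in filter(str.strip, log_text.splitlines()):
        rec = parse_line(raw)
        (records if rec else rejected).append(rec or raw)
    return records, rejected

if __name__ == "__main__":
    for r in audit(SAMPLE)[0]:
        print(r["start_utc"], r["device"], r["user"], r["source"], r["priv"], r["cmd"] or "<session>")
```

For the quoted lines the leading timestamp reads 13:46:43 while start_time converts to 17:46:43 UTC, so pick one of the two clocks before correlating these records with other logs.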