Router access log

eyad_alnaqi
Level 1

I wonder if there is a way to log all users' access to the router, indicating the user account and login timestamp.

I have implemented logging config commands via Syslog server as the following:

device>enable

device#conf t

device(config)#logging X.X.X.X (IP Address of the Syslog Server)

device(config)#archive

device(config-archive)#log config

device(config-archive-log-config)# logging enable

device(config-archive-log-config)# logging size 200

device(config-archive-log-config)# notify syslog

However, this only logs commands entered in configuration mode. I need to monitor user access for audit purposes. I heard that this can be done using an AAA server, but I'm not sure. Any help to offer?

Thanks,


Collin Clark
VIP Alumni

Do you want to monitor logins AND all commands, even those outside configuration mode (i.e. show ip interface brief)?

That can be done easily with AAA accounting.

If you do not want to pay for Cisco ACS, you can use Freeware TACACS, like this, from my /var/log/tac_plus.log file:

Wed Sep 24 13:45:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=18 timezone=UTC service=shell start_time=1222278343 priv-lvl=15 cmd=configure terminal

Wed Sep 24 13:45:45 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=19 timezone=UTC service=shell start_time=1222278345 priv-lvl=15 cmd=interface Loopback 1

Wed Sep 24 13:45:46 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=20 timezone=UTC service=shell start_time=1222278346 priv-lvl=15 cmd=shutdown

Wed Sep 24 13:45:48 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=21 timezone=UTC service=shell start_time=1222278348 priv-lvl=15 cmd=no shutdown

Wed Sep 24 13:45:48 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=22 timezone=UTC service=shell start_time=1222278348 priv-lvl=0 cmd=end

Wed Sep 24 13:45:51 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=23 timezone=UTC service=shell start_time=1222278351 priv-lvl=15 cmd=write

Wed Sep 24 13:46:41 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=24 timezone=UTC service=shell start_time=1222278401 priv-lvl=0 cmd=disable

Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief

aaa new-model

aaa accounting exec default stop-only group tacacs+

aaa accounting commands 0 default stop-only group tacacs+

aaa accounting commands 1 default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

line vty 0 15

accounting exec default

accounting command 0 default

accounting command 1 default

accounting command 15 default

Easy, right?

Yeah, this is quite useful, but will it log the username used to log in to my router? Also, when I run tac_plus.exe, the log file is not generated. How can I display it using what you mentioned, "/var/log/tac_plus.log"?

Many thanks,

Let's look at a single line:

Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief

At 13:46:43 on Sept 24 2008, user "cciesec" connected to vty 3 from host 192.168.15.9 to Cisco router 10.1.1.1 and performed this command: "show ip interface brief".

I am not familiar with TACACS+ running on Windows platforms. I run TACACS+ on Linux and Solaris platforms.
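As an added example (not part of the original thread and not code from any poster), the field layout explained above can be parsed into a per-user access summary for audit: who connected, from which host, to which router, when, and which commands they ran. The user `auditor1`, the session record without `cmd=`, and the rotation marker are constructed sample input, and the parser assumes `cmd=` is the last attribute on a line.

```python
import re
from datetime import datetime

# Header layout as quoted in the thread: timestamp, router, user, line, remote host, record type.
HEADER = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<nas>\S+)\s+(?P<user>\S+)"
    r"\s+(?P<port>\S+)\s+(?P<src>\S+)\s+(?P<type>\S+)\s+(?P<avs>.*)$")

# Lines 1-2 are quoted from the thread; lines 3-5 are constructed for this example.
SAMPLE = """\
Wed Sep 24 13:45:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=18 timezone=UTC service=shell start_time=1222278343 priv-lvl=15 cmd=configure terminal
Wed Sep 24 13:46:43 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=25 timezone=UTC service=shell start_time=1222278403 priv-lvl=1 cmd=show ip interface brief
Wed Sep 24 13:50:02 2008 10.1.1.1 cciesec tty3 192.168.15.9 stop task_id=26 timezone=UTC service=shell start_time=1222278300 elapsed_time=302
Wed Sep 24 14:02:10 2008 10.1.1.1 auditor1 tty4 192.168.15.20 stop task_id=27 timezone=UTC service=shell start_time=1222279330 priv-lvl=15 cmd=show logging | include priv-lvl=15
-- log rotated --
"""

def parse_line(line):
    """Return one accounting record as a dict, or None if the line does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    # Assumption: cmd= is the last attribute, so a command containing spaces or '=' stays whole.
    parts = re.split(r"(?:^|\s)cmd=", rec.pop("avs"), maxsplit=1)
    rec["cmd"] = parts[1].strip() if len(parts) == 2 else None  # session records have no cmd=
    rec["attrs"] = dict(p.split("=", 1) for p in parts[0].split() if "=" in p)
    return rec

def access_summary(lines):
    """Group records by (user, remote host, router); also count unparseable lines."""
    summary, skipped = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += bool(line.strip())
            continue
        key = (rec["user"], rec["src"], rec["nas"])
        s = summary.setdefault(key, {"first": rec["ts"], "last": rec["ts"], "max_priv": 0, "cmds": []})
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
        s["max_priv"] = max(s["max_priv"], int(rec["attrs"].get("priv-lvl", 0)))
        if rec["cmd"]:
            s["cmds"].append(rec["cmd"])
    return summary, skipped

if __name__ == "__main__":
    for key, s in access_summary(SAMPLE.splitlines())[0].items():
        print(key, s["first"], s["last"], s["max_priv"], s["cmds"])
```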
