logging executed commands on Cisco switch
Hi everybody,
I have a switch and a firewall. Firewall sends logs with the information who has logged in to it, when, from which IP and what commands executed to my syslog collector (Linux server). This is the configuration:

    logging enable
    logging timestamp
    logging trap notifications
    logging history informational   <-- what is the meaning of this line?
    logging asdm notifications      <-- what is the meaning of this line?
    logging host inside 192.168.14.120

I would like to configure the switch to do the same. Information about the port going up or down or a user logging in is being sent correctly. However, information about executed commands is not. This is the relevant switch configuration:

    service timestamps log datetime msec localtime show-timezone
    logging facility local5
    logging 192.168.14.120
    logging trap notifications
    login on-success log

Any idea what is missing in my switch configuration?

AL
Re: logging executed commands on Cisco switch
On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?

I believe that the only way to do this on a router is to use a TACACS server and configure command authentication. The TACACS server can be configured to log the commands for which authentication is requested.

Not sure though.

Interestingly router core dumps contain a list of recent commands that have been executed - but I don't even know if one can be forced.
Re: logging executed commands on Cisco switch
On 28 Nov, 17:02, bod43 <Bo...@hotmail.co.uk> wrote:
> On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
>
> > Hi everybody,
> >
> > I have a switch and a firewall. Firewall sends logs with the information
> > who has logged in to it, when, from which IP and what commands executed
> > to my syslog collector (linux server.) This is the configuration:
> > logging enable
> > logging timestamp
> > logging trap notifications
> > logging history informational <-- what is the meaning of this line?
> > logging asdm notifications <-- what is the meaning of this line?
> > logging host inside 192.168.14.120
> >
> > I would like to configure the switch to do the same. Information about
> > the port going up or down or a user logging in is being sent correctly.
> > However, information about executed commands is not. This is the
> > relevant switch configuration:
> > service timestamps log datetime msec localtime show-timezone
> > logging facility local5
> > logging 192.168.14.120
> > logging trap notifications
> > login on-success log
> >
> > Any idea what is missing in my switch configuration?
>
> I believe that the only way to do this on a router
> is to use a TACACS server and configure command authentication.
> The TACACS server can be configured to log the commands
> for which authentication is requested.
>
> Not sure though.
>
> Interestingly router core dumps contain a list of
> recent commands that have been executed -
> but I dont even know if one can be forced.

Seems I may have been wrong (again:). This does send it to the router's local log and it seems will be syslog(ged) too.

    event manager applet CLIaccounting
     event cli pattern ".*" sync no skip no
     action 1.0 syslog priority informational msg "$_cli_msg"
     set 2.0 _exit_status 1

    007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
    007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config

From - http://blog.ioshints.info/2006/11/cl...ut-tacacs.html

I don't understand it (at present) - but this is very handy.
Re: logging executed commands on Cisco switch
On 28 Nov, 17:25, bod43 <Bo...@hotmail.co.uk> wrote:
> On 28 Nov, 17:02, bod43 <Bo...@hotmail.co.uk> wrote:
>
> > On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
> >
> > > Hi everybody,
> > >
> > > I have a switch and a firewall. Firewall sends logs with the information
> > > who has logged in to it, when, from which IP and what commands executed
> > > to my syslog collector (linux server.) This is the configuration:
> > > logging enable
> > > logging timestamp
> > > logging trap notifications
> > > logging history informational <-- what is the meaning of this line?
> > > logging asdm notifications <-- what is the meaning of this line?
> > > logging host inside 192.168.14.120
> > >
> > > I would like to configure the switch to do the same. Information about
>
> event manager applet CLIaccounting

Forgot to mention that this may be quite a new feature and it may not be available on your platform or software. All I can say for sure is that it is present on 12.4(15)T7.

More here: Table 2. http://www.cisco.com/en/US/prod/coll...78-492444.html
Re: logging executed commands on Cisco switch
aleu@vp.pl wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?
>
> AL

For IOS devices you might use the following to generate syslog entries for logins:

    login block-for 120 attempts 4 within 120
    login on-failure log
    login on-success log

.... and the following to generate syslog entries for the executed commands:

    archive
     log config
      logging enable
      notify syslog
      hidekeys

.... if your platform and IOS version supports them.

Best Regards,
News Reader
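Once either approach above is in place, the collector on 192.168.14.120 receives two different message types: the EEM applet from bod43's post emits %HA_EM-6-LOG lines carrying the applet name and the typed command, while "archive / log config / notify syslog" from the post above emits %PARSER-5-CFGLOG_LOGGEDCMD lines carrying the user name and the configuration command. The following Python script is an added example, not code from this thread or from Cisco: it parses both formats out of collector-side syslog lines and flags commands a defender would want to review immediately (anything that turns logging or accounting off, or changes local credentials). The two EEM message bodies are taken from bod43's post; the collector prefix, the host name switch01, the CFGLOG sample lines and the watch-list are constructed for the example, and the CFGLOG message layout (User:<name>  logged command:<cmd>) is assumed from IOS behaviour, as the thread does not show one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# %HA_EM-6-LOG lines come from the EEM applet in bod43's post; the applet
# name (CLIaccounting) is followed by the exact command the user typed.
EEM_RE = re.compile(r"%HA_EM-6-LOG:\s*(?P<applet>[^:]+):\s*(?P<cmd>.*)$")

# %PARSER-5-CFGLOG_LOGGEDCMD lines come from "archive / log config / notify
# syslog"; the layout below is assumed from IOS behaviour, not shown in the thread.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:\s*(?P<cmd>.*)$"
)

# Constructed watch-list: commands that disable the very logging configured in
# the thread, or alter local credentials. Extend to suit your own baseline.
WATCH_PATTERNS = [
    re.compile(r"^no\s+logging\b"),
    re.compile(r"^no\s+archive\b"),
    re.compile(r"^no\s+event\s+manager\b"),
    re.compile(r"^no\s+login\s+on-(success|failure)\b"),
    re.compile(r"^(username|enable\s+(secret|password))\b"),
]


@dataclass
class CommandEvent:
    source: str           # "eem" or "cfglog"
    user: Optional[str]   # only the CFGLOG message names the user
    command: str
    flagged: bool


def is_watched(cmd: str) -> bool:
    """True when the command matches any watch-list pattern."""
    return any(p.search(cmd) for p in WATCH_PATTERNS)


def parse_line(line: str) -> Optional[CommandEvent]:
    """Return a CommandEvent for a command-logging message, else None."""
    m = CFGLOG_RE.search(line)
    if m:
        cmd = m.group("cmd").strip()
        return CommandEvent("cfglog", m.group("user"), cmd, is_watched(cmd))
    m = EEM_RE.search(line)
    if m:
        cmd = m.group("cmd").strip()
        return CommandEvent("eem", None, cmd, is_watched(cmd))
    return None   # link up/down, login messages etc. are not command events


def scan(lines) -> Tuple[List[CommandEvent], List[CommandEvent]]:
    """Split collector lines into (all command events, flagged command events)."""
    events = [e for e in (parse_line(ln) for ln in lines) if e is not None]
    return events, [e for e in events if e.flagged]


# Constructed sample as a Linux syslog daemon on 192.168.14.120 might store it:
# "<collector timestamp> <host> <seq>: <device message>". The two EEM message
# bodies repeat bod43's output; the other lines are made up for this example.
SAMPLE_LOG = """\
Nov 28 17:21:29 switch01 171: 007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
Nov 28 17:21:38 switch01 172: 007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config
Nov 28 17:23:02 switch01 173: 007150: Nov 28 17:23:02.310 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
Nov 28 17:24:15 switch01 174: 007151: Nov 28 17:24:15.902 GMT: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/3
Nov 28 17:24:40 switch01 175: 007152: Nov 28 17:24:40.118 GMT: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging 192.168.14.120
""".splitlines()


if __name__ == "__main__":
    all_events, flagged = scan(SAMPLE_LOG)
    for e in all_events:
        mark = "ALERT" if e.flagged else "     "
        print(f"{mark} {e.source:6} {e.user or '-':8} {e.command}")
    print(f"{len(all_events)} command events, {len(flagged)} flagged")
```

The two sources complement each other: the EEM pattern ".*" records every line typed, including show commands, but does not name the user, whereas the archive log config message names the user but only covers configuration-mode commands. Feeding both through the same parser gives the collector a single view to alert on.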
Re: logging executed commands on Cisco switch
aleu@vp.pl wrote:
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?

Thank you guys. I will try both approaches.

AL