Velocity Reviews > Newsgroups > Computing > Cisco

Log everything to syslog

 
 
bthetford, 09-26-2006
I'd like to log everything that happens on the vty lines to my syslog
server.
As it is right now, however, I'm only receiving notification when
someone leaves config.
I'd like to log all login attempts and all commands entered on the vty
lines.
How can I do this?

Here is my current sh log:

Syslog logging: enabled (1 messages dropped, 87 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: disabled
Monitor logging: level debugging, 3 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 15 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level debugging, 1897 message lines logged
Logging to 10.0.0.2(global) (udp port 514, audit disabled, link up), 14 message lines logged, xml disabled,
filtering disabled

Log Buffer (16384 bytes)

 
Bod43@hotmail.co.uk, 09-26-2006

bthetford wrote:
> I'd like to log everything that happens on the vty lines to my syslog
> server.
> As it is right now, however, I'm only receiving notification when
> someone leaves config.
> I'd like to log all login attempts and all commands entered on the vty
> lines.
> How can I do this?
>


I suspect that you can achieve what you want with TACACS.
IIRC I have seen this working many years ago but I
am not 100% sure.

Another approach is to use the syslog message that you
mention to trigger the saving of a config file copy off of
the router. This results in a config file version audit trail
which is nearly as good.
CiscoWorks provides the above (was/is Resource
Manager Essentials).

 
AM, 09-26-2006

(E-Mail Removed) wrote:
> bthetford wrote:
>
>>I'd like to log everything that happens on the vty lines to my syslog
>>server.
>>As it is right now, however, I'm only receiving notification when
>>someone leaves config.
>>I'd like to log all login attempts and all commands entered on the vty
>>lines.
>>How can I do this?
>>

>
>
> I suspect that you can achieve what you want with TACACS.
> IIRC I have seen this working many years ago but I
> am not 100% sure.
>
> Another approach is to use the syslog message that you
> mention to trigger the saving of a config file copy off of
> the router. This results in a config file version audit trail
> which is nearly as good.
> Cisco works provides the above (was/is Resource
> Manager Essentials)
>


Maybe you could increase the level of debugging and put an access list on the line vty section with a log at the end of the
ACL sentence.

access-list 100 permit ip any any log

then you will receive the message right from the VTY "daemon". That answers your wish to know who connects to the router.
How to log the commands, I don't know. I know the PIX does, but I'm not sure about the routers.

Alex.
 
Roman Nakhmanson, 09-26-2006

bthetford wrote:
> I'd like to log everything that happens on the vty lines to my syslog server.
> As it is right now, however, I'm only receiving notification when someone leaves config.
> I'd like to log all login attempts and all commands entered on the vty lines.
> How can I do this?


Short answer = it can be done with the use of Tacacs.

Long answer:
Tacacs allows you to grant a USER the right to log in only to certain devices.
Tacacs allows you to assign a privilege level to a USER - as a result the
USER is limited to running only certain commands.
Tacacs allows you to keep a FULL history of USER activity (when, from
where, on what device, what the USER did).
etc etc

There are 2 ways to achieve it:

1. fancy and expensive = buy the CiscoWorks packages (ACS has Tacacs with
accounting, RME/NMS has the rest) - check with your reseller

2. cheap and ugly = use open-source software.
Tacacs is free - you can download it from Cisco or somewhere else.
Get your hands dirty with shell scripting.

Either way - you need to have the following in the router/switch
config:

aaa new-model
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
.....
aaa accounting commands 7 default start-stop group tacacs+
.....
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host 1.1.1.1 key bla-bla

just my 2c
Roman Nakhmanson
P.S. for CatOS switches you need to adjust syntax a little
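As an added example (not code from this thread, from Cisco, or from any TACACS+ server project), here is a Python script that turns the two kinds of records discussed above into a vty audit trail: the %SEC-6-IPACCESSLOGP syslog messages that an access list with the log keyword produces (AM's suggestion, which shows the connecting address but not the user), and the exec and command accounting records that "aaa accounting exec/commands ... group tacacs+" makes the router send (Roman's suggestion). All sample lines are constructed. The tab-separated accounting layout is the one the open-source tac_plus daemon writes, and treating a shell stop record with no preceding start as the failure record produced by "aaa accounting send stop-record authentication failure" is an assumption; adjust the parsers to what your own server writes. Note also that ACL log messages are rate-limited on the router (the "messages rate-limited" counter in the original sh log output), so the packet counts are a summary, not one line per packet.

```python
import re
from collections import defaultdict

# Ports on which vty sessions arrive (telnet and ssh); used to filter ACL hits.
VTY_PORTS = (22, 23)

# Format of the IOS ACL log message for tcp/udp hits with the "log" keyword.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines, as a syslog server might store them.
SAMPLE_SYSLOG = [
    "Sep 26 10:12:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.5(51234) -> 10.0.0.1(23), 1 packet",
    "Sep 26 10:17:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.5(51234) -> 10.0.0.1(23), 57 packets",
    "Sep 26 10:20:44: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.9(40001) -> 10.0.0.1(22), 1 packet",
    "Sep 26 10:21:00: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.0.0.5)",
]

# Constructed sample TACACS+ accounting records (assumed tac_plus layout):
# time, NAS address, user, port, remote address, start/stop, then AV pairs.
SAMPLE_ACCT = [
    "Tue Sep 26 10:12:03 2006\t10.0.0.1\talice\ttty2\t10.0.0.5\tstart\ttask_id=41\tservice=shell",
    "Tue Sep 26 10:12:10 2006\t10.0.0.1\talice\ttty2\t10.0.0.5\tstop\ttask_id=42\tservice=shell\tpriv-lvl=1\tcmd=show version <cr>",
    "Tue Sep 26 10:12:30 2006\t10.0.0.1\talice\ttty2\t10.0.0.5\tstop\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Tue Sep 26 10:20:46 2006\t10.0.0.1\tbob\ttty3\t10.0.0.9\tstop\ttask_id=44\tservice=shell",
]


def parse_acl_log(line):
    """Return the fields of an IPACCESSLOGP syslog line, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_tacacs_accounting(line):
    """Parse one tab-separated accounting record into a dict (AV pairs become keys)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    rec = {"time": fields[0], "nas": fields[1], "user": fields[2],
           "port": fields[3], "rem_addr": fields[4], "flag": fields[5]}
    for av in fields[6:]:
        key, _, value = av.partition("=")
        rec[key] = value
    return rec


def vty_audit(syslog_lines, acct_lines):
    """Combine ACL-log hits and accounting records into a per-address and per-user trail."""
    connections = defaultdict(int)   # source address -> packets permitted to vty ports
    commands = defaultdict(list)     # user -> [(privilege level, command), ...]
    logins, failed_logins = [], []   # (user, remote address, device)
    open_sessions = set()            # (device, port, user) with an exec start seen

    for line in syslog_lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "permitted" and rec["dport"] in VTY_PORTS:
            connections[rec["src"]] += rec["count"]

    for line in acct_lines:
        rec = parse_tacacs_accounting(line)
        if rec is None or rec.get("service") != "shell":
            continue
        key = (rec["nas"], rec["port"], rec["user"])
        who = (rec["user"], rec["rem_addr"], rec["nas"])
        if "cmd" in rec:
            # Command accounting: IOS appends "<cr>" to the command text.
            cmd = rec["cmd"].replace("<cr>", "").strip()
            commands[rec["user"]].append((int(rec.get("priv-lvl", "0")), cmd))
        elif rec["flag"] == "start":
            open_sessions.add(key)
            logins.append(who)
        elif rec["flag"] == "stop":
            if key in open_sessions:
                open_sessions.discard(key)
            else:
                # Assumption: a stop with no prior start is the record sent by
                # "aaa accounting send stop-record authentication failure".
                failed_logins.append(who)

    return {"connections": dict(connections), "logins": logins,
            "failed_logins": failed_logins, "commands": dict(commands)}


def privileged_commands(audit, min_priv=15):
    """List (user, command) pairs run at or above the given privilege level."""
    return [(user, cmd) for user, cmds in audit["commands"].items()
            for priv, cmd in cmds if priv >= min_priv]


if __name__ == "__main__":
    audit = vty_audit(SAMPLE_SYSLOG, SAMPLE_ACCT)
    for section, value in audit.items():
        print(section, value)
    print("privileged:", privileged_commands(audit))
```

The two sources complement each other: the ACL log tells you which addresses reached the vty ports even when authentication never completed, while the accounting records tell you which authenticated user ran which command at which privilege level, which is what the original question asks for.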

 
bthetford, 09-26-2006
Thanks.
I'll give it a shot.

 