Velocity Reviews - Computer Hardware Reviews

logging executed commands on Cisco switch

 
 
aleu@vp.pl
 
      11-28-2008
Hi everybody,

I have a switch and a firewall. The firewall sends logs with the information
about who has logged in to it, when, from which IP and what commands were executed
to my syslog collector (a Linux server). This is the configuration:
logging enable
logging timestamp
logging trap notifications
logging history informational <-- what is the meaning of this line?
logging asdm notifications <-- what is the meaning of this line?
logging host inside 192.168.14.120

I would like to configure the switch to do the same. Information about
the port going up or down or a user logging in is being sent correctly.
However, information about executed commands is not. This is the
relevant switch configuration:
service timestamps log datetime msec localtime show-timezone
logging facility local5
logging 192.168.14.120
logging trap notifications
login on-success log

Any idea what is missing in my switch configuration?

AL
 
bod43
 
      11-28-2008
On 28 Nov, 03:08, "(E-Mail Removed)" <(E-Mail Removed)> wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?


I believe that the only way to do this on a router
is to use a TACACS server and configure command authentication.
The TACACS server can be configured to log the commands
for which authentication is requested.

Not sure though.

Interestingly router core dumps contain a list of
recent commands that have been executed -
but I don't even know if one can be forced.

 
bod43
 
      11-28-2008
On 28 Nov, 17:02, bod43 <(E-Mail Removed)> wrote:
> On 28 Nov, 03:08, "(E-Mail Removed)" <(E-Mail Removed)> wrote:
> > Hi everybody,
> >
> > I have a switch and a firewall. Firewall sends logs with the information
> > who has logged in to it, when, from which IP and what commands executed
> > to my syslog collector (linux server.) This is the configuration:
> > logging enable
> > logging timestamp
> > logging trap notifications
> > logging history informational <-- what is the meaning of this line?
> > logging asdm notifications <-- what is the meaning of this line?
> > logging host inside 192.168.14.120
> >
> > I would like to configure the switch to do the same. Information about
> > the port going up or down or a user logging in is being sent correctly.
> > However, information about executed commands is not. This is the
> > relevant switch configuration:
> > service timestamps log datetime msec localtime show-timezone
> > logging facility local5
> > logging 192.168.14.120
> > logging trap notifications
> > login on-success log
> >
> > Any idea what is missing in my switch configuration?
>
> I believe that the only way to do this on a router
> is to use a TACACS server and configure command authentication.
> The TACACS server can be configured to log the commands
> for which authentication is requested.
>
> Not sure though.
>
> Interestingly router core dumps contain a list of
> recent commands that have been executed -
> but I don't even know if one can be forced.


Seems I may have been wrong (again).
This does send it to the router's local log
and it seems it will be syslogged too.

event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config

From -
http://blog.ioshints.info/2006/11/cl...ut-tacacs.html

I don't understand it (at present) - but this is very handy.

 
bod43
 
      11-28-2008
On 28 Nov, 17:25, bod43 <(E-Mail Removed)> wrote:
> On 28 Nov, 17:02, bod43 <(E-Mail Removed)> wrote:
> > On 28 Nov, 03:08, "(E-Mail Removed)" <(E-Mail Removed)> wrote:
> > > Hi everybody,
> > >
> > > I have a switch and a firewall. Firewall sends logs with the information
> > > who has logged in to it, when, from which IP and what commands executed
> > > to my syslog collector (linux server.) This is the configuration:
> > > logging enable
> > > logging timestamp
> > > logging trap notifications
> > > logging history informational <-- what is the meaning of this line?
> > > logging asdm notifications <-- what is the meaning of this line?
> > > logging host inside 192.168.14.120
> > >
> > > I would like to configure the switch to do the same. Information about
>
> event manager applet CLIaccounting


Forgot to mention that this may be quite a new feature
and it may not be available on your platform or software.

All I can say for sure is that it is present on 12.4(15)T7.

More here:-
Table 2.
http://www.cisco.com/en/US/prod/coll...78-492444.html
 
News Reader
 
      11-28-2008
(E-Mail Removed) wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?
>
> AL


For IOS devices you might use the following to generate syslog entries
for logins:

login block-for 120 attempts 4 within 120
login on-failure log
login on-success log

... and the following to generate syslog entries for the executed commands:

archive
log config
logging enable
notify syslog
hidekeys

... if your platform and IOS version support them.

Best Regards,
News Reader
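Added example, not part of this thread and not code from any poster: once the switch delivers command events to the Linux syslog collector, either through bod43's EEM applet (`%HA_EM-6-LOG` lines in the format he pasted) or through News Reader's `archive log config` / `notify syslog`, something on the collector has to read them. The script below parses both message types out of sample syslog text and flags configuration commands that weaken the audit trail. The `%PARSER-5-CFGLOG_LOGGEDCMD` message format for archive log config, the hostname `sw1`, the watch-list and the sample lines are my assumptions, constructed for the example.

```python
import re

# Constructed sample of what a Linux syslog collector might store after
# receiving the switch's messages. The %HA_EM-6-LOG lines use the format
# bod43 pasted in the thread; the %PARSER-5-CFGLOG_LOGGEDCMD lines are the
# assumed format of "archive log config" with "notify syslog" (assumption,
# not from the thread). Hostname and commands are made up; "*****" stands
# in for a secret hidden by "hidekeys".
SAMPLE_LOG = """\
Nov 28 17:21:29 sw1 007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
Nov 28 17:21:38 sw1 007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config
Nov 28 17:22:01 sw1 007150: Nov 28 17:22:01.120 GMT: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging 192.168.14.120
Nov 28 17:22:05 sw1 007151: Nov 28 17:22:05.331 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Nov 28 17:22:40 sw1 007152: Nov 28 17:22:40.002 GMT: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username newadmin privilege 15 secret *****
"""

HOST_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")
EEM_RE = re.compile(r"%HA_EM-6-LOG: (?P<applet>\S+): (?P<cmd>.*)$")
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed watch-list: configuration commands that switch off the very
# logging discussed in the thread, or add credentials. Defenders would want
# an alert on these rather than just a line in the archive.
SENSITIVE = tuple(re.compile(p) for p in (
    r"^no logging\b",
    r"^no archive\b",
    r"^no event manager\b",
    r"^no aaa\b",
    r"^username\b",
))


def parse_line(line):
    """Return a dict for a command-execution event, or None for any other
    syslog message (link up/down, login notices, ...)."""
    host_match = HOST_RE.match(line)
    host = host_match.group("host") if host_match else None
    m = EEM_RE.search(line)
    if m:
        # The EEM applet logs every CLI line, exec and config mode alike,
        # but carries no username; correlate with the login logs separately.
        return {"host": host, "source": "eem", "user": None,
                "command": m.group("cmd").strip()}
    m = CFGLOG_RE.search(line)
    if m:
        # archive log config only sees configuration-mode commands, but it
        # records which user entered them.
        return {"host": host, "source": "cfglog", "user": m.group("user"),
                "command": m.group("cmd").strip()}
    return None


def is_sensitive(command):
    """True if the command matches the watch-list."""
    return any(p.search(command) for p in SENSITIVE)


def audit(text):
    """Parse a block of syslog text; return (all command events, flagged events)."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    alerts = [e for e in events if is_sensitive(e["command"])]
    return events, alerts


if __name__ == "__main__":
    events, alerts = audit(SAMPLE_LOG)
    for e in events:
        flag = "ALERT" if is_sensitive(e["command"]) else "     "
        print(f"{flag} {e['host']} {e['source']:6} {e['user'] or '-':8} {e['command']}")
    print(f"{len(events)} command events, {len(alerts)} flagged")
```

Run it on a file captured from the collector instead of `SAMPLE_LOG` to see the two sources side by side: the applet catches `show` commands too, as bod43's own output shows, while archive log config covers only configuration changes but attributes them to a user and, with `hidekeys`, keeps secrets out of the syslog stream. TACACS+ command accounting, as in bod43's first reply, is the third way to get the same record.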
 
aleu@vp.pl
 
      11-29-2008
(E-Mail Removed) wrote:
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?


Thank you guys. I will try both approaches.
AL
 