«

Hi everybody,

I have a switch and a firewall. Firewall sends logs with the information
who has logged in to it, when, from which IP and what commands executed
to my syslog collector (linux server.) This is the configuration:
logging enable
logging timestamp
logging trap notifications
logging history informational <-- what is the meaning of this line?
logging asdm notifications <-- what is the meaning of this line?
logging host inside 192.168.14.120

I would like to configure the switch to do the same. Information about
the port going up or down or a user logging in is being sent correctly.
However, information about executed commands is not. This is the
relevant switch configuration:
service timestamps log datetime msec localtime show-timezone
logging facility local5
logging 192.168.14.120
logging trap notifications
login on-success log

Any idea what is missing in my switch configuration?

AL

On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?

I believe that the only way to do this on a router
is to use a TACACS server and configure command authentication.
The TACACS server can be configured to log the commands
for which authentication is requested.

Not sure though.

Interestingly router core dumps contain a list of
recent commands that have been executed -
but I dont even know if one can be forced.

On 28 Nov, 17:02, bod43 <Bo...@hotmail.co.uk> wrote:
> On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
>
>
>
>
>
> > Hi everybody,
>
> > I have a switch and a firewall. Firewall sends logs with the information
> > who has logged in to it, when, from which IP and what commands executed
> > to my syslog collector (linux server.) This is the configuration:
> > logging enable
> > logging timestamp
> > logging trap notifications
> > logging history informational <-- what is the meaning of this line?
> > logging asdm notifications <-- what is the meaning of this line?
> > logging host inside 192.168.14.120
>
> > I would like to configure the switch to do the same. Information about
> > the port going up or down or a user logging in is being sent correctly.
> > However, information about executed commands is not. This is the
> > relevant switch configuration:
> > service timestamps log datetime msec localtime show-timezone
> > logging facility local5
> > logging 192.168.14.120
> > logging trap notifications
> > login on-success log
>
> > Any idea what is missing in my switch configuration?
>
> I believe that the only way to do this on a router
> is to use a TACACS server and configure command authentication.
> The TACACS server can be configured to log the commands
> for which authentication is requested.
>
> Not sure though.
>
> Interestingly router core dumps contain a list of
> recent commands that have been executed -
> but I dont even know if one can be forced.- Hide quoted text -

Seems I may have been wrong (again.
This does send it to the routers local log
and it seems will be syslog(ged) too.

event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
set 2.0 _exit_status 1

007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show
logging
007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show
running-config

From -
http://blog.ioshints.info/2006/11/cl...ut-tacacs.html

I don't understand it (at present) - but this is very handy.

On 28 Nov, 17:25, bod43 <Bo...@hotmail.co.uk> wrote:
> On 28 Nov, 17:02, bod43 <Bo...@hotmail.co.uk> wrote:
>
>
>
>
>
> > On 28 Nov, 03:08, "a...@vp.pl" <a...@vp.pl> wrote:
>
> > > Hi everybody,
>
> > > I have a switch and a firewall. Firewall sends logs with the information
> > > who has logged in to it, when, from which IP and what commands executed
> > > to my syslog collector (linux server.) This is the configuration:
> > > logging enable
> > > logging timestamp
> > > logging trap notifications
> > > logging history informational <-- what is the meaning of this line?
> > > logging asdm notifications <-- what is the meaning of this line?
> > > logging host inside 192.168.14.120
>
> > > I would like to configure the switch to do the same. Information about
>

> event manager applet CLIaccounting

Forgot to mention that this may be quite a new feature
and it may not be available on your platform or software.

All I can say for sure is that it is present on 12.4(15)T7.

More here:-
Table 2.
http://www.cisco.com/en/US/prod/coll...78-492444.html

wrote:
> Hi everybody,
>
> I have a switch and a firewall. Firewall sends logs with the information
> who has logged in to it, when, from which IP and what commands executed
> to my syslog collector (linux server.) This is the configuration:
> logging enable
> logging timestamp
> logging trap notifications
> logging history informational <-- what is the meaning of this line?
> logging asdm notifications <-- what is the meaning of this line?
> logging host inside 192.168.14.120
>
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?
>
> AL

For IOS devices you might use the following to generate syslog entries
for logins:

login block-for 120 attempts 4 within 120
login on-failure log
login on-success log

.... and the following to generate syslog entries for the executed commands:

archive
log config
logging enable
notify syslog
hidekeys

.... if your platform and IOS version supports them.

Best Regards,
News Reader

wrote:
> I would like to configure the switch to do the same. Information about
> the port going up or down or a user logging in is being sent correctly.
> However, information about executed commands is not. This is the
> relevant switch configuration:
> service timestamps log datetime msec localtime show-timezone
> logging facility local5
> logging 192.168.14.120
> logging trap notifications
> login on-success log
>
> Any idea what is missing in my switch configuration?

Thank you guys. I will try both approaches.
AL