Log everything to syslog

Discussion in 'Cisco' started by bthetford, Sep 26, 2006.

  1. bthetford

    bthetford Guest

    I'd like to log everything that happens on the vty lines to my syslog
    server.
    As it is right now, however, I'm only receiving notification when
    someone leaves config.
    I'd like to log all login attempts and all commands entered on the vty
    lines.
    How can I do this?

    Here is my current sh log:

    Syslog logging: enabled (1 messages dropped, 87 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level debugging, 3 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 15 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

    No active filter modules.

    Trap logging: level debugging, 1897 message lines logged
    Logging to 10.0.0.2(global) (udp port 514, audit disabled, link up), 14 message lines logged, xml disabled, filtering disabled

    Log Buffer (16384 bytes)
    bthetford, Sep 26, 2006
    #1

  2. bthetford

    Guest

    bthetford wrote:
    > I'd like to log everything that happens on the vty lines to my syslog
    > server.
    > As it is right now, however, I'm only receiving notification when
    > someone leaves config.
    > I'd like to log all login attempts and all commands entered on the vty
    > lines.
    > How can I do this?
    >


    I suspect that you can achieve what you want with TACACS.
    IIRC I have seen this working many years ago but I
    am not 100% sure.

    Another approach is to use the syslog message that you
    mention to trigger the saving of a config file copy off of
    the router. This results in a config file version audit trail
    which is nearly as good.
    CiscoWorks provides the above (was/is Resource Manager Essentials).
    , Sep 26, 2006
    #2

  3. AM

    AM Guest

    wrote:
    > bthetford wrote:
    >
    >>I'd like to log everything that happens on the vty lines to my syslog
    >>server.
    >>As it is right now, however, I'm only receiving notification when
    >>someone leaves config.
    >>I'd like to log all login attempts and all commands entered on the vty
    >>lines.
    >>How can I do this?
    >>

    >
    >
    > I suspect that you can achieve what you want with TACACS.
    > IIRC I have seen this working many years ago but I
    > am not 100% sure.
    >
    > Another approach is to use the syslog message that you
    > mention to trigger the saving of a config file copy off of
    > the router. This results in a config file version audit trail
    > which is nearly as good.
    > Cisco works provides the above (was/is Resource
    > Manager Essentials)
    >


    Maybe you could increase the level of debugging and put an access list on the line vty section with a log at the end of
    the ACL sentence.

    ! an extended ACL number is required; 100 is only an example value
    access-list 100 permit ip any any log

    then you will receive the message right from the VTY "daemon". That answers your wish to know who connects to the router.
    How to log the commands, I don't know. I know the PIX does, but I'm not sure about the routers.

    Alex.
    AM, Sep 26, 2006
    #3
  4. Roman Nakhmanson

    bthetford wrote:
    > I'd like to log everything that happens on the vty lines to my syslog server.
    > As it is right now, however, I'm only receiving notification when someone leaves config.
    > I'd like to log all login attempts and all commands entered on the vty lines.
    > How can I do this?


    Short answer = it can be done with the use of Tacacs

    Long answer
    Tacacs allows you to give a USER the right to log in only to certain devices
    Tacacs allows you to assign a privilege level to a USER - as a result
    the USER is limited to running only certain commands
    Tacacs allows you to have a FULL history of USER activity (when, from
    where, what device, what the USER did)
    etc etc

    There are 2 ways to achieve it:

    1. fancy and expensive = buy CiscoWorks packages (ACS has tacacs with
    accounting, RME/NMS has the rest) - check with your reseller

    2. cheap and ugly = use opensource software
    Tacacs is free - you can download it from cisco or somewhere else
    Get your hands dirty with shell scripting

    Either way - you need to have the following in the router/switch
    config:

    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    .....
    aaa accounting commands 7 default start-stop group tacacs+
    .....
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default stop-only group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    tacacs-server host 1.1.1.1 key bla-bla

    just my 2c
    Roman Nakhmanson
    P.S. for CatOS switches you need to adjust syntax a little
    Roman Nakhmanson, Sep 26, 2006
    #4
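    An added example (not from the thread) of the IOS-native way to get login attempts and configuration commands into syslog without a TACACS+ server, which addresses the original question and the command-logging gap left open in reply #3. It assumes an IOS release of 12.3(4)T or later (Login Enhancements and Configuration Change Logging); the 10.0.0.2 syslog host is taken from the first post and everything else is constructed.

```cisco
! Added example, not configuration from the thread. Assumes IOS 12.3(4)T+.
! Timestamp every syslog line so the audit trail can be correlated.
service timestamps log datetime msec localtime show-timezone
!
! The first post traps at level debugging, which floods the collector and
! was already rate-limiting messages; informational (6) is enough, since
! login and config-change messages are severity 4 and 5.
logging buffered 16384 informational
logging trap informational
logging host 10.0.0.2
!
! Log every successful and failed login with user name and source address
! (messages %SEC_LOGIN-5-LOGIN_SUCCESS and %SEC_LOGIN-4-LOGIN_FAILED).
login on-success log
login on-failure log
!
! Log each configuration-mode command to syslog as it is entered
! (%PARSER-5-CFGLOG_LOGGEDCMD: User:<name> logged command:<cmd>).
! hidekeys keeps passwords and shared secrets out of the log.
archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
!
! Exec-level commands (show ..., copy ..., debug ...) are not covered by the
! above; those still need the TACACS+ command accounting from reply #4.
```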
  5. bthetford

    bthetford Guest

    Thanks.
    I'll give it a shot.
    bthetford, Sep 26, 2006
    #5