logging executed commands on Cisco switch

Discussion in 'Cisco' started by aleu@vp.pl, Nov 28, 2008.

  1. Guest

    Hi everybody,

    I have a switch and a firewall. Firewall sends logs with the information
    who has logged in to it, when, from which IP and what commands executed
    to my syslog collector (linux server.) This is the configuration:
    logging enable
    logging timestamp
    logging trap notifications
    logging history informational <-- what is the meaning of this line?
    logging asdm notifications <-- what is the meaning of this line?
    logging host inside 192.168.14.120

    I would like to configure the switch to do the same. Information about
    the port going up or down or a user logging in is being sent correctly.
    However, information about executed commands is not. This is the
    relevant switch configuration:
    service timestamps log datetime msec localtime show-timezone
    logging facility local5
    logging 192.168.14.120
    logging trap notifications
    login on-success log

    Any idea what is missing in my switch configuration?

    AL
     
    , Nov 28, 2008
    #1

  2. bod43 Guest

    On 28 Nov, 03:08, "" <> wrote:
    > Hi everybody,
    >
    > I have a switch and a firewall. Firewall sends logs with the information
    > who has logged in to it, when, from which IP and what commands executed
    > to my syslog collector (linux server.) This is the configuration:
    > logging enable
    > logging timestamp
    > logging trap notifications
    > logging history informational <-- what is the meaning of this line?
    > logging asdm notifications <-- what is the meaning of this line?
    > logging host inside 192.168.14.120
    >
    > I would like to configure the switch to do the same. Information about
    > the port going up or down or a user logging in is being sent correctly.
    > However, information about executed commands is not. This is the
    > relevant switch configuration:
    > service timestamps log datetime msec localtime show-timezone
    > logging facility local5
    > logging 192.168.14.120
    > logging trap notifications
    > login on-success log
    >
    > Any idea what is missing in my switch configuration?


    I believe that the only way to do this on a router
    is to use a TACACS server and configure command authentication.
    The TACACS server can be configured to log the commands
    for which authentication is requested.

    Not sure though.

    Interestingly router core dumps contain a list of
    recent commands that have been executed -
    but I don't even know if one can be forced.
     
    bod43, Nov 28, 2008
    #2

  3. bod43 Guest

    On 28 Nov, 17:02, bod43 <> wrote:
    > On 28 Nov, 03:08, "" <> wrote:
    >
    > > Hi everybody,
    > >
    > > I have a switch and a firewall. Firewall sends logs with the information
    > > who has logged in to it, when, from which IP and what commands executed
    > > to my syslog collector (linux server.) This is the configuration:
    > > logging enable
    > > logging timestamp
    > > logging trap notifications
    > > logging history informational <-- what is the meaning of this line?
    > > logging asdm notifications <-- what is the meaning of this line?
    > > logging host inside 192.168.14.120
    > >
    > > I would like to configure the switch to do the same. Information about
    > > the port going up or down or a user logging in is being sent correctly.
    > > However, information about executed commands is not. This is the
    > > relevant switch configuration:
    > > service timestamps log datetime msec localtime show-timezone
    > > logging facility local5
    > > logging 192.168.14.120
    > > logging trap notifications
    > > login on-success log
    > >
    > > Any idea what is missing in my switch configuration?
    >
    > I believe that the only way to do this on a router
    > is to use a TACACS server and configure command authentication.
    > The TACACS server can be configured to log the commands
    > for which authentication is requested.
    >
    > Not sure though.
    >
    > Interestingly router core dumps contain a list of
    > recent commands that have been executed -
    > but I don't even know if one can be forced.


    Seems I may have been wrong (again:).
    This does send it to the routers local log
    and it seems will be syslog(ged) too.

    event manager applet CLIaccounting
     event cli pattern ".*" sync no skip no
     action 1.0 syslog priority informational msg "$_cli_msg"
     set 2.0 _exit_status 1

    007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
    007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config

    From -
    http://blog.ioshints.info/2006/11/cli-command-logging-without-tacacs.html

    I don't understand it (at present) - but this is very handy.
     
    bod43, Nov 28, 2008
    #3
  4. bod43 Guest

    On 28 Nov, 17:25, bod43 <> wrote:
    > On 28 Nov, 17:02, bod43 <> wrote:
    > > On 28 Nov, 03:08, "" <> wrote:
    > >
    > > > Hi everybody,
    > > >
    > > > I have a switch and a firewall. Firewall sends logs with the information
    > > > who has logged in to it, when, from which IP and what commands executed
    > > > to my syslog collector (linux server.) This is the configuration:
    > > > logging enable
    > > > logging timestamp
    > > > logging trap notifications
    > > > logging history informational <-- what is the meaning of this line?
    > > > logging asdm notifications <-- what is the meaning of this line?
    > > > logging host inside 192.168.14.120
    > > >
    > > > I would like to configure the switch to do the same. Information about
    >
    > event manager applet CLIaccounting


    Forgot to mention that this may be quite a new feature
    and it may not be available on your platform or software.

    All I can say for sure is that it is present on 12.4(15)T7.

    More here:-
    Table 2.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/datasheet_c78-492444.html
     
    bod43, Nov 28, 2008
    #4
  5. News Reader Guest

    wrote:
    > Hi everybody,
    >
    > I have a switch and a firewall. Firewall sends logs with the information
    > who has logged in to it, when, from which IP and what commands executed
    > to my syslog collector (linux server.) This is the configuration:
    > logging enable
    > logging timestamp
    > logging trap notifications
    > logging history informational <-- what is the meaning of this line?
    > logging asdm notifications <-- what is the meaning of this line?
    > logging host inside 192.168.14.120
    >
    > I would like to configure the switch to do the same. Information about
    > the port going up or down or a user logging in is being sent correctly.
    > However, information about executed commands is not. This is the
    > relevant switch configuration:
    > service timestamps log datetime msec localtime show-timezone
    > logging facility local5
    > logging 192.168.14.120
    > logging trap notifications
    > login on-success log
    >
    > Any idea what is missing in my switch configuration?
    >
    > AL


    For IOS devices you might use the following to generate syslog entries
    for logins:

    login block-for 120 attempts 4 within 120
    login on-failure log
    login on-success log

    .... and the following to generate syslog entries for the executed commands:

    archive
     log config
      logging enable
      notify syslog
      hidekeys

    .... if your platform and IOS version supports them.

    Best Regards,
    News Reader
     
    News Reader, Nov 28, 2008
    #5
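    Both the EEM applet from post #3 and the "archive / log config / notify syslog" setup from post #5 end up as ordinary IOS syslog lines on the Linux collector, so the useful next step is pulling the executed command back out of them. The parser below is an added example, not code from this thread or from Cisco: it handles both message types and flags commands that would switch off the audit trail itself. The body format of %PARSER-5-CFGLOG_LOGGEDCMD is assumed from general IOS experience, and every sample line except the two shown in post #3 is constructed.

```python
import re
from collections import namedtuple

# Generic IOS syslog shape: "[seq: ]timestamp: %FACILITY-SEV-MNEMONIC: text".
# The timestamp form matches "service timestamps log datetime msec localtime show-timezone".
IOS_LINE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?(?:\s+[A-Za-z]+)?):\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
# Body written by the EEM applet from post #3: "<applet name>: <command typed>".
EEM_TEXT = re.compile(r"^(?P<applet>\S+):\s+(?P<cmd>.+)$")
# Body of the "archive / log config / notify syslog" message from post #5.
# Assumption: %PARSER-5-CFGLOG_LOGGEDCMD reads "User:<name>  logged command:<cmd>".
CFGLOG_TEXT = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")
# Commands that switch off the audit trail itself (constructed watchlist, extend as needed).
AUDIT_TAMPER_PREFIXES = ("no logging", "no archive", "no event manager", "no login on-")

# user is None for EEM lines: the applet does not record who typed the command.
CliEvent = namedtuple("CliEvent", "seq timestamp source user command")


def parse_cli_event(line: str) -> "CliEvent | None":
    """Return a CliEvent for a command-logging line, None for any other syslog line."""
    m = IOS_LINE.match(line.strip())
    if not m:
        return None
    seq = int(m["seq"]) if m["seq"] else None
    fac, mnem, text = m["facility"], m["mnemonic"], m["text"]
    if fac == "HA_EM" and mnem == "LOG":                  # EEM applet (post #3)
        t = EEM_TEXT.match(text)
        if t:
            return CliEvent(seq, m["ts"], "eem", None, t["cmd"])
    elif fac == "PARSER" and mnem == "CFGLOG_LOGGEDCMD":  # archive log config (post #5)
        t = CFGLOG_TEXT.match(text)
        if t:
            return CliEvent(seq, m["ts"], "cfglog", t["user"], t["cmd"])
    return None


def tampers_with_audit(ev: CliEvent) -> bool:
    """True when the logged command would weaken the very logging this thread sets up."""
    return ev.command.strip().startswith(AUDIT_TAMPER_PREFIXES)


# Constructed sample: the two lines shown in post #3, one cfglog line, one non-command line.
SAMPLE_LOG = """\
007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config
007150: Nov 28 17:22:01.118 GMT: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging 192.168.14.120
007151: Nov 28 17:22:05.901 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
""".splitlines()
```

Note that the EEM route gives you the command but not the user; if attribution matters, pair it with the login logging from post #5 or with the cfglog messages, which carry the username.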
  6. Guest

    wrote:
    > I would like to configure the switch to do the same. Information about
    > the port going up or down or a user logging in is being sent correctly.
    > However, information about executed commands is not. This is the
    > relevant switch configuration:
    > service timestamps log datetime msec localtime show-timezone
    > logging facility local5
    > logging 192.168.14.120
    > logging trap notifications
    > login on-success log
    >
    > Any idea what is missing in my switch configuration?


    Thank you guys. I will try both approaches.
    AL
     
    , Nov 29, 2008
    #6