logging executed commands on Cisco switch

Discussion in 'Cisco' started by aleu, Nov 28, 2008.

  1. aleu

    aleu Guest

    Hi everybody,

    I have a switch and a firewall. The firewall sends logs with the information
    about who has logged in to it, when, from which IP and what commands were executed
    to my syslog collector (Linux server). This is the configuration:
    logging enable
    logging timestamp
    logging trap notifications
    logging history informational <-- what is the meaning of this line?
    logging asdm notifications <-- what is the meaning of this line?
    logging host inside 192.168.14.120

    I would like to configure the switch to do the same. Information about
    the port going up or down or a user logging in is being sent correctly.
    However, information about executed commands is not. This is the
    relevant switch configuration:
    service timestamps log datetime msec localtime show-timezone
    logging facility local5
    logging 192.168.14.120
    logging trap notifications
    login on-success log

    Any idea what is missing in my switch configuration?

    AL
     
    aleu, Nov 28, 2008
    #1

  2. bod43

    bod43 Guest

    I believe that the only way to do this on a router
    is to use a TACACS server and configure command authentication.
    The TACACS server can be configured to log the commands
    for which authentication is requested.

    Not sure though.

    Interestingly, router core dumps contain a list of
    recent commands that have been executed -
    but I don't even know if one can be forced.
     
    bod43, Nov 28, 2008
    #2

  3. bod43

    bod43 Guest

    Seems I may have been wrong (again :).
    This does send it to the router's local log,
    and it seems it will be syslog(ged) too.

    event manager applet CLIaccounting
    event cli pattern ".*" sync no skip no
    action 1.0 syslog priority informational msg "$_cli_msg"
    set 2.0 _exit_status 1

    007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging
    007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config

    From -
    http://blog.ioshints.info/2006/11/cli-command-logging-without-tacacs.html

    I don't understand it (at present) - but this is very handy.
     
    bod43, Nov 28, 2008
    #3
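The EEM applet above turns every CLI command into a %HA_EM-6-LOG syslog entry, so the collector needs to parse that format to make use of it. The following is an added example (not from the thread or the linked blog post): a Python parser for those entries, which also rejoins wrapped lines like the two in the post and flags commands that would tamper with the logging trail itself. The sample log text and the tamper patterns are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Format of the EEM syslog lines shown in the thread:
#   <seq>: <Mon> <d> <hh:mm:ss.mmm> <TZ>: %HA_EM-6-LOG: <applet>: <command>
EEM_LOG_RE = re.compile(
    r"^(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\S+):\s+"
    r"%HA_EM-6-LOG:\s+(?P<applet>[^:]+):\s+(?P<cmd>.*)$"
)

@dataclass
class CliEvent:
    seq: int
    timestamp: str
    applet: str
    command: str

def parse_eem_cli_log(text: str) -> List[CliEvent]:
    """Parse EEM CLI-accounting syslog lines into CliEvent records.

    A line that does not start with a sequence number is treated as the
    continuation of the previous command (mail/paste clients wrap long
    lines, as happened with 'show logging' in the thread)."""
    events: List[CliEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EEM_LOG_RE.match(line)
        if m:
            events.append(CliEvent(int(m["seq"]), m["ts"], m["applet"], m["cmd"].strip()))
        elif events:
            events[-1].command = f"{events[-1].command} {line}"
    return events

# Constructed watchlist: commands that disable, clear or redirect the very
# logging this applet depends on. A defender wants an alert on these.
TAMPER_PATTERNS = (
    re.compile(r"^no\s+logging\b"),
    re.compile(r"^no\s+event\s+manager\b"),
    re.compile(r"^clear\s+logging\b"),
)

def tamper_alerts(events: List[CliEvent]) -> List[CliEvent]:
    """Return the events whose command matches a tamper pattern."""
    return [e for e in events if any(p.match(e.command) for p in TAMPER_PATTERNS)]

# Constructed sample: the two wrapped lines from the post plus one added entry.
SAMPLE_LOG = """\
007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show
logging
007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-config
007150: Nov 28 17:22:01.102 GMT: %HA_EM-6-LOG: CLIaccounting: no logging 192.168.14.120
"""
```

Feeding SAMPLE_LOG to parse_eem_cli_log yields three events, and tamper_alerts picks out only the last one.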
  4. bod43

    bod43 Guest

    bod43, Nov 28, 2008
    #4
  5. News Reader

    News Reader Guest

    For IOS devices you might use the following to generate syslog entries
    for logins:

    login block-for 120 attempts 4 within 120
    login on-failure log
    login on-success log

    .... and the following to generate syslog entries for the executed commands:

    archive
    log config
    logging enable
    notify syslog
    hidekeys

    .... if your platform and IOS version supports them.

    Best Regards,
    News Reader
     
    News Reader, Nov 28, 2008
    #5
  6. aleu

    aleu Guest

    Thank you guys. I will try both approaches.
    AL
     
    aleu, Nov 29, 2008
    #6