logging executed commands on Cisco switch

Discussion in 'Cisco' started by aleu, Nov 28, 2008.

  1. aleu

    aleu Guest

    Hi everybody,

    I have a switch and a firewall. Firewall sends logs with the information
    who has logged in to it, when, from which IP and what commands executed
    to my syslog collector (linux server.) This is the configuration:
    logging enable
    logging timestamp
    logging trap notifications
    logging history informational <-- what is the meaning of this line?
    logging asdm notifications <-- what is the meaning of this line?
    logging host inside

    I would like to configure the switch to do the same. Information about
    the port going up or down or a user logging in is being sent correctly.
    However, information about executed commands is not. This is the
    relevant switch configuration:
    service timestamps log datetime msec localtime show-timezone
    logging facility local5
    logging trap notifications
    login on-success log

    Any idea what is missing in my switch configuration?

    aleu, Nov 28, 2008
    1. Advertisements

  2. aleu

    bod43 Guest

    I believe that the only way to do this on a router
    is to use a TACACS server and configure command authentication.
    The TACACS server can be configured to log the commands
    for which authentication is requested.

    Not sure though.

    Interestingly router core dumps contain a list of
    recent commands that have been executed -
    but I dont even know if one can be forced.
    bod43, Nov 28, 2008
    1. Advertisements

  3. aleu

    bod43 Guest

    Seems I may have been wrong (again:).
    This does send it to the routers local log
    and it seems will be syslog(ged) too.

    event manager applet CLIaccounting
    event cli pattern ".*" sync no skip no
    action 1.0 syslog priority informational msg "$_cli_msg"
    set 2.0 _exit_status 1

    007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show
    007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show

    From -

    I don't understand it (at present) - but this is very handy.
    bod43, Nov 28, 2008
  4. aleu

    bod43 Guest

    bod43, Nov 28, 2008
  5. aleu

    News Reader Guest

    For IOS devices you might use the following to generate syslog entries
    for logins:

    login block-for 120 attempts 4 within 120
    login on-failure log
    login on-success log

    .... and the following to generate syslog entries for the executed commands:

    log config
    logging enable
    notify syslog

    .... if your platform and IOS version supports them.

    Best Regards,
    News Reader
    News Reader, Nov 28, 2008
  6. aleu

    aleu Guest

    Thank you guys. I will try both approaches.
    aleu, Nov 29, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.