I'm having some trouble finding a guide or document on how to enable auditing on routers.
I've read the Cisco IOS System Messages Guide vol 1 & 2, for version 12.4 (which is the one I'm running on my router).
I turned on logging on my router correctly and I'm sending everything to a syslog server. The logging trap level is set to debug, so I'm also getting every lower level.
The router is sending messages, for example, for facility codes SYS, LINEPROTO, LINK, SSH, PARSER, SNMP and SEC.
As soon as I turned on logging I started to get SYS, LINK and LINEPROTO messages, but to get the SEC messages I had to turn on logging on each ACL by adding the keyword "log" or "log-input". Something similar happens with PARSER messages (which is logging every command run by any user). I had to configure this by running these commands:

    archive
     log config
      logging enable
      logging size 200
      notify syslog
I've seen somewhere that if I use AAA accounting I can get messages even if I don't have a TACACS+ server. Is that correct? Does anyone know how I can log AAA events to the syslog?
In the "System Messages Guide" I find a lot of facility codes that I don't get on my syslog server.
Does anyone know if there is any Cisco guide that explains how to audit everything on a router? And I don't mean "how to enable logging", because I've done that and I know there is a guide for that. I want to know how to get all messages that are in the "System Messages Guide" on my syslog.
I've also read the "Cisco IOS Security Configuration Guide" and I haven't found a clear explanation to enable "full system logging".
Thanks in advance!
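
An added example, not part of the original post: a small Python inventory of which IOS facility codes actually reach the syslog server, compared against the seven the post lists, which also pulls the user and command out of the PARSER config-audit records. It assumes the `%FACILITY-SEVERITY-MNEMONIC: text` layout of IOS system messages; the sample lines are constructed, not captured from a router.

```python
import re
from collections import Counter

# IOS message body: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)?)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# Config-change audit record produced by "archive / log config / notify syslog"
LOGGED_CMD = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)")

# Facilities the post says the router is already sending
EXPECTED = {"SYS", "LINEPROTO", "LINK", "SSH", "PARSER", "SNMP", "SEC"}

def parse_line(line):
    """Return facility/severity/mnemonic/text for one syslog line, or None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec

def inventory(lines, expected=EXPECTED):
    """Count messages per facility, list expected facilities never seen,
    and collect (user, command) pairs from PARSER command-audit records."""
    seen, commands, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # e.g. "last message repeated" lines from the server
            continue
        seen[rec["facility"]] += 1
        if rec["facility"] == "PARSER" and rec["mnemonic"] == "CFGLOG_LOGGEDCMD":
            cmd = LOGGED_CMD.search(rec["text"])
            if cmd:
                commands.append((cmd["user"], cmd["command"].strip()))
    return seen, sorted(expected - set(seen)), commands, unparsed

# Constructed sample lines (not captured from a real router)
SAMPLE = [
    "<189>41: *Mar  1 00:10:12.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>42: *Mar  1 00:10:15.004: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "<189>43: *Mar  1 00:10:16.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "<190>44: *Mar  1 00:11:02.518: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4021) -> 192.0.2.1(23), 1 packet",
    "<189>45: *Mar  1 00:12:40.250: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no access-list 101",
    "<190>46: *Mar  1 00:13:00.000: last message repeated 2 times",
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

Run over a day of collected logs, the "missing" list shows which expected facilities never arrived, which separates events that have not occurred from sources that still need to be enabled.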