Log everything to syslog

I'd like to log everything that happens on the vty lines to my syslog server. As it is right now, however, I'm only receiving notification when someone leaves config. I'd like to log all login attempts and all commands entered on the vty lines. How can I do this?

Here is my current sh log:

    Syslog logging: enabled (1 messages dropped, 87 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
        Console logging: disabled
        Monitor logging: level debugging, 3 messages logged, xml disabled, filtering disabled
        Buffer logging: level debugging, 15 messages logged, xml disabled, filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled

    No active filter modules.

        Trap logging: level debugging, 1897 message lines logged
            Logging to 10.0.0.2(global) (udp port 514, audit disabled, link up), 14 message lines logged, xml disabled, filtering disabled

    Log Buffer (16384 bytes)

Reply to
bthetford

I suspect that you can achieve what you want with TACACS. IIRC I have seen this working many years ago but I am not 100% sure.

Another approach is to use the syslog message that you mention to trigger the saving of a config file copy off the router. This results in a config file version audit trail, which is nearly as good. CiscoWorks provides the above (was/is Resource Manager Essentials).

Reply to
Bod43

Maybe you could increase the level of debugging and put an access list on the line vty section, with a log keyword at the end of the ACL statement:

    access-list <acl-number> permit ip any any log

Then you will receive the message right from the VTY "daemon". That answers your wish to know who connects to the router. How to log the commands, I don't know. I know the PIX does, but I'm not sure about the routers.

Alex.

Reply to
AM

Short answer = it can be done with the use of Tacacs

Long answer:
Tacacs allows you to give a USER the right to log in only to certain devices.
Tacacs allows you to assign a privilege level to a USER - as a result the USER is limited to running only certain commands.
Tacacs allows you to have a FULL history of USER activity (when, from where, what device, what the USER did) etc etc.

There are 2 ways to achieve it:

  1. fancy and expensive = buy CiscoWorks packages (ACS has tacacs with accounting, RME/NMS has the rest) - check with your reseller

  2. cheap and ugly = use opensource software. Tacacs is free - you can download it from cisco or somewhere else. Get your hands dirty with shell scripting.

Either way - you need to have the following in the router/switch config:

    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    ....
    aaa accounting commands 7 default start-stop group tacacs+
    ....
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default stop-only group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    tacacs-server host 1.1.1.1 key bla-bla

just my 2c
Roman Nakhmanson

P.S. for CatOS switches you need to adjust the syntax a little

Reply to
Roman Nakhmanson
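To show what the accounting configuration above buys a defender, here is an added example (not from the thread or any poster) that rebuilds a per-user command history and exec-session list from TACACS+ accounting records. The record layout and the sample lines are constructed assumptions modelled on the tac_plus daemon's tab-separated accounting file, not output from the poster's setup.

```python
from collections import defaultdict

# Constructed sample records (assumed layout: tab-separated timestamp, NAS
# address, user, port, remote address, record type, then attr=value pairs).
# Exec sessions arrive as start/stop pairs sharing a task_id; each command
# arrives as its own 'stop' record carrying cmd= and priv-lvl=.
SAMPLE_RECORDS = """\
Jan 10 09:00:01 2024\t10.0.0.1\tbob\ttty2\t10.0.0.5\tstart\ttask_id=11\tservice=shell
Jan 10 09:00:09 2024\t10.0.0.1\tbob\ttty2\t10.0.0.5\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>
Jan 10 09:00:20 2024\t10.0.0.1\tbob\ttty2\t10.0.0.5\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>
Jan 10 09:01:00 2024\t10.0.0.1\tbob\ttty2\t10.0.0.5\tstop\ttask_id=11\tservice=shell\telapsed_time=59
Jan 10 09:02:00 2024\t10.0.0.1\talice\ttty3\t10.0.0.9\tstart\ttask_id=21\tservice=shell
"""


def parse_record(line):
    """Split one accounting line into its fixed fields and an AV-pair dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"malformed accounting record: {line!r}")
    ts, nas, user, port, rem_addr, rtype = fields[:6]
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"ts": ts, "nas": nas, "user": user, "port": port,
            "rem_addr": rem_addr, "type": rtype, "attrs": attrs}


def build_audit_trail(text):
    """Return {'commands': user -> [(priv-lvl, cmd)], 'sessions': [...]}."""
    commands = defaultdict(list)
    open_sessions = {}          # (nas, task_id) -> start record
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec, a = parse_record(line), None
        a = rec["attrs"]
        key = (rec["nas"], a.get("task_id"))
        if "cmd" in a:          # command accounting record
            cmd = a["cmd"].replace("<cr>", "").strip()
            commands[rec["user"]].append((a.get("priv-lvl", "?"), cmd))
        elif rec["type"] == "start":
            open_sessions[key] = rec
        elif rec["type"] == "stop":   # close the matching exec session
            start = open_sessions.pop(key, None)
            sessions.append({"user": rec["user"], "from": rec["rem_addr"],
                             "start": start["ts"] if start else None,
                             "stop": rec["ts"], "elapsed": a.get("elapsed_time")})
    for rec in open_sessions.values():   # sessions still open at end of file
        sessions.append({"user": rec["user"], "from": rec["rem_addr"],
                         "start": rec["ts"], "stop": None, "elapsed": None})
    return {"commands": dict(commands), "sessions": sessions}
```

Feeding the daemon's real accounting file to `build_audit_trail` gives the "who ran what, from where, when" trail the original question asks for; an open session with no stop record is worth a look on its own.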

Thanks. I'll give it a shot.

Reply to
bthetford
