Hi everybody,
I have a switch and a firewall. Firewall sends logs with the information who has logged in to it, when, from which IP and what commands executed to my syslog collector (linux server.) This is the configuration: logging enable logging timestamp logging trap notifications logging history informational
I believe that the only way to do this on a router is to use a TACACS server and configure command authentication. The TACACS server can be configured to log the commands for which authentication is requested.
Not sure though.
Interestingly router core dumps contain a list of recent commands that have been executed - but I dont even know if one can be forced.
Seems I may have been wrong (again:). This does send it to the routers local log and it seems will be syslog(ged) too.
event manager applet CLIaccounting event cli pattern ".*" sync no skip no action 1.0 syslog priority informational msg "$_cli_msg" set 2.0 _exit_status 1
007148: Nov 28 17:21:29.055 GMT: %HA_EM-6-LOG: CLIaccounting: show logging 007149: Nov 28 17:21:38.744 GMT: %HA_EM-6-LOG: CLIaccounting: show running-configFrom -
Forgot to mention that this may be quite a new feature and it may not be available on your platform or software.
All I can say for sure is that it is present on 12.4(15)T7.
More here:- Table 2.
For IOS devices you might use the following to generate syslog entries for logins:
login block-for 120 attempts 4 within 120 login on-failure log login on-success log
... and the following to generate syslog entries for the executed commands:
archive log config logging enable notify syslog hidekeys
... if your platform and IOS version supports them.
Best Regards, News Reader
Thank you guys. I will try both approaches. AL
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.