07-02-2007 12:56 PM
Is there a way to have a switch send a copy of the commands entered into it to a syslog server or to ACS? I want to have a log of what commands were entered into a switch and by whom. I have LMS 2.6 and ACS 3.3.... Any ideas?
07-02-2007 01:07 PM
With ACS 3.3 (got some serious bugs, you might want to consider upgrading to 4.1.3 build 12 patch 2) and LMS 2.6 you've got a good set of things to work with. Just enable TACACS+ in your AAA configuration for authorization, authentication and accounting and that information is automatically populated in the TACACS+ log file. Source, device, whom, when .. it's all there.
If you supply a model of switch we can give you a sample for your configuration.
07-02-2007 01:42 PM
I have ACS sending me when a person logs in with their username, and I also have RME sending me an email when the config is changed. But where do I get the exact commands they entered? I'm looking for something like the show history output. I need an email kicked off, a trap sent to my MARS.
07-03-2007 04:46 AM
Hmm, you're asking a bit much for ACS to do all of that; you'll need a third-party app to parse your logs. I can recommend AAA-Reports! with the automation module (free demo) to provide some of the functionality you listed. I use it for reporting on some 5,500 devices.
The log you're looking for is under Reports and Activity, TACACS+ Administration, which lists (when you enable the fields):
Date Time User-Name Group-Name cmd priv-lvl service NAS-Portname task_id NAS-IP-Address reason Caller-Id Acct-Flags Acct-Method Acct-Type Acct-Service
You can simply sort the output in Excel (tm) by the user name field to get a per-user listing of all the commands they entered.
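The per-user sort described in the post above, as an added example that is not part of the original thread: Python that groups a TACACS+ Administration export by user and orders each user's commands by time. It assumes the report is exported as CSV with a header row using the field names listed above and `MM/DD/YYYY` / `HH:MM:SS` timestamps; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Field names as listed in the post; assumed to be the CSV header row.
FIELDS = ("Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,NAS-Portname,"
          "task_id,NAS-IP-Address,reason,Caller-Id,Acct-Flags,Acct-Method,"
          "Acct-Type,Acct-Service")
REQUIRED = {"Date", "Time", "User-Name", "cmd", "NAS-IP-Address"}

# Constructed sample rows (not real log data); the last row has an empty cmd.
SAMPLE = FIELDS + """
07/03/2007,09:14:40,alice,NetAdmins,interface GigabitEthernet0/1,15,shell,tty1,42,192.0.2.10,,198.51.100.7,stop,,,
07/03/2007,09:14:02,alice,NetAdmins,configure terminal,15,shell,tty1,41,192.0.2.10,,198.51.100.7,stop,,,
07/03/2007,09:20:11,bob,Operators,show running-config,15,shell,tty2,43,192.0.2.11,,198.51.100.9,stop,,,
07/03/2007,09:21:00,bob,Operators,,15,shell,tty2,44,192.0.2.11,,198.51.100.9,stop,,,
"""


def commands_by_user(fileobj):
    """Return {user: [(timestamp, device_ip, command), ...]} in time order."""
    reader = csv.DictReader(fileobj)
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    per_user = defaultdict(list)
    for row in reader:
        cmd = (row["cmd"] or "").strip()
        if not cmd:  # rows without a command are not command records
            continue
        when = datetime.strptime(f"{row['Date']} {row['Time']}",
                                 "%m/%d/%Y %H:%M:%S")
        per_user[row["User-Name"].strip()].append(
            (when, row["NAS-IP-Address"], cmd))
    for entries in per_user.values():
        entries.sort()  # the export is not assumed to be in time order
    return dict(per_user)


if __name__ == "__main__":
    for user, entries in sorted(commands_by_user(io.StringIO(SAMPLE)).items()):
        for when, device, cmd in entries:
            print(f"{user:8} {when:%Y-%m-%d %H:%M:%S} {device:12} {cmd}")
```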
07-03-2007 04:52 AM
Thanks for the recommendation, I'll take a look at that app. I think I have a problem with my TACACS+ accounting. I'm told that's where the command-by-command logs are kept.
07-05-2007 02:37 AM
The TACACS+ accounting log only contains the start and stop messages for TACACS+ sessions... for a complete picture you need to correlate both logs for a picture of when a session started from the accounting log, what commands were issued from the administration log, and when the session concluded from the accounting log.
07-03-2007 07:37 AM
I checked the application out, and it looks to do the same thing as my MARS box does.
Any suggestions on how I can get a command-by-command log, even if it's outside of ACS?
07-05-2007 12:30 PM
Rodney
If the switch is configured correctly then there should be entries in the ACS administrative logs showing the commands. I am not clear from your post whether this is working, but assume that it is not. This makes me assume that either your switch is not configured correctly or that your ACS is not doing the administrative logs correctly. Can you post the configuration of the switch?
HTH
Rick
07-05-2007 12:42 PM
I have the problem resolved. It ended up being a combination of two things: I needed to have the TACACS+ Administration logging enabled in the correct way, and reported to my MARS box to send me the emails. Thank you all for your help.