02-03-2021 09:36 AM
Hello
We are setting up a new SIEM and one of the requirements is to track accounting information, such as users logging in to the devices and making configuration changes. On the Cisco N9Ks, the output of the "show accounting log" is what we need to send, is there a way to do that?
Thanks
02-03-2021 09:53 AM
show accounting log - only sends to the accounting server.
Maybe you can configure the accounting server to export those logs to the SIEM.
Some reference:
09-23-2021 04:21 PM
Hi
Did you ever find a way?
Thanks
09-23-2021 11:29 PM
Hello,
did you ever try EEM scripts such as the one below? The sample script would send the output of your show command to a TFTP server each day at 8 PM:
event manager applet LOG_SIEM
event timer cron cron-entry "0 20 * * *"
action 0001 cli command "enable"
action 0002 cli command "show accounting log | redirect tftp://xx.xx.xx.xx/filename"
09-29-2021 05:03 AM
Hello,
I did not try it. Somehow one of the 2 SIEMs configured as logging servers is receiving the accounting log from the Nexus.
2021 Sep 23 19:54:25 PDT: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:xx.zz.ww.zz@PTS/2:myuser:added user test2
I am trying to understand how.
Regards,
09-27-2021 01:01 PM
We ended up linking the Nexus device AAA to a RADIUS server, so the accounting logs go to the RADIUS server and then directly from the RADIUS server to the SIEM.
09-27-2021 03:28 PM
Yes, that option is also a good choice, rather than doing it in 2 different places.
09-27-2021 03:35 PM
Hello,
out of curiosity, what does the final configuration look like?
11-12-2021 07:35 AM
Hello,
I would be glad if someone could post the final solution.
I am a little bit confused about this.
The customer is using MS NPS, which is RADIUS. On several sites it was said that logging (config changes etc.) can only be sent to TACACS... maybe this has changed in the latest releases. (However, I did not find other information.)
Can someone explain in a little more detail? Thank you in advance.
11-15-2021 05:24 AM
Hello,
I am able to send the accounting logs using LDAPS as authentication.
The way I found is to set the aaa logging level to 6:
logging level aaa 6
As for the logging server, severity needs to be set as information:
logging server xxx.yy.ww.zz 6
Here is an example extracted from the SIEM:
11 08 2021 15:45:47 10.195.204.66 <LOC7:INFO> : 2021 Nov 8 20:45:47 UTC: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:MyWorkstationIP@PTS/2:MyUSer:modified the configuration for authentication login default
Hope this helped.
François,
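The two posts above describe the message the Nexus emits once the AAA facility logs at severity 6 and the syslog server accepts severity 6. The following is an added example, not from this thread or from Cisco: a small Python parser that pulls the fields out of %AAA-6-AAA_ACCOUNTING_MESSAGE lines (with or without the collector's own timestamp prefix), flags the "update" records that touch users, AAA or logging, and checks a running-config snippet for the two "logging" lines François mentions. The sample log lines, addresses and usernames are constructed placeholders modelled on the messages quoted in the thread; the keyword list in SENSITIVE_RE is an assumption about what a defender wants alerted on, not anything NX-OS defines.

```python
"""Parse NX-OS AAA accounting syslog messages and verify the logging config
the thread describes. Added example, not from the thread or from Cisco;
sample lines, addresses and usernames are constructed placeholders."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log modelled on the two messages quoted in the thread.
# Line 2 carries the SIEM's own receive-time prefix; line 4 is an unrelated
# syslog message that the parser must ignore.
SAMPLE_LOG = """\
2021 Sep 23 19:54:25 PDT: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:192.0.2.10@PTS/2:myuser:added user test2
11 08 2021 15:45:47 10.195.204.66 <LOC7:INFO> : 2021 Nov 8 20:45:47 UTC: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:192.0.2.10@PTS/2:MyUSer:modified the configuration for authentication login default
2021 Nov 8 20:46:01 UTC: %AAA-6-AAA_ACCOUNTING_MESSAGE: start:192.0.2.10@PTS/2:MyUSer:
2021 Nov 8 20:50:12 UTC: %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down (Link failure)
"""

# Matches the device-generated part of the message regardless of whatever
# prefix the syslog collector prepends (hence re.search, not re.match).
ACCT_RE = re.compile(
    r"(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]+): "
    r"%AAA-(?P<sev>\d)-AAA_ACCOUNTING_MESSAGE: "
    r"(?P<rtype>start|stop|update):"
    r"(?P<source>[^@]+)@(?P<line>[^:]+):"
    r"(?P<user>[^:]*):"
    r"(?P<action>.*)$"
)

# Assumed keyword list: actions that change who can log in or where audit
# data goes. A defender usually alerts on these rather than only storing them.
SENSITIVE_RE = re.compile(
    r"\b(added user|deleted user|role|password|aaa|authentication|tacacs|radius|logging server)\b",
    re.IGNORECASE,
)


@dataclass
class AccountingEvent:
    timestamp: datetime
    tz: str
    severity: int
    record_type: str   # start / stop / update
    source: str        # address of the operator's workstation
    line: str          # e.g. PTS/2
    user: str
    action: str        # empty for start/stop records


def parse_accounting(text: str) -> List[AccountingEvent]:
    """Return one AccountingEvent per AAA accounting line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = ACCT_RE.search(raw)
        if not m:
            continue
        events.append(AccountingEvent(
            timestamp=datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
            tz=m["tz"],
            severity=int(m["sev"]),
            record_type=m["rtype"],
            source=m["source"],
            line=m["line"],
            user=m["user"],
            action=m["action"].strip(),
        ))
    return events


def sensitive_changes(events: List[AccountingEvent]) -> List[AccountingEvent]:
    """Return the 'update' records whose action touches users, AAA or logging."""
    return [e for e in events
            if e.record_type == "update" and SENSITIVE_RE.search(e.action)]


# The two lines the thread identifies as required: the aaa facility must log
# at 6 and every syslog server must accept severity 6. A server line with no
# explicit severity is treated as failing the check.
LEVEL_RE = re.compile(r"^logging level aaa (\d)$", re.MULTILINE)
SERVER_RE = re.compile(r"^logging server (\S+)(?: (\d))?", re.MULTILINE)


def check_logging_config(running_config: str) -> Dict[str, bool]:
    """Check an NX-OS config snippet for the settings needed to export
    severity-6 AAA accounting messages to every configured syslog server."""
    level = LEVEL_RE.search(running_config)
    servers = SERVER_RE.findall(running_config)   # list of (host, severity) tuples
    return {
        "aaa_level_is_6": bool(level) and int(level.group(1)) >= 6,
        "all_servers_accept_6": bool(servers)
            and all(sev and int(sev) >= 6 for _, sev in servers),
    }


if __name__ == "__main__":
    for ev in sensitive_changes(parse_accounting(SAMPLE_LOG)):
        print(f"{ev.timestamp} {ev.tz} user={ev.user} from={ev.source} action={ev.action!r}")
    print(check_logging_config("logging level aaa 6\nlogging server 192.0.2.50 6\n"))
```

The parser keys on the device's own timestamp and facility tag, so the same regex works whether the line comes straight from the switch or from a SIEM export with a receive-time prefix, as in the two messages quoted above.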