cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4381
Views
2
Helpful
9
Replies

How to send accounting logs to remote syslog server - Nexus 9k

aok
Level 1
Level 1

Hello

 

We are setting up a new SIEM and one of the requirements is to track accounting information, such as users logging in to the devices and making configuration changes. On the Cisco N9Ks, the output of the "show accounting log" is what we need to send, is there a way to do that?

 

Thanks

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

show accounting log  - only send to accounting server.

May be you can configure account server to export those logs to SIEM.

 

some reference :

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html#wp1152764

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi

 

Did you ever found a way!?

 

Thanks

Hello,

 

did you ever try EEM scripts such as the one below ? The sample script would send the output of your show command to a TFTP server each day at 8PM:

 

event manager applet LOG_SIEM
event timer cron cron-entry "0 20 * * *"
action 0001 cli command "enable"
action 0002 cli command "show accounting log | redirect tftp://xx.xx.xx.xx/filename"

Hello,

I did not try it. Somehow one of the 2 SIEM configured as logging servers is receiving the accounting log from the Nexus.

 

2021 Sep 23 19:54:25 PDT: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:xx.zz.ww.zz@PTS/2:myuser:added user test2

 

I am trying to understand how.

 

Regards,

aok
Level 1
Level 1

We ended up linking the Nexus device aaa to a Radius server, so the accounting logs would go to the Radius server and then directly from Radius server to the SIEM

yes that option also good choice.. rather doing 2 different places

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

out of curiosity, what does the final configuration look like ?

sjdr
Level 1
Level 1

Hello,

 

I would be glad, If someone could post the/a final solution.

I am a little bit confused on this.

Customer is using MS NPS, which is Radius. On several sites it was said, that logging (config changes etc) can only be sent to TACACS... maybe this has changed in the last releases. (however, i did not find other information)

 

Can someone explain a little bit mor detailed? Thank you in advance.

Hello,

 

I am able to send the accounting logs using LDAPS as authentication.


The way I found is to set the aaa logging level to 6:

logging level aaa 6

 

As for the logging server, severity needs to be set as information:

logging server xxx.yy.ww.zz 6

 

Here a example extrated from the SIEM:

11 08 2021 15:45:47 10.195.204.66 <LOC7:INFO> : 2021 Nov  8 20:45:47 UTC: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:MyWorkstationIP@PTS/2:MyUSer:modified the configuration for authentication login default

 

Hope this helped.

 

François,

 

 

 

 

Review Cisco Networking for a $25 gift card