08-25-2014 01:13 PM
I need to be able to log any configuration changes to syslog on our Nexus switches. On IOS this is easy with the archive commands, but I'm a little stuck trying to do this on our Nexus gear. On the IOS gear I run the commands:
archive
log config
logging enable
logging size 100
hidekeys
notify syslog
How do I do the equivalent on NX-OS?
08-25-2014 05:51 PM
Cisco NX-OS can log configuration change events along with the individual changes when AAA command accounting is enabled.
With command accounting enabled, all CLI commands entered, including configuration commands, are logged to the configured AAA server. Using this information, a forensic trail for configuration change events along with the individual commands entered for those changes can be recorded and reviewed.
Because of this capability, it is strongly advised that AAA command accounting be enabled and configured.
Refer to the “TACACS+ Command Accounting” section of this document for more information.
The Nexus 7000, by default keeps a local accounting log of all the configuration commands entered on the device; you can view this with the 'show accounting log' command.
In NX-OS, we changed the way logging works. We keep a local accounting log of all the configuration changes ("show accounting log"), but if you want to send those logs to a server, it must be done through a TACACS server. Please see the below documentation:
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
08-26-2014 06:24 AM
Thanks! I knew about the accounting log, just didn't know about the rest.
08-26-2014 06:38 AM
Glad it helped!
-Thanks
Vinod
02-05-2015 07:01 AM
Is there a way to send it to the AAA server (tacacs in my case) *and* to syslog? AAA server groups only send a message to the first server that responds; I need it sent to both processes. Plus, it appears that I can only define RADIUS and TACACS accounting servers, and I need to be able to configure a SysLog accounting server.
02-09-2015 01:57 AM
I have the same question. We use AAA info in our syslog for troubleshooting, but for the Nexus platform we have not found a way to send it to syslog in the same way we do with the archive-command in IOS.
Cheers!
02-04-2016 03:29 AM
Dear
I have the same need.
I need to send the configuration change logs to a syslog server.
Does anyone know if it is possible and how to do it? (Could you pass me the reference documentation?)
Thanks!
08-30-2016 02:07 AM
Have you guys found a solution on how to forward these AAA accounting logs to syslog? We are also looking for a way to do that.
It works fine with the "archive" command for all our Catalyst switches, but unfortunately not for our new Nexus devices. That's too bad.
With FreeRadius and AAA accounting enabled on the Nexus, the accounting info is saved at the following path, one folder per device:
/var/log/radius/radacct/<mgmt-ip>
The best way would be if that information could be sent to the normal syslog process that is running on the same server. Or if not possible we would need a way to forward that information into syslog.
Any ideas or possible solutions?
Any help is much appreciated :-)
09-16-2016 07:52 PM
No updates yet, unfortunately. I've had thoughts about using EEM to do something interesting. If I post something to SysLog via EEM, something (VSH I think) gets logged in the accounting logs, so I can't do it based on an update to the accounting log because it would be an infinite loop.
I haven't spent more than one evening plugging away at this one though, so I don't have a definitive answer. Would be awesome though! ASA and IOS/IOSXE both do it, it's a shame NXOS doesn't.
08-03-2017 01:25 AM
Same issue, no solution found yet.
10-18-2017 08:06 AM
Hi everyone, my solution is this:
switch(config)# logging logfile [name] 6
switch(config)# logging level aaa 6
switch(config)# logging server X.X.X.X 6
Works on Nexus 5K/7K.
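Once the accounting records reach a syslog server (via "logging level aaa 6" above, or pulled from "show accounting log" as Vinod describes), the next question is what to do with them. The following is an added example, not code from this thread or from Cisco: a small parser that turns NX-OS accounting records into structured events, keeps only those that entered configuration mode, and flags the ones a defender would want to alert on (logging or account changes). The record layout (`timestamp:type=...:id=...:user=...:cmd=...`) and the sample lines are assumed and constructed here; check them against your own switch output before relying on the regex.

```python
import re
from typing import Optional

# Assumed layout of one NX-OS accounting record, as shown by "show accounting log"
# and forwarded to syslog at level 6. Verify against your own devices.
RECORD = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]*):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
# NX-OS appends the outcome in parentheses, e.g. "... shutdown (SUCCESS)".
RESULT = re.compile(r"^(?P<cmd>.*?)\s*\((?P<result>[A-Z]+)\)$")

# Configuration commands worth an immediate alert; tune for your environment.
SENSITIVE_PREFIXES = ("no logging", "logging server", "username", "aaa ", "no aaa", "role ", "no role")

# Constructed sample log (not real device output): one session with several changes.
SAMPLE_LOG = [
    "Wed Oct 18 08:06:12 2017:type=start:id=192.0.2.10@pts/0:user=admin:cmd=",
    "Wed Oct 18 08:06:20 2017:type=update:id=192.0.2.10@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS)",
    "Wed Oct 18 08:06:31 2017:type=update:id=192.0.2.10@pts/0:user=admin:cmd=show running-config (SUCCESS)",
    "Wed Oct 18 08:07:02 2017:type=update:id=192.0.2.10@pts/0:user=admin:cmd=configure terminal ; username svc-monitor password ******* role network-admin (SUCCESS)",
    "Wed Oct 18 08:07:40 2017:type=update:id=192.0.2.10@pts/0:user=admin:cmd=configure terminal ; no logging server 192.0.2.50 (SUCCESS)",
    "Wed Oct 18 08:08:00 2017:type=stop:id=192.0.2.10@pts/0:user=admin:cmd=shell terminated because of session timeout",
]


def parse_record(line: str) -> Optional[dict]:
    """Split one accounting line into fields; return None for lines that do not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    res = RESULT.match(rec["cmd"])
    rec["result"] = res.group("result") if res else None
    cmd = res.group("cmd") if res else rec["cmd"]
    # NX-OS joins the mode path and the final command with " ; ".
    rec["commands"] = [c.strip() for c in cmd.split(" ; ") if c.strip()]
    return rec


def config_changes(lines) -> list:
    """Keep only records that entered configuration mode and flag sensitive ones."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "update" or not rec["commands"]:
            continue
        if rec["commands"][0] != "configure terminal":
            continue  # show commands and other read-only activity
        body = rec["commands"][1:]
        rec["sensitive"] = any(c.startswith(SENSITIVE_PREFIXES) for c in body)
        out.append(rec)
    return out
```

Feeding the parsed events into a SIEM rule (for example, any "sensitive" change or any change by an unexpected user or source IP) gives the same visibility the IOS "archive" notify feature provides, without depending on the TACACS server alone.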
10-27-2017 12:26 AM
Oh wow, that's the simplest way to configure command logging on Nexus switches!
Works for N9k (Nexus 9000) as well.
10-27-2017 06:58 AM - edited 10-27-2017 07:02 AM
This also works when you want the ACL log entries to be written to a common logfile.
Example:
ip access-list EXAMPLE
statistics per-entry
10 permit tcp X.X.X.X/24 any log
20 permit tcp X.X.X.X/32 any log
30 deny ip any any log
If something matches, you can see it in the temporary information:
show log ip access-list cache
show log ip access-list status
If you want to send it to the logfile, do:
switch(config)# logging level acllog 6
switch(config)# acllog match-log-level 6
switch(config)# logging logfile [name] 6
switch(config)# logging server X.X.X.X 6
11-17-2017 05:21 AM
Thanks for the solution.
I've got only one question: is there a reason why you make use of an extra logfile?
Is that so only your level 6 messages go in there?
Regards
11-20-2017 06:28 AM
I think if you know the exact name of your current logfile and specify it, then the log will be written to the current file.
These were my production switches and I did not want to do many experiments. With "level 5" it did not work.