10-10-2008 04:59 AM - edited 03-11-2019 06:55 AM
Good morning.
For auditing purposes, we need to log which commands were typed into the ASA console, with user and time.
Could you tell me which is the command? I can't find it... it has changed from "Archive".
This will also log the commands introduced via the graphic interface, right? After all, it's just a front end that sends commands to the Cisco router.
Thanks.
10-11-2008 03:07 AM
Well, you could do it via AAA; even with that, the ASA will only show the username enable_15. Even if you do 'logging buffered debug' you will see each command typed, but it won't show you the specific user:
111008: User 'enable_15' executed the 'logging on' command
Regards
Farrukh
10-11-2008 05:45 AM
Well, you should use AAA to complete your requirement, or you can enable logging by building one logging server and using the commands mentioned below:
logging enable
logging timestamp
logging console informational
logging buffered informational
logging trap informational
logging facility 23
logging queue 2048
logging host
logging host Inside_mgt 192.168.1.1 (logging server IP for Windows server)
11-12-2008 04:25 AM
Thanks for the response, guys, but it's not working.
I even tried using logging trap debugging, to send EVERYTHING to our syslog, and nothing... all I see is this level of logs, no other type of "User 'X' executed cmd:" messages:
201115721 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show version
201115735 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show running-config aaa authorization
201115683 10.3.1.1 local7 15:17:20 Nov %ASA-7-111009: User 'X' executed cmd: show module 1 details
200968772 10.3.1.1 local7 09:34:14 Nov %ASA-7-111009: User 'X' executed cmd: show version
I can't see any other commands typed; it's very weird. I also tried with logging buffered debugging, sending the messages to an FTP server, and it's the same.
I can't see any more messages than these.
Does anyone have any more ideas?
11-12-2008 10:35 AM
Hey, I just saw something on the net.
Those commands that were logged are READ ONLY commands; that's why they are logged only at debugging level.
At notification (level 5), you get this kind of message:
%ASA-5-111008: User 'X' executed the 'dir disk0:/dap.xml' command.
With this, I don't get the messages I should get about creating a new access rule.
Does anyone know whether these should also be logged with the number 111008, or is it another syslog number?
Thanks!
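To make the two message formats discussed in this thread easier to audit, here is an added example (not code from the thread or from Cisco) that parses %ASA-7-111009 and %ASA-5-111008 lines into user and command fields and flags two conditions the posts above raise: commands recorded under 'enable_15' (no per-user AAA authentication, per Farrukh's post) and batches that contain only read-only 111009 messages. The sample lines are constructed to mirror the ones posted above.

```python
import re
from typing import Optional

# 111009 ("executed cmd: ...") covers read-only commands at severity 7;
# 111008 ("executed the '...' command") covers other commands at severity 5.
# The "%ASA-<sev>-" prefix is optional because buffered output can omit it.
_AUDIT_RE = re.compile(
    r"(?:%ASA-(?P<sev>\d)-)?(?P<msgid>11100[89]): "
    r"User '(?P<user>[^']+)' executed "
    r"(?:cmd: (?P<cmd_ro>.+?)|the '(?P<cmd_rw>[^']+)' command)\.?\s*$"
)

# Username the ASA reports when no per-user AAA authentication is configured
# (assumption based on the enable_15 example posted in the thread).
UNATTRIBUTED_USER = "enable_15"


def parse_command_audit(line: str) -> Optional[dict]:
    """Return the fields of one 111008/111009 syslog line, or None if not one."""
    m = _AUDIT_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd_ro") or m.group("cmd_rw")
    return {
        "msgid": int(m.group("msgid")),
        "severity": int(m.group("sev")) if m.group("sev") else None,
        "user": m.group("user"),
        "command": cmd.strip(),
        "read_only": m.group("msgid") == "111009",
        "attributed": m.group("user") != UNATTRIBUTED_USER,
    }


def audit_report(lines):
    """Parse a batch of syslog lines and attach audit warnings."""
    events = [e for e in (parse_command_audit(l) for l in lines) if e]
    warnings = []
    if any(not e["attributed"] for e in events):
        warnings.append("commands logged as 'enable_15': no per-user AAA authentication")
    if events and all(e["read_only"] for e in events):
        warnings.append("only 111009 (read-only) messages in this batch")
    return {"events": events, "warnings": warnings}


# Constructed sample lines modelled on the ones posted in this thread.
SAMPLE_LINES = [
    "201115721 10.3.1.1 local7 15:17:28 Nov %ASA-7-111009: User 'X' executed cmd: show version",
    "%ASA-5-111008: User 'X' executed the 'dir disk0:/dap.xml' command.",
    "111008: User 'enable_15' executed the 'logging on' command",
    "%ASA-6-302013: Built inbound TCP connection 12345 (unrelated, constructed)",
]

if __name__ == "__main__":
    for event in audit_report(SAMPLE_LINES)["events"]:
        print(event)
```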