05-04-2004 12:41 PM - edited 03-02-2019 03:27 PM
I know I can use CiscoWorks to capture entire configurations on a daily/weekly/monthly basis if I so desire. But what I want is a tool to capture when someone logs in, and EVERY line of command that they run. I read in the Cisco Secure ACS server that it has this capability, but even after attempting to configure that function, I do not get those kinds of logs. Any help?
05-04-2004 12:59 PM
Ensure you're using the "Accounting" features of AAA.
Something like this for IOS:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
and for CatOS:
set accounting exec enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+
Unfortunately, you will have two different logs to look at in CSACS, one for when they log in/out and the other for what commands they ran.
CW2K/RME Configuration Management will capture the actual switch/router configs as you specify down to the hour.
05-04-2004 01:16 PM
CiscoSecure is not meant for config fetch, it's meant for doing Authentication, Authorization, and Accounting only.
For doing it in CiscoWorks, the configuration archive automatically detects when a configuration change is made and retrieves the new version of the device configuration. The configuration archive can be updated with configuration changes in three ways:
The change probe process listens to configuration changes on the devices through syslog messages. When a configuration change is detected, the archive retrieves the latest configuration.
You schedule a manual retrieval of all configurations.
You schedule the SNMP poller to detect configuration changes on the device.
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:
Listen to Syslog Messages
Config Retrieval Schedule
SNMP Poller Schedule
See the CiscoWorks docs for more details.
You can also use the freeware tool for this, CiscoConf, from: http://cosi-nms.sourceforge.net/alpha-progs.html
05-05-2004 09:28 AM
So, it sounds like there isn't a way to see the commands that someone runs. And then a comparison has to be made between the "old" config and the "new" config. Hmmm..I know via Hyperterm or Putty SSH I can create a "log" that captures every command run and screen viewed, that may be something to investigate for tracking purposes as well for this audience that is very concerned with changes being made.
Thanks for the info!
08-11-2004 06:10 AM
With the commands in the first reply, CSACS can log commands entered in privilege mode.
In CSACS, go to System Configuration and click on Logging. Ensure that TACACS+ Administration is checked. You can also modify what is being logged by clicking the hyperlink.
Next, click Reports & Activities, then TACACS+ Administration. You should have a list of CSV files containing commands entered on the routers/switches.
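The first reply notes that logins and commands end up in two separate CSACS logs. The sketch below is an added example, not part of any post in this thread: it joins the two CSV exports into per-login command timelines and flags commands that no login record covers. The column names and sample rows are constructed assumptions (adjust them to the headers in your own export), and it assumes start-stop exec accounting as in the IOS lines above.

```python
import csv
from datetime import datetime

# Constructed sample exports; column names are assumptions, not the real CSACS layout.
EXEC_CSV = """Date,Time,User-Name,NAS-IP-Address,Acct-Flags
05/04/2004,13:00:05,alice,10.0.0.1,start
05/04/2004,13:02:10,bob,10.0.0.2,start
05/04/2004,13:09:40,alice,10.0.0.1,stop
"""
CMD_CSV = """Date,Time,User-Name,NAS-IP-Address,cmd
05/04/2004,13:01:00,alice,10.0.0.1,configure terminal
05/04/2004,13:01:30,alice,10.0.0.1,interface FastEthernet0/1
05/04/2004,13:03:00,bob,10.0.0.2,show running-config
05/04/2004,13:20:00,alice,10.0.0.1,write memory
"""

def _rows(text):
    """Parse a CSV export and attach a datetime built from Date and Time."""
    for row in csv.DictReader(text.splitlines()):
        row["ts"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        yield row

def build_sessions(exec_text, cmd_text):
    """Return (sessions, orphans): commands grouped under the login that covers them."""
    sessions, open_by_key = [], {}
    for r in sorted(_rows(exec_text), key=lambda r: r["ts"]):
        key = (r["User-Name"], r["NAS-IP-Address"])
        if r["Acct-Flags"] == "start":
            s = {"user": key[0], "nas": key[1], "start": r["ts"], "stop": None, "cmds": []}
            sessions.append(s)
            open_by_key[key] = s
        elif key in open_by_key:  # a stop record closes the latest open session
            open_by_key.pop(key)["stop"] = r["ts"]
    orphans = []
    for r in sorted(_rows(cmd_text), key=lambda r: r["ts"]):
        match = [s for s in sessions
                 if (s["user"], s["nas"]) == (r["User-Name"], r["NAS-IP-Address"])
                 and s["start"] <= r["ts"] and (s["stop"] is None or r["ts"] <= s["stop"])]
        if match:
            match[-1]["cmds"].append((r["ts"], r["cmd"]))
        else:  # command with no covering login record: worth a closer look
            orphans.append((r["ts"], r["User-Name"], r["NAS-IP-Address"], r["cmd"]))
    return sessions, orphans

if __name__ == "__main__":
    sessions, orphans = build_sessions(EXEC_CSV, CMD_CSV)
    for s in sessions:
        print(s["user"], s["nas"], s["start"], "->", s["stop"], [c for _, c in s["cmds"]])
    print("no matching login:", orphans)
```

Matching here is by user, device address and time window only, so two overlapping logins by the same user on the same device are not told apart.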