ahilton
Beginner

Configuration tracking.

I know I can use CiscoWorks to capture entire configurations on a daily/weekly/monthly basis if I so desire. But what I want is a tool to capture when someone logs in, and EVERY line of command that they run. I read in the Cisco Secure ACS server that it has this capability, but even after attempting to configure that function, I do not get those kinds of logs. Any help?

2 ACCEPTED SOLUTIONS

Accepted Solutions
steve.busby
Contributor

Ensure you're using the "Accounting" features of AAA.

Something like this for IOS:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

and for CatOS:

set accounting exec enable stop-only tacacs+

set accounting commands enable all stop-only tacacs+

Unfortunately, you will have two different logs to look at in CSACS, one for when they log in/out and the other for what commands they ran.

CW2K/RME Configuration Management will capture the actual switch/router configs as you specify down to the hour.


rmushtaq
Collaborator

CiscoSecure is not meant for config fetch, it's meant for doing Authentication, Authorization, and Accounting only.

For doing it in CiscoWorks, the configuration archive automatically detects when a configuration change is made and retrieves the new version of the device configuration. The configuration archive can be updated with configuration changes in three ways:

The change probe process listens to configuration changes on the devices through syslog messages. When a configuration change is detected, the archive retrieves the latest configuration.

You schedule a manual retrieval of all configurations.

You schedule the SNMP poller to detect configuration changes on the device.

You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:

Listen to Syslog Messages

Config Retrieval Schedule

SNMP Poller Schedule

See the CiscoWorks docs for more details.

You can also use the freeware tool for this, CiscoConf from: http://cosi-nms.sourceforge.net/alpha-progs.html


4 REPLIES 4

So, it sounds like there isn't a way to see the commands that someone runs. And then a comparison has to be made between the "old" config and the "new" config. Hmmm... I know via Hyperterm or Putty SSH I can create a "log" that captures every command run and screen viewed, that may be something to investigate for tracking purposes as well for this audience that is very concerned with changes being made.

Thanks for the info!

With the commands in the first reply, CSACS can log commands entered in privilege mode.

In CSACS, go to system configuration and click on logging. Ensure that TACACS+ Administration is checked. You can also modify what is being logged by clicking the hyperlink.

Next, click Reports & Activities then TACACS+ Administration. You should have a list of CSV files containing commands entered on the routers/switches.
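
Added example (not posted by anyone in this thread, and not Cisco code): one way to merge the two CSACS logs mentioned above, the exec (login/logout) accounting CSV and the TACACS+ Administration command CSV, into one timeline per login session. The column names, date format and sample rows are constructed assumptions; adjust them to the header row of your own exports.

```python
import csv, io
from datetime import datetime

# Constructed sample exports; column names and date format are assumptions.
EXEC_CSV = """Date,Time,User-Name,NAS-IP-Address,Acct-Flags,task_id
03/14/2005,09:01:10,jdoe,10.0.0.1,start,41
03/14/2005,09:07:45,jdoe,10.0.0.1,stop,41
03/14/2005,10:15:00,asmith,10.0.0.2,start,7
"""
CMD_CSV = """Date,Time,User-Name,NAS-IP-Address,priv-lvl,cmd
03/14/2005,09:02:03,jdoe,10.0.0.1,15,configure terminal <cr>
03/14/2005,09:03:30,jdoe,10.0.0.1,15,interface FastEthernet0/1 <cr>
03/14/2005,09:04:02,jdoe,10.0.0.1,15,shutdown <cr>
03/14/2005,09:30:00,jdoe,10.0.0.1,15,write memory <cr>
03/14/2005,10:16:20,asmith,10.0.0.2,15,show running-config <cr>
"""

def _rows(text):
    """Yield CSV rows with a parsed 'ts' timestamp added."""
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["Date"] + " " + r["Time"], "%m/%d/%Y %H:%M:%S")
        yield r

def build_sessions(exec_csv):
    """Pair start/stop exec records by (user, device, task_id)."""
    sessions, pending = [], {}
    for r in sorted(_rows(exec_csv), key=lambda r: r["ts"]):
        key = (r["User-Name"], r["NAS-IP-Address"], r["task_id"])
        if r["Acct-Flags"] == "start":
            pending[key] = {"user": key[0], "device": key[1], "start": r["ts"],
                            "stop": None, "commands": []}
            sessions.append(pending[key])
        elif r["Acct-Flags"] == "stop" and key in pending:
            pending.pop(key)["stop"] = r["ts"]
    return sessions

def correlate(exec_csv, cmd_csv):
    """Attach each command to the session it ran in; return (sessions, orphans)."""
    sessions, orphans = build_sessions(exec_csv), []
    for r in sorted(_rows(cmd_csv), key=lambda r: r["ts"]):
        for s in sessions:
            same = (s["user"], s["device"]) == (r["User-Name"], r["NAS-IP-Address"])
            if same and s["start"] <= r["ts"] and (s["stop"] is None or r["ts"] <= s["stop"]):
                s["commands"].append((r["ts"], r["cmd"]))
                break
        else:  # no login record covers this command: worth investigating
            orphans.append(r)
    return sessions, orphans
```

Commands returned in `orphans` have no matching login record, which usually points to a device missing exec accounting or a lost accounting record.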
