Define events send to external Syslog Server (e.g. new local user)

holmigeirr
Level 1

Hello together,

I've got some Catalyst 9200 (IOS XE 17.06.04) here that are configured to send syslog messages to an external syslog server.

So far, it works fine. The 9200 are sending their syslog messages to the server. For example, when a local user logs into a switch, a syslog event is generated and sent to the syslog server, same on logout.

But: I have a few scenarios that should generate syslog messages, and I'm not sure if it is possible with these switches:
When a new local user is created or deleted on the switch,
when a new local group is created,
when a user's privileges are changed
and some more.

I tested it, none of these cases produces a syslog message.

Changing the loglevel to debug didn't bring any improvement either (with command "logging snmp-trap debugging"; I'm not even sure if this affects syslog messages and snmp traps or only snmp traps; description says "set syslog level for snmp trap").

Numerous messages that are of no interest to me are logged via syslog, but I can't find how to log if a local user or a local group is deleted or created.

Is it possible to configure syslog on the C9200 more individually so that user deletions, privilege changes, etc. are also logged via syslog?

Thanks

holmigeirr


Accepted Solutions

balaji.bandi
Hall of Fame

I have a simple config:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext

logging source-interface Loopback0
logging host x.x.x.x

I tried adding and deleting a user, and it works as below (is this what you are looking for?)

%SYS-5-CONFIG_I: Configured from console by AAAA on vty0 (x.x.x.x)
%PARSER-5-CFGLOG_LOGGEDCMD: User:AAAA logged command:notify syslog contenttype plaintext
%SYS-5-CONFIG_I: Configured from console by AAAA on vty0 (x.x.x.x)
%PARSER-5-CFGLOG_LOGGEDCMD: User:AAAA logged command:username bbandi1 privilege 7 secret 9 *
%PARSER-5-CFGLOG_LOGGEDCMD: User:AAAA logged command:!config: USER TABLE MODIFIED
%PARSER-5-CFGLOG_LOGGEDCMD: User:AAA logged command:no username bbandi1
%SYS-5-CONFIG_I: Configured from console by AAAA on vty0 (x.x.x.x)

BB

***** Rate All Helpful Responses *****
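
On the syslog server, the %PARSER-5-CFGLOG_LOGGEDCMD messages shown in the answer above can be filtered for local account changes. The following Python is an added example, not part of the original thread or any Cisco code; the collector header (timestamp and hostname "sw1") in the sample lines and the event field names are assumptions.

```python
import re

# Matches the config-logger message shown in the answer; any header the
# collector prepends (timestamp, hostname) is skipped by using search().
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<actor>\S+)\s+logged command:(?P<cmd>.*)$")
USER_CMD = re.compile(r"^(?P<no>no\s+)?username\s+(?P<name>\S+)(?P<rest>.*)$")
PRIV = re.compile(r"\bprivilege\s+(\d+)")
# Drop anything following a secret/password keyword before the event is stored.
CRED = re.compile(r"\b(secret|password)\b.*$")

def account_events(lines):
    """Return one dict per local-account change found in the syslog lines."""
    events = []
    for line in lines:
        m = CFGLOG.search(line.rstrip())
        if not m:
            continue  # other facility, e.g. %SYS-5-CONFIG_I
        actor, cmd = m["actor"], m["cmd"].strip()
        u = USER_CMD.match(cmd)
        if u is None:
            continue  # not an account command (e.g. "USER TABLE MODIFIED" marker)
        if u["no"]:
            action, priv = "deleted", None
        else:
            p = PRIV.search(u["rest"])
            action, priv = "created_or_modified", int(p.group(1)) if p else None
        events.append({"actor": actor, "account": u["name"], "action": action,
                       "privilege": priv,
                       "command": CRED.sub(r"\1 <redacted>", cmd)})
    return events

# Constructed sample: the answer's messages behind a made-up collector header.
SAMPLE = [
    "Jan  1 00:00:01 sw1 %SYS-5-CONFIG_I: Configured from console by AAAA on vty0 (x.x.x.x)",
    "Jan  1 00:00:02 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:AAAA logged command:username bbandi1 privilege 7 secret 9 *",
    "Jan  1 00:00:02 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:AAAA logged command:!config: USER TABLE MODIFIED",
    "Jan  1 00:00:09 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:AAA logged command:no username bbandi1",
]

if __name__ == "__main__":
    for ev in account_events(SAMPLE):
        print(ev)
```

A privilege change on an existing account appears as another "username ... privilege N" command, so it is reported as created_or_modified with the new level.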

Hello balaji.bandi,

I missed this line in the log-config:

notify syslog contenttype plaintext

It works!

Thank you very much!

Glad that helped you... cheers!

BB
