Syslog. Include IP address of VTY in every message (configuration changes)

Vadym Belyayev
Level 1

Hello guys,

I have discovered that Huawei has a different syslog message format when it comes to logging configuration changes to an external syslog server; however, if on Cisco you are using a universal login for many users, it is impossible to know which IP address logged which command.

I know a solution would be to let every user use their own login; however, I wanted to know whether there is a way for a Cisco router to associate the VTY of the "logged command" originator and include this information in syslog.


Here is the example for Huawei:

%%10SHELL/5/CMD(l):-DevIP=10.219.3.2- 2 -task:vt0 ip:10.200.7.138 user:** command:display logbuffer


Cisco kind of includes a final message where it tells what the IP address of the VTY was; however, this IP address is not present in every syslog message as it is in Huawei's.


68954: 168799: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:no logging host 10.200.100.10 transport udp port 515

68952: 168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:XXXXX logged command:exit

68953: 168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by XXXXX on vty5 (10.200.7.138)


Is it possible to do something similar in Cisco?

Accepted Solution

mikaelbje
Level 1

If you have Splunk or another enterprise log reporting server, you can correlate those events by building a transaction whenever you see a %SYS-5-CONFIG_I event. I have support for this in my Cisco Networks app for Splunk: https://apps.splunk.com/app/1352/ & https://apps.splunk.com/app/1467/


Have a look and see what you think.

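The correlation the accepted answer describes, written out as an added example (not code from the original thread or from the Splunk app mentioned above): each %PARSER-5-CFGLOG_LOGGEDCMD event is held in a per-user buffer until the next %SYS-5-CONFIG_I for that user arrives, and that event's VTY and source IP are stamped onto everything buffered. The log lines below are constructed for the example and are not from the original post; the usernames, IPs and sequence numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample feed (not from the original post). The ordering mirrors
# what IOS emits: one CFGLOG_LOGGEDCMD per command, then a single CONFIG_I
# with the vty and source IP when the user leaves configuration mode.
SAMPLE_LOG = """\
68951: 168795: Sep 22 14:18:20.102: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice logged command:logging host 10.200.100.10 transport udp port 515
68952: 168796: Sep 22 14:18:25.341: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice logged command:exit
68953: 168797: Sep 22 14:18:26.053: %SYS-5-CONFIG_I: Configured from console by alice on vty5 (10.200.7.138)
68954: 168799: Sep 22 14:29:21.839: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no logging host 10.200.100.10 transport udp port 515
68955: 168800: Sep 22 14:29:22.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:exit
68956: 168801: Sep 22 14:29:23.410: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (10.200.7.200)
68957: 168802: Sep 22 14:30:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:hostname edge-rtr
"""

# Per-command event: carries the username but no line or IP.
CMD_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$"
)
# Session-close event: the only message that names the vty and its peer IP.
# Other CONFIG_I variants ("by console", "from memory") have no IP and are
# deliberately not matched, so they never close a transaction here.
CFG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<user>\S+) "
    r"on (?P<line>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\)"
)


def correlate(lines):
    """Attribute CFGLOG commands to the vty/IP of the CONFIG_I that follows.

    Returns (attributed, unattributed). Each attributed dict has user, cmd,
    line (e.g. vty5), ip and the raw message; unattributed holds commands
    whose session has not yet produced a CONFIG_I (still in config mode, or
    the feed ended first).
    """
    pending = defaultdict(list)   # username -> commands awaiting a CONFIG_I
    attributed = []
    for raw in lines:
        raw = raw.rstrip()
        m = CMD_RE.search(raw)
        if m:
            pending[m["user"]].append(
                {"user": m["user"], "cmd": m["cmd"].strip(), "raw": raw}
            )
            continue
        m = CFG_RE.search(raw)
        if m:
            # Close the transaction: everything buffered for this user is
            # stamped with the line and IP the CONFIG_I reports.
            for ev in pending.pop(m["user"], []):
                ev.update(line=m["line"], ip=m["ip"])
                attributed.append(ev)
    unattributed = [ev for evs in pending.values() for ev in evs]
    return attributed, unattributed


def enriched(ev):
    """Render an attributed event with the fields the Huawei format carries inline."""
    return f"user:{ev['user']} line:{ev['line']} ip:{ev['ip']} command:{ev['cmd']}"


if __name__ == "__main__":
    done, left = correlate(SAMPLE_LOG.splitlines())
    for ev in done:
        print(enriched(ev))
    for ev in left:
        print(f"UNATTRIBUTED user:{ev['user']} command:{ev['cmd']}")
```

Two caveats a practitioner should keep in mind. The buffer is keyed on username, so with the shared login the original poster describes, two concurrent sessions under the same name interleave and cannot be separated by this correlation at all; per-user logins are what make the key unique. And a session that never leaves configuration mode, or that is still open when the collector rotates, never emits the CONFIG_I, so its commands stay unattributed; a real collector should flush such entries after a timeout rather than hold them forever.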


Thank you Mikael,

We are using PRTG Network Monitor and CiscoWorks here in our network.

We finally created a unique login for every user, and the way I implemented syslog was using PRTG + Kiwi Syslog Server to redirect messages from the Cisco 4500 to a port other than 514.


Thanks for the suggestion!!!
