Cisco Routers and Switches Audit
Overview
The following commands enable logging of configuration changes and forward the resulting messages to a syslog server. They have been tested with Cisco IOS version 12.
Enable logging of configuration commands
Router# configure terminal
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable
Router(config-archive-log-config)# logging size 200
Router(config-archive-log-config)# notify syslog
Configure sending to syslog
Router# configure terminal
Router(config)# logging host <thinkserver IP address>
Router(config)# end
Messages by severity level
To limit which messages are sent, by severity level, use the logging trap command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging trap informational
Router(config)# end
NOTE: Keep the trap level at informational (or a more verbose level): the command audit messages are sent at this severity, and a more restrictive trap level would drop them.
Audit logins
As of IOS version 12.4, logins can be audited without a centralized authentication server (for example RADIUS). Depending on the type of logon that needs to be audited, enable one or both of the following configuration commands:
Router(config)# login on-success log
Router(config)# login on-failure log
NOTE: On some devices it has been observed that the logon event arrives but the user name field is empty. The cause of this issue is still to be determined.
Hidekeys (Important!)
When a command contains a password (for example, when creating a user), the password would otherwise appear in the logged command. Enable the hidekeys command under the configuration log so that the password is not logged in clear text.
Router# configure terminal
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# hidekeys
Router(config-archive-log-config)# end
Filter messages (optional)
Certain messages can be suppressed; for example, interface link up/down events are not critical to the audit.
Router# configure terminal
Router(config)# interface Serial0/0
Router(config-if)# no logging event link-status
Router(config-if)# no logging event dlci-status-change
Router(config-if)# no logging event subif-link-status
Router(config-if)# exit
Router(config)# end
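On the collector side, the configuration-change log, the login audit and the hidekeys setting above produce syslog messages that can be checked automatically. The following is an added example, not part of the original page or of thinkserver: it parses constructed sample lines modelled on the %PARSER-5-CFGLOG_LOGGEDCMD and %SEC_LOGIN messages, counts configuration changes, flags a password that hidekeys did not mask, reports failed logins, and flags the blank user name condition noted above. Hostnames, users, addresses and the message formats are assumptions.

```python
import re

# Constructed sample lines, modelled on the syslog messages that the
# config-change log (archive / log config) and the login on-success /
# on-failure commands emit. Hostnames, users and addresses are made up.
SAMPLE_LOG = """\
<189>Mar  1 10:00:01 rtr1 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:logging host 10.0.0.9
<189>Mar  1 10:00:05 rtr1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username ops privilege 15 password s3cret
<189>Mar  1 10:00:07 rtr1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username ops privilege 15 password *****
<189>Mar  1 10:01:00 rtr1 126: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.0.0.5] [localport: 22] at 10:01:00 UTC Fri Mar 1 2024
<189>Mar  1 10:01:30 rtr1 127: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: 10.0.0.6] [localport: 22] [Reason: Login Authentication Failed] at 10:01:30 UTC Fri Mar 1 2024
"""

CFG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S*)\s+logged command:(?P<cmd>.*)$")
LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
                      r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
# A password/secret argument (optionally preceded by an encryption type digit)
# whose value is not the asterisk mask that hidekeys substitutes.
UNMASKED_RE = re.compile(r"\b(?:password|secret)\s+(?:[0-7]\s+)?(?!\*)\S+")


def parse_event(line):
    """Return a dict for a config-change or login event, or None for other lines."""
    m = CFG_RE.search(line)
    if m:
        return {"type": "config", "user": m["user"], "cmd": m["cmd"].strip()}
    m = LOGIN_RE.search(line)
    if m:
        return {"type": m["event"].lower(), "user": m["user"].strip(), "src": m["src"]}
    return None


def audit(text):
    """Apply the checks the page's logging configuration makes possible."""
    report = {"config_changes": 0, "unmasked_secrets": [],
              "blank_user_events": [], "failed_logins": []}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "config":
            report["config_changes"] += 1
            if UNMASKED_RE.search(ev["cmd"]):      # hidekeys not active
                report["unmasked_secrets"].append((ev["user"], ev["cmd"]))
        elif ev["type"] == "login_failed":
            report["failed_logins"].append((ev["user"], ev["src"]))
        if ev["user"] == "":                        # the blank user name issue
            report["blank_user_events"].append(ev["type"])
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```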