AAA Accounting includes the ability to log a variety of system events, including timestamps, along with associated usernames:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa accounting exec default start-stop group tacacs+
Router1(config)#aaa accounting connection default start-stop group tacacs+
Router1(config)#aaa accounting system default stop-only group tacacs+
Router1(config)#end
Router1#
In addition to capturing keystroke logs, AAA accounting can gather other useful pieces of information, such as exec, connection, and system events:
- exec: This feature captures and timestamps the beginning and ending of a user’s Exec session on the router.
- connection: This allows you to gather information about outgoing connections using an interactive protocol such as Telnet, SSH, or RSH.
- system: When you enable this feature, AAA forwards information about system events such as router reboots or the disabling of AAA accounting.
Here is an example of an exec log entry:
Fri Jan 3 11:11:40 2003 toronto ijbrown tty67 172.25.1.1 start task_id=514 start_time=1041610300 timezone=EST service=shell
Fri Jan 3 11:18:47 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=514 start_time=1041610300 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=427 nas-rx-speed=0 nas-tx-speed=0
These two records show that user ijbrown logged into router toronto at 11:11:40 AM on January 3rd, 2003, and stayed connected for 427 seconds. This information is useful for security auditing, and can also be used for billing purposes if required. For example, if you are using this router to provide PAD or terminal server services to paying customers, this would be an ideal way to gather billing information.
Here is an example of a connection log event:
Fri Jan 3 11:30:19 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=522 start_time=1041611404 timezone=EST service=connection protocol=telnet addr=10.2.2.2 cmd=telnet 10.2.2.2 pre-bytes-in=0 pre-bytes-out=0 pre-paks-in=0 pre-paks-out=0 bytes_in=1843 bytes_out=81 paks_in=43 paks_out=50 connect-progress=47 elapsed_time=15 nas-rx-speed=0 nas-tx-speed=0
In this record, you can see that user ijbrown initiated a Telnet session to IP address 10.2.2.2 and terminated it 15 seconds later. You can even see the total number of bytes and packets both sent and received by the Telnet process.
The system event log entries look like this:
Fri Jan 3 11:35:19 2003 toronto unknown unknown unknown stop task_id=265 start_time=1041611719 timezone=EST service=system event=sys_acct reason=shutdown
Fri Jan 3 11:37:35 2003 toronto unknown unknown unknown start task_id=1 timezone=EST service=system event=sys_acct reason=reload
These records show that somebody reloaded the router called toronto at 11:35 on January 3, 2003. It came back up at 11:37, some 2 minutes later. Notice that the system event logging did not capture information on the user who submitted the reload command; the username, port, and address fields all read unknown. That information could be captured using command logging.
Actually, this points out an interesting side benefit to capturing this information on a central server. If you were just using regular system logging in the router’s log buffer, this information would be lost during the reboot. However, by storing system events on the TACACS+ server, you don’t lose anything when the router reboots. For more information regarding logging, please see Chapter 18.
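The records above share one layout: a timestamp, the router name, username, port, remote address, and start/stop, followed by attribute=value pairs. The following parser is an added example (not code from the book) that reads such records from a central log, pairs exec start and stop entries by task_id to compute session length, summarises connection records, and flags system events, whose header fields are always unknown. The sample records are constructed from the entries shown on this page.

```python
from datetime import datetime

# Constructed sample log, modelled on the exec, connection, and system records above.
SAMPLE_LOG = """\
Fri Jan 3 11:11:40 2003 toronto ijbrown tty67 172.25.1.1 start task_id=514 start_time=1041610300 timezone=EST service=shell
Fri Jan 3 11:18:47 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=514 start_time=1041610300 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=427 nas-rx-speed=0 nas-tx-speed=0
Fri Jan 3 11:30:19 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=522 start_time=1041611404 timezone=EST service=connection protocol=telnet addr=10.2.2.2 cmd=telnet 10.2.2.2 pre-bytes-in=0 pre-bytes-out=0 pre-paks-in=0 pre-paks-out=0 bytes_in=1843 bytes_out=81 paks_in=43 paks_out=50 connect-progress=47 elapsed_time=15 nas-rx-speed=0 nas-tx-speed=0
Fri Jan 3 11:35:19 2003 toronto unknown unknown unknown stop task_id=265 start_time=1041611719 timezone=EST service=system event=sys_acct reason=shutdown
Fri Jan 3 11:37:35 2003 toronto unknown unknown unknown start task_id=1 timezone=EST service=system event=sys_acct reason=reload
"""

def parse_record(line):
    """Split one record into its fixed header fields and its attribute=value pairs."""
    tok = line.split()
    if len(tok) < 10 or tok[9] not in ("start", "stop"):
        raise ValueError("not an accounting record: " + line)
    rec = {"time": datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y"),
           "nas": tok[5], "user": tok[6], "port": tok[7], "remote": tok[8], "status": tok[9]}
    attrs, last = {}, None
    for t in tok[10:]:
        if "=" in t:
            last, val = t.split("=", 1)
            attrs[last] = val
        elif last is not None:
            attrs[last] += " " + t  # 'cmd=telnet 10.2.2.2': a value with an embedded space
    rec["attrs"] = attrs
    return rec

def audit(log_text):
    """Pair exec start/stop by task_id, summarise connections, and flag system events."""
    starts, findings = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        a, svc = rec["attrs"], rec["attrs"].get("service")
        if svc == "shell" and rec["status"] == "start":
            starts[(rec["nas"], a["task_id"])] = rec["time"]
        elif svc == "shell" and (rec["nas"], a["task_id"]) in starts:
            secs = int((rec["time"] - starts.pop((rec["nas"], a["task_id"]))).total_seconds())
            findings.append(("exec", rec["user"], rec["nas"], secs))
        elif svc == "connection":
            findings.append(("connection", rec["user"], a.get("addr"), int(a.get("elapsed_time", 0))))
        elif svc == "system":
            # Header fields are 'unknown' here: the actor behind a reload is not in this record.
            findings.append(("system", a.get("reason"), rec["user"], rec["time"].strftime("%H:%M:%S")))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

The computed exec duration (427 seconds) matches the elapsed_time attribute in the stop record, which is a useful cross-check when a stop record arrives without its start.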