Recipe 4.6 Logging System Events

4.6.1 Problem

You want to log various system events.

4.6.2 Solution

AAA accounting includes the ability to log a variety of system events, including timestamps along with associated usernames:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa accounting exec default start-stop group tacacs+
Router1(config)#aaa accounting connection default start-stop group tacacs+
Router1(config)#aaa accounting system default stop-only group tacacs+
Router1(config)#end
Router1#

4.6.3 Discussion

In addition to capturing keystroke logs, AAA accounting can gather other useful pieces of information such as EXEC, connection, and system events.

exec

This feature captures and timestamps the beginning and ending of a user's EXEC session on the router.

connection

This feature allows you to gather information about outgoing connections using an interactive protocol such as Telnet, SSH, or RSH.

system

When you enable this feature, AAA forwards information about system events such as router reboots or the disabling of AAA accounting.

Here is an example of an EXEC log entry:

Fri Jan  3 11:11:40 2003        toronto ijbrown tty67   172.25.1.1
start   task_id=514 start_time=1041610300   timezone=EST    service=shell
   
Fri Jan  3 11:18:47 2003        toronto ijbrown tty67   172.25.1.1      
stop    task_id=514 start_time=1041610300   timezone=EST    service=shell   
disc-cause=1   disc-cause-ext=1020 connect-progress=101    elapsed_time=427        
nas-rx-speed=0  nas-tx-speed=0

These two records show that user ijbrown logged into router toronto at 11:11:40 AM on January 3, 2003, and stayed connected for 427 seconds. This information is useful for security auditing, and it can also be used for billing purposes if required. For example, if you are using this router to provide PAD or terminal server services to paying customers, this is an ideal way to gather billing information.

Here is an example of a connection log event:

Fri Jan  3 11:30:19 2003        toronto ijbrown tty67   172.25.1.1
stop    task_id=522 start_time=1041611404   timezone=EST   service=connection
protocol=telnet addr=10.2.2.2 cmd=telnet 10.2.2.2    pre-bytes-in=0  pre-bytes-out=0
pre-paks-in=0   pre-paks-out=0  bytes_in=1843  bytes_out=81  paks_in=43   paks_out=50
connect-progress=47   elapsed_time=15 nas-rx-speed=0  nas-tx-speed=0

In this record you can see that user ijbrown initiated a Telnet session to IP address 10.2.2.2, and terminated it 15 seconds later. You can even see the total number of bytes and packets both sent and received by the Telnet process.

The system event log entries look like this:

Fri Jan  3 11:35:19 2003       toronto unknown unknown unknown stop   task_id=265 
start_time=1041611719   timezone=EST   service=system  event=sys_acct  
reason=shutdown

Fri Jan  3 11:37:35 2003       toronto unknown unknown unknown start   task_id=1 
timezone=EST    service=system  event=sys_acct  reason=reload

These records show that somebody reloaded the router called toronto at 11:35 on January 3, 2003. It came back up at 11:37 some two minutes later. Notice that the system event logging did not capture information on the user who submitted the reload command. That information could be captured using command logging.
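The three record types above share one layout: a ctime-style timestamp, the NAS name, username, port and client address, a start/stop status, and then attribute=value pairs that may continue onto following lines (and whose values may contain spaces, as in cmd=telnet 10.2.2.2). The following parser is an added example, not code from the book or from Cisco; it assumes the records are stored in the text form shown in this recipe and uses a sample constructed from the EXEC, connection and system records above. It pairs EXEC start/stop records, cross-checks the server's elapsed_time against the two timestamps, summarises connection records, and lists the system events that carry no username, which are the ones an auditor must correlate with command accounting.

```python
"""Parse TACACS+ AAA accounting records in the text form shown in the recipe.
Added example (not the book's or Cisco's code). Assumptions: one record per
stanza, header fields in the order shown above, attribute=value pairs after
the status word, continuation lines belonging to the preceding record."""
import re
from datetime import datetime

# Constructed sample, built from the recipe's EXEC, connection and system records.
SAMPLE_LOG = """\
Fri Jan  3 11:11:40 2003        toronto ijbrown tty67   172.25.1.1
start   task_id=514 start_time=1041610300   timezone=EST    service=shell

Fri Jan  3 11:18:47 2003        toronto ijbrown tty67   172.25.1.1
stop    task_id=514 start_time=1041610300   timezone=EST    service=shell
disc-cause=1   disc-cause-ext=1020 connect-progress=101    elapsed_time=427
nas-rx-speed=0  nas-tx-speed=0

Fri Jan  3 11:30:19 2003        toronto ijbrown tty67   172.25.1.1
stop    task_id=522 start_time=1041611404   timezone=EST   service=connection
protocol=telnet addr=10.2.2.2 cmd=telnet 10.2.2.2    pre-bytes-in=0  pre-bytes-out=0
pre-paks-in=0   pre-paks-out=0  bytes_in=1843  bytes_out=81  paks_in=43   paks_out=50
connect-progress=47   elapsed_time=15 nas-rx-speed=0  nas-tx-speed=0

Fri Jan  3 11:35:19 2003       toronto unknown unknown unknown stop   task_id=265
start_time=1041611719   timezone=EST   service=system  event=sys_acct
reason=shutdown

Fri Jan  3 11:37:35 2003       toronto unknown unknown unknown start   task_id=1
timezone=EST    service=system  event=sys_acct  reason=reload
"""

# A record begins with a ctime-style timestamp; other non-blank lines continue it.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}")
# key=value where the value runs up to the next "key=" token or the end of the record,
# so a value containing spaces (cmd=telnet 10.2.2.2) is kept whole.
AV_PAIR = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|\s*$)")


def split_records(text):
    """Group physical lines into one logical line per accounting record."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current:
                records.append(" ".join(current))
            current = [line.strip()]
        elif line.strip() and current:
            current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def parse_record(raw):
    """Return header fields plus the attribute=value pairs of one record.
    The client address from the header is stored as 'src' so that the
    connection record's own addr= pair (the destination) does not overwrite it."""
    tokens = raw.split()
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    nas, user, port, src, status = tokens[5:10]
    rec = {"time": when, "nas": nas, "user": user, "port": port, "src": src, "status": status}
    rec.update(AV_PAIR.findall(" ".join(tokens[10:])))
    return rec


def parse_log(text):
    return [parse_record(r) for r in split_records(text)]


def exec_sessions(records):
    """Pair EXEC start/stop records on (nas, user, port, task_id) and check that
    the server-reported elapsed_time agrees with the two record timestamps."""
    starts, sessions = {}, []
    for r in records:
        if r.get("service") != "shell":
            continue
        key = (r["nas"], r["user"], r["port"], r["task_id"])
        if r["status"] == "start":
            starts[key] = r
        elif r["status"] == "stop" and key in starts:
            start = starts.pop(key)
            wall = int((r["time"] - start["time"]).total_seconds())
            elapsed = int(r["elapsed_time"])
            sessions.append({"user": r["user"], "nas": r["nas"], "from": r["src"],
                             "elapsed": elapsed, "wall_clock": wall,
                             "consistent": wall == elapsed})
    return sessions


def connection_summary(records):
    """Outgoing connections: who went where, for how long, and how much data moved."""
    return [{"user": r["user"], "protocol": r["protocol"], "to": r["addr"],
             "bytes_in": int(r["bytes_in"]), "bytes_out": int(r["bytes_out"]),
             "seconds": int(r["elapsed_time"])}
            for r in records if r.get("service") == "connection" and r["status"] == "stop"]


def unattributed_system_events(records):
    """System events carry no username ('unknown'); list them so they can be
    correlated with command accounting from the same period."""
    return [(r["time"].strftime("%H:%M:%S"), r["reason"])
            for r in records if r.get("service") == "system" and r["user"] == "unknown"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(exec_sessions(recs))
    print(connection_summary(recs))
    print(unattributed_system_events(recs))
```

Because the accounting server keeps its own copy of the records, a mismatch between elapsed_time and the timestamp difference, or a shutdown record with no matching reload, is worth a second look during an audit; the reload/shutdown list is also the natural join key for the command-accounting records that do name the user.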

Actually, this points out an interesting side benefit to capturing this information on a central server. If you were just using regular system logging in the router's log buffer, this information would be lost during the reboot. However, by storing system events on the TACACS+ server, you don't lose anything when the router reboots.

4.6.4 See Also

Recipe 4.5; Recipe 4.9