Logging System Events

Problem

You want to log various system events.

Solution

AAA Accounting includes the ability to log a variety of system events, including timestamps, along with associated usernames:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa accounting exec default start-stop group tacacs+
Router1(config)#aaa accounting connection default start-stop group tacacs+
Router1(config)#aaa accounting system default stop-only group tacacs+
Router1(config)#end
Router1#

Discussion

In addition to capturing keystroke logs, AAA accounting can gather other useful pieces of information, such as exec, connection, and system events:

exec

This feature captures and timestamps the beginning and ending of a user's Exec session on the router.

connection

This allows you to gather information about outgoing connections using an interactive protocol such as Telnet, SSH, or RSH.

system

When you enable this feature, AAA forwards information about system events such as router reboots or the disabling of AAA accounting.

Here is an example of an exec log entry:

Fri Jan  3 11:11:40 2003        toronto ijbrown tty67   172.25.1.1      start   task_id=514 start_time=1041610300   timezone=EST    service=shell

Fri Jan 3 11:18:47 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=514 start_time=1041610300 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=427 nas-rx-speed=0 nas-tx-speed=0

These two records show that user ijbrown logged into router toronto at 11:11:40 AM on January 3rd, 2003, and stayed connected for 427 seconds. This information is useful for security auditing, and can also be used for billing purposes, if required. For example, if you are using this router to provide PAD or terminal server services to paying customers, this would be an ideal way to gather billing information.

Here is an example of a connection log event:

Fri Jan  3 11:30:19 2003        toronto ijbrown tty67   172.25.1.1      stop    task_id=522start_time=1041611404   timezone=EST    service=connection      protocol=telnet addr=10.2.2.2 cmd=telnet 10.2.2.2     pre-bytes-in=0  pre-bytes-out=0 pre-paks-in=0   pre-paks-out=0  bytes_in=1843   bytes_out=81    paks_in=43      paks_out=50     connect-progress=47     elapsed_time=15 nas-rx-speed=0  nas-tx-speed=0

In this record, you can see that user ijbrown initiated a Telnet session to IP address 10.2.2.2 and terminated it 15 seconds later. You can even see the total number of bytes and packets both sent and received by the Telnet process.

The system event log entries look like this:

Fri Jan  3 11:35:19 2003        toronto unknown unknown unknown stop    task_id=265 start_time=1041611719   timezone=EST    service=system  event=sys_acct  reason=shutdown

Fri Jan 3 11:37:35 2003 toronto unknown unknown unknown start task_id=1 timezone=EST service=system event=sys_acct reason=reload

These records show that somebody reloaded the router called toronto at 11:35 on January 3, 2003. It came back up at 11:37, about two minutes later. Notice that the system event logging did not capture information on the user who submitted the reload command; that information could be captured using command logging.

Actually, this points out an interesting side benefit to capturing this information on a central server. If you were just using regular system logging in the router's log buffer, this information would be lost during the reboot. However, by storing system events on the TACACS+ server, you don't lose anything when the router reboots. For more information regarding logging, please see Chapter 18.
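As an added example (not from the book or from Cisco), the following Python parser reads accounting records in the format shown above, pairs exec start/stop records by task_id to recover session durations, and flags system reload events. The sample records are constructed copies of the entries discussed in this recipe, and the field layout (timestamp, router name, username, port, remote address, start/stop, then attribute=value pairs) is assumed from those entries.

```python
import re
from datetime import datetime

# Constructed sample records, in the layout shown above (column spacing varies by record).
SAMPLE = """\
Fri Jan  3 11:11:40 2003        toronto ijbrown tty67   172.25.1.1      start   task_id=514 start_time=1041610300   timezone=EST    service=shell
Fri Jan  3 11:18:47 2003 toronto ijbrown tty67 172.25.1.1 stop task_id=514 start_time=1041610300 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=427 nas-rx-speed=0 nas-tx-speed=0
Fri Jan  3 11:35:19 2003        toronto unknown unknown unknown stop    task_id=265 start_time=1041611719   timezone=EST    service=system  event=sys_acct  reason=shutdown
Fri Jan  3 11:37:35 2003 toronto unknown unknown unknown start task_id=1 timezone=EST service=system event=sys_acct reason=reload
"""

# Assumed fixed fields: timestamp, router (NAS) name, user, port, remote address,
# start|stop, followed by attribute=value pairs separated by whitespace.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<nas>\S+)\s+(?P<user>\S+)\s+(?P<port>\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<type>start|stop)\s+(?P<attrs>.*)$"
)

def parse_record(line):
    """Return one record as a dict, or None if the line is not an accounting record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Collapse the padded day field ("Jan  3") before parsing the timestamp.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    rec["attrs"] = dict(kv.split("=", 1) for kv in rec.pop("attrs").split() if "=" in kv)
    return rec

def summarize(text):
    """Pair exec sessions by task_id and collect reload events from system records."""
    sessions = {}   # task_id -> user, router, start/stop timestamps, reported elapsed time
    reloads = []    # (router, timestamp) for each service=system reason=reload record
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        a = rec["attrs"]
        if a.get("service") == "system" and a.get("reason") == "reload":
            reloads.append((rec["nas"], rec["ts"]))
        elif a.get("service") == "shell" and "task_id" in a:
            s = sessions.setdefault(a["task_id"], {"user": rec["user"], "nas": rec["nas"]})
            s[rec["type"]] = rec["ts"]
            if rec["type"] == "stop":
                s["elapsed"] = int(a.get("elapsed_time", 0))
    return sessions, reloads
```

Feeding the parser a file of records collected on the TACACS+ server lets you cross-check the router's own elapsed_time against the start/stop timestamps and list every reload, including those for which the username is recorded as unknown.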

See Also