Command of the Day

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

COTD: audit-trail all

By default the "show audit-trail" command will show users logging in, logging out and changes being made in config mode only. The "audit-trail all" configuration command will reveal commands when the user is in exec mode, as well:
Before "audit-trail all":

show audit-trail
Nov 10 12:18:56 fpcli: USER: arubatech has logged in from 10.1.11.76.
Nov 10 12:22:43 fpcli: USER: admin connected from 10.1.11.76 has logged out.
Nov 10 12:24:56 fpcli: USER:arubatech@10.1.11.76 COMMAND: interface gigabitethernet "1/3" -- command executed successfully
Nov 10 12:24:58 fpcli: USER:arubatech@10.1.11.76 COMMAND: interface gigabitethernet "1/3" no spanning-tree -- command executed successfully
Nov 10 12:25:10 fpcli: USER:arubatech@10.1.11.76 COMMAND: write memory -- command executed successfully
Nov 10 12:30:04 fpcli: USER: arubatech connected from 10.1.11.76 has logged out.
Nov 10 18:10:09 fpcli: USER: arubatech has logged in from 62.225.173.97.

After "audit-trail all":

show audit-trail
Nov 11 06:26:26 fpcli: USER:arubatech@62.225.173.97 COMMAND: show audit-trail -- command executed successfully
Nov 11 06:26:36 fpcli: USER:arubatech@62.225.173.97 COMMAND: write memory -- command executed successfully
Nov 11 06:26:38 fpcli: USER:arubatech@62.225.173.97 COMMAND: show audit-trail -- command executed successfully
Nov 11 06:26:55 fpcli: USER:arubatech@62.225.173.97 COMMAND: show ip interface brief -- command executed successfully
Nov 11 06:26:55 fpcli: USER:arubatech@62.225.173.97 COMMAND: show ip route -- command executed successfully


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: COTD: audit-trail all

Thanks Colin. I'll just use something to automatically pull that information each week then since it's not in a syslog.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: COTD: audit-trail all

Hi Greg,

Are you saying you aren't seeing the audit trail in syslog? I just turned up syslog on my test controller and pointed it at 3CDaemon's syslog server, and I see the following:


Oct 22 13:35:02 172.16.0.254 Oct 22 06:31:46 2009 syslogd 1.4.1: restart (remote reception).
Oct 22 13:35:02 172.16.0.254 Oct 22 06:31:46 2009 webui: USER:admin@172.16.0.251 COMMAND: -- command executed successfully
Oct 22 13:35:08 172.16.0.254 Oct 22 06:31:52 2009 webui: USER:admin@172.16.0.251 COMMAND: -- command executed successfully
Oct 22 13:36:41 172.16.0.254 Oct 22 06:33:25 2009 fpcli: USER: admin has logged in from 172.16.0.251.
Oct 22 13:38:37 172.16.0.254 Oct 22 06:35:21 2009 fpcli: USER:admin@172.16.0.251 COMMAND: -- command executed successfully
Oct 22 13:38:48 172.16.0.254 Oct 22 06:35:32 2009 fpcli: USER:admin@172.16.0.251 COMMAND: -- command executed successfully


The fpcli tag is my SSH connection, webui obviously is the web interface. You aren't seeing these in your syslog?

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
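
Added example (not part of any post in this thread, and not Aruba code): a Python parser for the two record layouts quoted above, the local "show audit-trail" form and the syslog-relayed form, that flags logins from outside a management range and every recorded command that is not a "show". The function names, the MGMT_NETS ranges and the choice of checks are assumptions; the sample lines are copied from the posts above.

```python
import ipaddress
import re

# Sample lines copied from the posts in this thread (local and syslog-relayed forms).
SAMPLE = """\
Nov 10 12:18:56 fpcli: USER: arubatech has logged in from 10.1.11.76.
Nov 10 12:24:58 fpcli: USER:arubatech@10.1.11.76 COMMAND: interface gigabitethernet "1/3" no spanning-tree -- command executed successfully
Nov 10 12:25:10 fpcli: USER:arubatech@10.1.11.76 COMMAND: write memory -- command executed successfully
Nov 10 12:30:04 fpcli: USER: arubatech connected from 10.1.11.76 has logged out.
Nov 10 18:10:09 fpcli: USER: arubatech has logged in from 62.225.173.97.
Nov 11 06:26:55 fpcli: USER:arubatech@62.225.173.97 COMMAND: show ip route -- command executed successfully
Oct 22 13:36:41 172.16.0.254 Oct 22 06:33:25 2009 fpcli: USER: admin has logged in from 172.16.0.251.
Oct 22 13:35:02 172.16.0.254 Oct 22 06:31:46 2009 webui: USER:admin@172.16.0.251 COMMAND: -- command executed successfully
""".splitlines()
MGMT_NETS = ["10.0.0.0/8", "172.16.0.0/12"]  # assumption: ranges admins should log in from

# The first timestamp on the line is captured; on relayed lines that is the receiver's.
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
HEAD = TS + r".*?\b(?P<iface>\w+): USER:"  # iface is fpcli (CLI/SSH) or webui
CMD = re.compile(HEAD + r"(?P<user>[^@\s]+)@(?P<ip>[\d.]+) COMMAND:\s*(?P<cmd>.*?)\s*-- (?P<result>.+)$")
LOGIN = re.compile(HEAD + r" (?P<user>\S+) has logged in from (?P<ip>[\d.]+)\.$")

def parse(line):
    """Return a dict for a login or command record, or None for anything else."""
    for kind, rx in (("command", CMD), ("login", LOGIN)):
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def review(lines, mgmt_nets):
    """Flag logins from outside mgmt_nets and every non-empty command that is not a 'show'."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["kind"] == "login":
            src = ipaddress.ip_address(rec["ip"])
            if not any(src in n for n in nets):
                findings.append(("login-outside-mgmt", rec["ts"], rec["user"], rec["ip"]))
        elif rec["cmd"] and not rec["cmd"].startswith("show"):
            findings.append(("non-show-command", rec["ts"], rec["user"], rec["cmd"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, MGMT_NETS):
        print(finding)
```
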
Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: COTD: audit-trail all

Right, which log should they be showing up on? I've checked all of them through the CLI and don't see them. Currently going to syslog I have

Users - lvl 5
Security - lvl 4
wireless - lvl 4
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: COTD: audit-trail all

I didn't specify a level; I'll have to go back and test it individually if no one has the answer before I do. My logging configuration was simply:

logging 172.16.0.251


I was getting everything to the same server, but hadn't specified anything other than the default levels in my configuration. I'll try to test it out this weekend and get back to you.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: COTD: audit-trail all

It's coming out of the system logs. The entire system category is set to warning, which works. I currently set this and am still seeing the logs:
logging level notifications system subcat configuration
logging 172.16.0.251


Hope that helps,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: COTD: audit-trail all

Odd. I have set it exactly how you have yours, and here is the only thing I get:

Oct 26 08:43:20 :326091: |AP epca-wap-A1694@xxx.xxx.103.151 sapd| AM: Radio Stats: APs=3 STAs=0 Mon-APs=37 Mon-STAs=0
Oct 26 08:43:20 :326091: |AP fdc-wap-102-1@xxx.xxx.55.161 sapd| AM: Radio Stats: APs=3 STAs=0 Mon-APs=8 Mon-STAs=0
Oct 26 08:43:21 :326091: |AP epca-wap-A2826@xxx.xxx.103.154 sapd| AM: Radio Stats: APs=3 STAs=2 Mon-APs=34 Mon-STAs=2
Oct 26 08:43:24 :326091: |AP epca-wap-A1697@xxx.xxx.103.145 sapd| AM: Radio Stats: APs=3 STAs=1 Mon-APs=11 Mon-STAs=5
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: COTD: audit-trail all

Can you post any of the logging commands you see in your config? I think you increased a number of logging levels; it would be good to make sure some of them didn't accidentally get decreased or turned off.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: COTD: audit-trail all

Thanks Andy, I just decided to wipe all logging commands out on that controller and add them again. Mysteriously I can now see them. Not sure what the problem was.
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: COTD: audit-trail all

Well, at least it's fixed :)

I would guess probably somewhere in the logging commands it was suppressing the configuration commands, not sure why. If it happens again I would open up a TAC case for sure.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks