Cisco ISR 4000 Family Routers Administrator Guidance
Page 20 of 66
8. To generate logging messages for failed and successful login attempts in the evaluated
configuration, issue the login on-failure and login on-success commands:
TOE-common-criteria(config)#login on-failure log
TOE-common-criteria(config)#login on-success log
9. To configure the logs to be sent to a syslog server:
TOE-common-criteria(config)#logging host<ip address of syslog server>
Ex. TOE-common-criteria(config)#logging host192.168.202.169
10. To specify the severity level for logging to the syslog host, use the logging trap command.
Level 7 will send all logs required in the evaluation up to the debug level logs (as enabled
in step 3 above) to the syslog server:
TOE-common-criteria(config)# logging trap 7
WARNING: this setting has the ability to generate a large number of events that could
affect the performance of your device, network, and syslog host.
11. To configure the syslog history table use the logging history command. The severity level
are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest
severity level (that is, the lower the number, the more critical the message). Specifying a
level causes messages at that severity level and numerically lower levels to be stored in the
router's history table. To change the number of syslog messages stored in the router's
history table, use the logging history size global configuration command. The range of
messages that can be stored is 1-500. When the history table is full (that is, it contains the
maximum number of message entries specified with the logging history size command),
the oldest message entry is deleted from the table to allow the new message entry to be
stored.
TOE-common-criteria(config)# logging history <level>
TOE-common-criteria(config)# logging history size <number>
3.3.4 Usage of Embedded Event Manager
In order to ensure that all commands executed by a level 15 user are captured in a syslog record,
the following Cisco Embedded Event Manager script can be used. Enter it at the CLI as follows:
Switch(config)#event manager applet cli_log
Switch(config-applet)#event cli pattern ".*" sync yes
Switch(config-applet)#action 1.0 info type routername
Switch(config-applet)#action 2.0 if $_cli_privilege gt "0"
Switch(config-applet)#action 3.0 syslog msg "host[$_info_routername]
user[$_cli_username] port[$_cli_tty] exec_lvl[$_cli_privilege] command[$_cli_msg]
Executed"
Switch(config-applet)#action 4.0 end
Switch(config-applet)#action 5.0 set _exit_status "1"
To Next Page
Loading...
Need help?
General
