
How to monitor local user accounts

How is the best way to monitor for local user accounts being added, changed or deleted from Cisco IOS and Nexus switches?

Thanks,

Terry

  • taltom​,

    I would use NCM, first by downloading the Configurations and then using Policies to look for items added in my AAA block. You could also use Realtime Change Detection to do that for any change not just new local accounts. This leverages Syslog messages as a trigger to backup and compare the configuration to the previous one.

    Best Regards,

    Derik Pfeffer

    Loop1 Systems: SolarWinds Training and Professional Services

        LinkedIN: Loop1 Systems

        Facebook: Loop1 Systems

        Twitter: @Loop1Systems
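The approach above (back up the config when a change is signalled, then compare it with the previous copy and look for account lines) can be sketched in a few lines. The following is an added example, not code from the thread or from SolarWinds NCM: it uses constructed config snapshots and constructed syslog lines, and treats the IOS `%SYS-5-CONFIG_I` message (emitted when someone leaves configuration mode) as the trigger to diff the `username` lines. Hostnames, usernames and the hash values are placeholders.

```python
"""Added example (not from the thread or SolarWinds): detect local-account
changes on Cisco IOS-style configs by diffing `username` lines between two
snapshots, triggered by a config-change syslog message."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: previous and current running-config snapshots (placeholder hashes).
OLD_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username backup privilege 1 secret 5 $1$efgh$placeholderhash
line vty 0 4
 login local
"""
NEW_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username backup privilege 15 secret 5 $1$efgh$placeholderhash
username svc-ops privilege 15 secret 5 $1$ijkl$placeholderhash
line vty 0 4
 login local
"""

# Constructed syslog lines; %SYS-5-CONFIG_I is the IOS message logged on leaving config mode.
SYSLOG_LINES = [
    "<189>1234: core-sw1: *Mar  1 10:00:01.000: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
    "<189>1235: core-sw1: *Mar  1 10:02:13.000: %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.0.0.5)",
]

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
CONFIG_TRIGGER_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (.+?) by (\S+)")


def local_accounts(config: str) -> Dict[str, str]:
    """Map each local username to the remainder of its line (privilege, secret, ...)."""
    accounts: Dict[str, str] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            accounts[m.group(1)] = m.group(2)
    return accounts


def diff_accounts(old: str, new: str) -> Dict[str, List[str]]:
    """Report accounts added, removed, or whose attributes (e.g. privilege) changed."""
    before, after = local_accounts(old), local_accounts(new)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(u for u in set(before) & set(after) if before[u] != after[u]),
    }


def config_change_triggers(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, operator) for each syslog line that signals a config change."""
    hits = []
    for line in lines:
        m = CONFIG_TRIGGER_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def review_on_trigger(lines: List[str], old: str, new: str) -> Optional[dict]:
    """Only diff the configs when a change-trigger message was seen; otherwise do nothing."""
    triggers = config_change_triggers(lines)
    if not triggers:
        return None
    return {"triggered_by": triggers, "diff": diff_accounts(old, new)}


if __name__ == "__main__":
    print(review_on_trigger(SYSLOG_LINES, OLD_CONFIG, NEW_CONFIG))
```

In practice the two snapshots would come from the backups NCM stores, and the "changed" bucket is the one worth alerting on alongside "added": a privilege bump on an existing account is as significant as a new one, and a plain presence check would miss it.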

  • Derik,

    I'm using NCM for some compliance reports in a similar way.  I'd like to setup a real-time alert of any user account activities that happen.  I looked into LEM for alerts on this type of activity, but didn't see a hit when I created a new local user account on a switch.  This was looking at MONITOR, Change Management, User Account Changes. It does increment when I go out of config mode, though.

  • When you perform one of those actions on your router (add, modify, delete) are you able to see the event in nDepth?

    If you are able to see the event, but the rule didn't fire then it may be logging as a slightly different event than what the rule is looking for.  For Windows you'll typically see NewDomainMember or NewGroupMember depending on what you're doing with the account, but for a router you may see something entirely different, SystemStatus or PolicyModify or even other events.

    As a result if you're using a template rule it may not match up directly.  You could add the event types to your existing rule or you could create a new rule for the events that you're seeing.

    If you're not seeing the events at all, then you will want to verify that those particular events are reaching the LEM (maybe you need to adjust the trap level, for instance), before they would be able to trigger a rule to fire.

  • Number one thing to check when you take an action on a Cisco device and don't see a related event in LEM: does your device even log that event type?  Run a show logging on the device; you'd be shocked at how little Cisco logs by default.

    The below doc outlines some of the categories of possible traps you could send if you don't want to crank up the syslog logging level.  I don't know off hand what level user account changes are, but worst case you can set yourself up to debug, make some changes, and then review the logging to see what events you are interested in and how they show up.

    Cisco IOS SNMP Traps Supported and How to Configure Them - Cisco