Thanks to John and Daniel...<br><br><br>Daniel - you're right on the money. I did have ping defined as a priv-lvl 3 command on the router.<br><br>privilege exec level 3 ping ip<br>privilege exec level 3 ping<br><br>Note that if I do not configure "privilege exec level 3 ping ip" it appears as a priv-lvl1 command.<br>
<br>Thu Dec 3 09:12:08 2009 203.17.101.x hdtest tty3 210.15.210.y stop task_id=108 timezone=AEDT service=shell start_time=1259791962priv-lvl=1 cmd=ping 210.15.254.x <cr><br><br>Same deal with traceroute. If you want to see the traceroute appear as something other than a priv-lvl1 command, you need both traceroute and traceroute ip configured.<br>
<br>Therefore, I will withdraw everything said about the caveats in my earlier post, however, but be aware that Cisco does place their ping command in different privilege levels depending on the IOS and/or hardware platform you're running. For example on 124-24.T1 and 122-31.SB14, ping defaults to a priv-lvl 1 command but on the newer ASR which we're running 122-33.XNB3, I have to enable into a higher privilege level to run the ping command (it does not default to a priv-lvl1 command).<br>
<br>Cheers.<br><br>Andy<br><br><div class="gmail_quote">On Thu, Dec 3, 2009 at 2:48 AM, Schmidt, Daniel <span dir="ltr"><<a href="mailto:dan.schmidt@uplinkdata.com">dan.schmidt@uplinkdata.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
That should not be, Cisco only uses 0,1 and 15 by default. You have not<br>
done any privilege exec level commands?<br>
<div><div></div><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a><br>
[mailto:<a href="mailto:tac_plus-bounces@shrubbery.net">tac_plus-bounces@shrubbery.net</a>] On Behalf Of Andy Saykao<br>
Sent: Tuesday, December 01, 2009 8:13 PM<br>
To: john heasley<br>
Cc: <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
Subject: [tac_plus] Re: Can you log ping and traceroute commands?<br>
<br>
Hi All,<br>
<br>
Turns out IOS wasn't broken after all. It appears that IOS sees a ping<br>
command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured<br>
for<br>
accounting.<br>
<br>
aaa accounting commands 3 default start-stop group tacacs+<br>
<br>
A 'debug aaa accounting' helped me figure out that ping command is a<br>
priv-lvl 3 command.<br>
<br>
Dec 2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1'<br>
ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x'<br>
authen_type=ASCII<br>
service=NONE priv=3 initial_task_id='0', vrf= (id=0)<br>
<br>
Once I added priv-lvl 3 commands to aaa accounting, it showed up in the<br>
logs<br>
now.<br>
<br>
Wed Dec 2 13:55:58 2009 203.17.101.y user1 tty2<br>
210.15.210.x<br>
stop task_id=42 timezone=AEDT service=shell<br>
start_time=1259722589 priv-lvl=3 cmd=ping 210.15.254.x <cr><br>
<br>
Just a caveat with this, ping is priv-lvl3 on the two IOS I tested, but<br>
traceroute showed up as priv-lvl3 using 122-31.SB13 and privi-lvl15<br>
using<br>
124-24.T1. That's Cisco for you with their priv-lvl's...<br>
<br>
Glad to finally get to the bottom of this.<br>
<br>
Cheers.<br>
<br>
Andy<br>
<br>
On Fri, Nov 27, 2009 at 5:19 PM, john heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>><br>
wrote:<br>
<br>
> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:<br>
> > Hi All,<br>
> ><br>
> > I've set up a hdtest user that can run privilege commands by using<br>
> > privilege-level 3 and going into "enable 3". Whilst the user can run<br>
the<br>
> > privilege commands like ping and traceroute, I am not seeing these<br>
> commands<br>
> > appear in the accounting logs for this user.<br>
> ><br>
> > It looks like the command 'ping' does not appear anywhere in the log<br>
even<br>
> > when I use a privilege-level 15 user, so I can only assume that this<br>
is<br>
> the<br>
> > desired behaviour. But with traceroute, I see it appearing in the<br>
logs<br>
> for a<br>
> > privilege-level 15 user but not for a privilege-level 3 user? Any<br>
ideas<br>
> why<br>
> > this is so or how to see it in the log for a privilege-level 3 user?<br>
><br>
> that'd seem a clear indication that your ios is broken.<br>
><br>
</div></div>-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL:<br>
<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20091202/14625dd%0A5/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20091202/14625dd<br>
5/attachment.html</a><br>
<div><div></div><div class="h5">_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br>