Does ASA have a feature to record who/when made a change to configuration/NVRAM like a router?

Hi, does anyone know if ASA has a feature to record who/when made a change to configuration/NVRAM like a router? Thank you
eemoon Asked:

NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Cisco routers and ASA don't have a capability to record the list of changes made on the device.

It can display in the logs that "there was a change done on the device" ...

If you need each and every command to be captured, then you have to have TACACS in the network and enable AAA on both ASA and routers.
0
eemoon (Author) Commented:
Thank you so much for your fast reply.
Sorry that I did not make it clear in the question above. The router has a feature which can record who was the last person to make a change to running-config and startup-config, shown when using the command show running-config, but I have not seen that ASA has this feature yet.
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Got it. I believe this command on ASA, "logging console notifications", will help you to find the last configuration changes.
0

eemoon (Author) Commented:
Thank you so much. I think you are right. I will test it and get back here.

Here is what I want to see in ASA, like the router:

R3#sh run
Building configuration...

Current configuration : 1076 bytes
!
! Last configuration change at 02:19:36 UTC Fri Mar 1 2002 by test
! NVRAM config last updated at 02:19:33 UTC Fri Mar 1 2002 by test
!
0
arnold Commented:
Do you have multiple logins, as pointed out, using RADIUS authentication to allow access into the ASA?
If you have a shared login, it is more difficult. Syslog logging, as was pointed out, could help identify when someone logs in and when a change was made.

There are schemes to manage configs while maintaining versions and changes.
0
Jan Springer Commented:
If you have logging configured, configuration changes and the commands will be logged and identify the account.  I log all ASAs to a syslog server.  It's important that everyone use their own respective log in and not use a shared account (except as backup).
0
eemoon (Author) Commented:
Thank you for your reply. It looks like ASA itself does not have a feature to show the last person changing the configuration in the output of show running-config like the router, right?
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Yep. ASA doesn't have a default option to show the details like the router.
0
eemoon (Author) Commented:
Got it. I believe this command on ASA, "logging console notifications", will help you to find the last configuration changes.

Can "logging console notifications" let us know about the change? I used it, and it did not show anything special. Maybe I did not use it correctly.
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Yes.

You can apply this command to store the logs in your ASA. If you can post the current ASA logging config, I can suggest the proposed config.

Can you get the below command output from your ASA?

#sh run | i log
0
eemoon (Author) Commented:
Thank you.
Here is what I did:

ASA3(config)# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           23.1.1.3        YES CONFIG up                    up  
GigabitEthernet1           192.168.1.3     YES CONFIG up                    up  
GigabitEthernet2           unassigned      YES unset  administratively down up  

ASA3(config)# int g2
ASA3(config-if)# no sh
ASA3(config-if)#
ASA3(config-if)#
ASA3(config-if)# sh run | i log
logging console notifications
ASA3(config-if)#
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
In addition to the above config, please apply the below commands as well.

logging enable
logging timestamp
logging buffered notifications

Once you have applied them, you can verify the logging status:

#sh logging
0
eemoon (Author) Commented:
logging enable
logging timestamp
logging buffered notifications

The three commands above are necessary for show log. Why isn't logging console notifications necessary if we use show logging?
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Explanations of the commands below:

logging enable  ==> Enable logging on the ASA device
logging timestamp  ==> This will help to store the logs with exact time.
logging buffered notifications ==> This will help to store the logs in ASA memory

logging console notifications ==> This will display the logs on the console session. It's optional if you have enabled the above 3 lines

Thanks
0

eemoon (Author) Commented:
Very good. So ASA itself has this kind of function after adding these commands, but it cannot show the username of who changed the config, right?
0
NetExpert Network Solutions Pte Ltd, Technical Specialist, Commented:
Once you have applied those commands, you can see the username of the ASA in the log
0
eemoon (Author) Commented:
Thank you so much for your excellent explanation!
0
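
Added example (not part of the original thread and not Cisco's code): with the logging commands from the thread applied, the buffered log can be reduced to the two "last change" lines the router prints in show running-config. This Python example assumes the `show logging` output has been saved as text, that executed commands appear as syslog message 111008 in the layout shown, and that user names beginning with `enable_` indicate a generic, non-personal login; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample of `show logging` output with `logging timestamp` enabled.
SAMPLE_LOG = """\
Mar 01 2002 02:18:50: %ASA-5-111008: User 'enable_15' executed the 'interface GigabitEthernet2' command.
Mar 01 2002 02:19:20: %ASA-5-111007: Begin configuration: console reading from terminal
Mar 01 2002 02:19:33: %ASA-5-111008: User 'test' executed the 'write memory' command.
Mar 01 2002 02:19:36: %ASA-5-111008: User 'test' executed the 'no shutdown' command.
"""

# Assumed layout of message 111008 (severity 5, i.e. "notifications").
CMD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-5-111008: "
    r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.\s*$"
)
# Assumption: a save to startup-config is logged with one of these spellings.
SAVE_CMDS = {"write memory", "copy running-config startup-config"}


def parse_changes(text):
    """Return (timestamp, user, command) for every 111008 line, in log order."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["user"], m["cmd"]))
    return events


def _fmt(prefix, event):
    """Render one event in the style of the IOS header lines, or None."""
    if event is None:
        return None
    ts, user, _ = event
    return f"{prefix} at {ts:%H:%M:%S %a %b} {ts.day} {ts.year} by {user}"


def summarize(text):
    """Rebuild the two IOS-style lines and list generic accounts that made changes."""
    events = parse_changes(text)
    newest = lambda evs: max(evs, key=lambda e: e[0], default=None)
    saves = [e for e in events if e[2] in SAVE_CMDS]
    edits = [e for e in events if e[2] not in SAVE_CMDS]
    return {
        "last_change": _fmt("Last configuration change", newest(edits)),
        "last_save": _fmt("NVRAM config last updated", newest(saves)),
        "shared_accounts": sorted({u for _, u, _ in events if u.startswith("enable_")}),
    }
```

A non-empty `shared_accounts` list means some changes cannot be tied to a person, which is the shared-login problem raised earlier in the thread.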

Question has a verified solution.