[Sagar38]

Hello everyone,

I'm having some troubles finding a guide or document on how to enable
audit in routers.

I've read the Cisco IOS System Messages Guide vol 1 & 2, for version
12.4 (which is the one I'm running on my router).
"http://www.cisco.com/en/US/products/ps6350/
products_system_message_guides_list.html"

In that guide you can find all messages with their explanation.

I turned on logging on my router correctly and I'm sending everything
to a syslog server.
The logging trap level is set to debug, so I'm also getting every
lower level.

The router is sending messages, for example, for facility codes SYS,
LINEPROTO, LINK, SSH, PARSER, SNMP and SEC.

As soon as I turned on logging I started to get SYS, LINK and
LINEPROTO messages, but to get the SEC messages I had to turn on
logging on each ACL by adding the keyword "log" or "log-input".
Something similar happens with PARSER messages (which is logging every
command run by any user). I had to configure this by running commands:
archive
log config
logging enable
logging size 200
notify syslog

I've seen somewhere that if I use AAA accounting I can get messages
even if I don't have TACACS+ server. Is that correct? Does anyone know
how can I log AAA events to the syslog?

In the "System Messages Guide" I find a lot of facility codes that I
don't get on my syslog server.

Does anyone know if there is any cisco guide that explains how to
audit everything on a router?
And I don't mean "how to enable logging", because I've done that and I
know there is a guide for that.
I want to know how to get all messages that are on the "System Message
Guide" on my syslog.

I've also read the "Cisco IOS Security Configuration Guide" and I
haven't found a clear explanation to enable "full system logging".

Thanks in advance!