Wrote up the following response below and thought I'd share it as a KB article of sorts. Still some cleanup/editing to do so bear with me
If your Cisco ASAs are not connected to an ACS server, then you'll want to look at event codes 111008 and 111010 directly from the ASA firewall, and the 'File Name' field will have the command that is run in it.
Here's the link to examine those specific events and Cisco's official description:
- username —The user making the configuration change
- application-name —The application that the user is running
- ip addr —The IP address of the management station
- cmd —The command that the user has executed
In a nutshell, you get an 111008 event for every command executed, and an 111010 for those that modify configuration. For the 111008 event, the command executed is stored in the field 'fileName'. For 111010, it's in 'destinationProcessName'
You'll also notice, both of the events start with %ASA-5-*, meaning that they're log level Notification = '5'. If your current log level is set to 1-4, then you need to configure the ASA to send these events despite not meeting the logging threshold ->ASA send syslog messages for configuration changes
logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes
To have these messages sent by your ASA, you will have to have your log level set to either Notification, Informational or Debug:
hostname (config)# logging trap info
If using Cisco ASDM, use the following guide to ensure you get the events: ASA 8.2: Configure Syslog using ASDM - Cisco