CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.

event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

The log messages generated by this EEM applet have the following format:

%HA_EM-6-LOG: CLIaccounting: command

As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router's console, unless you disable console logging with the no logging console command or use TCL-based syslog filters (more about them in an upcoming post).

9 comments:

  1. Very useful trick.
    Can you get it to include the username as well? Usually you would like to monitor who made the changes.

    ReplyDelete
  2. I haven't found an easy way to do it yet. The information passed to EEM applet or Tcl policy on CLI pattern match does not include line number or username.

    If you want to log changes to running configuration, you could use configuration logging feature.

    ReplyDelete
  3. If you "accidentally" use

    event cli pattern ".*" skip yes sync no

    how do you remove it without a reload?

    ReplyDelete
  4. @Tassos: There's always the power-on button :) I don't think you can gracefully recover from this situation.

    ReplyDelete
  5. According to the documentation, if you use "sync no" the "set 2.0 _exit_status 1" line can be skipped.

    ReplyDelete
  6. How do I set a pattern which logs any commands except those beginning with "show"?
    Thanks for the help.

    ReplyDelete
  7. EEM-generated syslog messages do not show the correct local time in timestamps. Is there a way to fix this?

    Aug 24 2012 11:19:06.686: %SYS-5-CONFIG_I...
    Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
    Aug 24 2012 11:19:35.796: %PARSER-5-CFG...
    Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting...<- EEM generated

    ReplyDelete
  8. I have the same question as above:

    How to make EEM generated message show correct time:

    Sep 12 02:18:39.818: %HA_EM-6-LOG: CLIaccounting: ...
    Sep 12 09:18:40.171: %SYS-5-CONFIG_I: Configured from console by...

    It shows UTC time

    Thank you

    ReplyDelete
  9. What about this way?
    archive
     log config
      logging enable
      notify syslog

    It produces logs like this:
    R1(config)#username NEW privi 15 sec PASS
    R1(config)#
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
    R1(config)#int fa0/0
    R1(config-if)#
    Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
    R1(config-if)#no sh
    R1(config-if)#
    Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown

    Timezone is processed correctly, only configuration mode commands are shown (including "do .*" commands)

    ReplyDelete
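The post suggests collecting the applet's messages on a syslog server, and the comments raise two practical points about them: the EEM message carries no username (comment 2, contrasted with the archive log config format in comment 9), and one reader wants show commands excluded (comment 6). The following Python script is an added example, not code from the original post, from Cisco or from any commenter: it parses both message formats as they appear on this page, keeps the username where the %PARSER-5-CFGLOG_LOGGEDCMD format provides one, drops show commands on the collector side (leaving the router-side applet and its ".*" pattern untouched), and flags commands that change credentials, AAA or logging. The sample log lines, the watchlist of sensitive prefixes and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the two formats discussed on the page: the EEM
# applet's %HA_EM-6-LOG messages (no username) and the "archive / log config /
# notify syslog" %PARSER-5-CFGLOG_LOGGEDCMD messages (username included).
# Timestamps and commands are made up for this example.
SAMPLE_LOG = """\
Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting: show ip interface brief
Aug 24 08:19:12.401: %HA_EM-6-LOG: CLIaccounting: configure terminal
Aug 24 08:19:15.118: %HA_EM-6-LOG: CLIaccounting: no logging console
Aug 24 08:19:20.930: %HA_EM-6-LOG: CLIaccounting: show running-config
Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown
"""

# The timestamp prefix is "everything before the ': %' that starts the
# mnemonic", so the regexes tolerate msec, year and timezone-name variations
# of the IOS "service timestamps" setting without parsing the date itself.
EEM_RE = re.compile(r"^(?P<ts>.+?): %HA_EM-6-LOG: (?P<applet>\S+): (?P<cmd>.*)$")
CFGLOG_RE = re.compile(
    r"^(?P<ts>.+?): %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$"
)


@dataclass
class CliEvent:
    timestamp: str        # kept as text; EEM and other messages may differ in offset
    user: Optional[str]   # None for EEM messages: $_cli_msg carries no username
    command: str
    source: str           # "eem" or "cfglog"


def parse_log(text: str) -> List[CliEvent]:
    """Turn raw syslog text into CliEvent records; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EEM_RE.match(line)
        if m:
            events.append(CliEvent(m["ts"], None, m["cmd"].strip(), "eem"))
            continue
        m = CFGLOG_RE.match(line)
        if m:
            events.append(CliEvent(m["ts"], m["user"], m["cmd"].strip(), "cfglog"))
    return events


def _words(command: str) -> List[str]:
    # Drop a leading "do" so that "do show ..." typed in configuration mode
    # is treated like the exec-mode "show ...".
    words = command.split()
    if words and words[0] == "do":
        words = words[1:]
    return words


def is_show_command(command: str) -> bool:
    """True for read-only show commands.

    Only the full keyword is matched: the EEM message does not say which
    mode the command ran in, and the abbreviation "sh" means "shutdown"
    under an interface, so expanding abbreviations here would misclassify it.
    """
    words = _words(command)
    return bool(words) and words[0] == "show"


def non_show_events(events: List[CliEvent]) -> List[CliEvent]:
    """Collector-side equivalent of excluding show commands from the applet."""
    return [e for e in events if not is_show_command(e.command)]


# Constructed watchlist (an assumption of this example): command prefixes worth
# an alert because they change credentials, AAA, or the logging and EEM
# configuration that this whole logging mechanism depends on.
SENSITIVE_PREFIXES = (
    "username", "enable secret", "enable password",
    "aaa ", "no aaa", "no logging", "no event manager", "no archive",
)


def flag_sensitive(events: List[CliEvent]) -> List[CliEvent]:
    """Return the events whose (normalised) command starts with a watchlisted prefix."""
    return [e for e in events if " ".join(_words(e.command)).startswith(SENSITIVE_PREFIXES)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in non_show_events(evs):
        who = e.user or "<unknown user>"
        print(f"{e.timestamp:24} {e.source:6} {who:15} {e.command}")
    print("flagged:", [e.command for e in flag_sensitive(evs)])
```

Timestamps are deliberately left as strings: comments 7 and 8 show EEM messages stamped differently from the rest of the log, and the script has no reliable way to know which offset applies, so correlating them is left to the collector's own clock rather than guessed here. Filtering show commands downstream also means the router keeps a complete record in show logging even though the collector's report omits them.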


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.