CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.

event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router's console, unless you disable console logging with no logging console command or use TCL-based syslog filters (more about them in an upcoming post).


  1. Very useful trick.
    Can you get it to include the username as well? Usually you would like to monitor who made the changes.

  2. I haven't found an easy way to do it yet. The information passed to EEM applet or Tcl policy on CLI pattern match does not include line number or username.

    If you want to log changes to running configuration, you could use configuration logging feature.

  3. If you "accidentally" use

    event cli pattern ".*" skip yes sync no

    how do you remove it without a reload?

  4. @Tassos: There's always the power-on button :) I don't think you can gracefully recover from this situation.

  5. according to documentation, if you use "sync no" the "set 2.0 _exit_status 1" line can be skipped

  6. how to set a pattern word wich log any commands except those begining with "show".
    Thanks for help.

  7. EEM generated syslog messages does not show the correct local time in timestamps. Is there a way to fix this?

    Aug 24 2012 11:19:06.686: %SYS-5-CONFIG_I...
    Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
    Aug 24 2012 11:19:35.796: %PARSER-5-CFG...
    Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting...<- EEM generated

  8. I have the same question as above:

    How to make EEM generated message show correct time:

    Sep 12 02:18:39.818: %HA_EM-6-LOG: CLIaccounting: ...
    Sep 12 09:18:40.171: %SYS-5-CONFIG_I: Configured from console by...

    It shows UTC time

    Thank you

  9. What about this way?
    _log config
    __logging enable
    __notify syslog

    It produces logs like this:
    R1(config)#username NEW privi 15 sec PASS
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
    R1(config)#int fa0/0
    Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
    R1(config-if)#no sh
    Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown

    Timezone is processed correctly, only configuration mode commands are shown (including "do .*" commands)

  10. Anyone know how to do this in NX-OS? The syntax is similar but not the same:

    event manager applet CLIaccounting
    event cli match ".*"
    action 1.0 syslog priority informational msg [what can I put here?!]

    NX-OS Version 7.0(7)N1(1) doesnt seem to want to take anything like

    "$_cli_msg", $_cli_msg, $command, $_syslog_msg

    It will only take straight text.

  11. Has anyone tried this in tcl? Seems like it might be a better option and less risk of locking yourself out of the router if you fat finger the sync command.


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.