CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router's console, unless you disable console logging with no logging console command or use TCL-based syslog filters (more about them in an upcoming post).

Recent posts in the same categories

13 comments:

  1. Anonymous 19 September 2008 07:13
    Very useful trick.
    Can you get it to include the username as well? Usually you would like to monitor who made the changes.
  2. Ivan Pepelnjak 19 September 2008 09:05
    I haven't found an easy way to do it yet. The information passed to EEM applet or Tcl policy on CLI pattern match does not include line number or username.

    If you want to log changes to running configuration, you could use configuration logging feature.
  3. Tassos 08 November 2008 02:20
    If you "accidentally" use

    event cli pattern ".*" skip yes sync no

    how do you remove it without a reload?
  4. Ivan Pepelnjak 08 November 2008 08:09
    @Tassos: There's always the power-on button :) I don't think you can gracefully recover from this situation.
  5. ExArmic 13 May 2009 10:54
    according to documentation, if you use "sync no" the "set 2.0 _exit_status 1" line can be skipped
  6. Anonymous 21 October 2009 16:09
    how to set a pattern word wich log any commands except those begining with "show".
    Thanks for help.
  7. Anonymous 24 August 2012 10:26
    EEM generated syslog messages does not show the correct local time in timestamps. Is there a way to fix this?

    Aug 24 2012 11:19:06.686: %SYS-5-CONFIG_I...
    Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
    Aug 24 2012 11:19:35.796: %PARSER-5-CFG...
    Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
  8. Tuan Hoang 12 September 2013 04:21
    I have the same question as above:

    How to make EEM generated message show correct time:

    Sep 12 02:18:39.818: %HA_EM-6-LOG: CLIaccounting: ...
    Sep 12 09:18:40.171: %SYS-5-CONFIG_I: Configured from console by...

    It shows UTC time

    Thank you
  9. Alexandr 02 September 2014 15:14
    What about this way?
    archive
    _log config
    __logging enable
    __notify syslog

    It produces logs like this:
    R1(config)#username NEW privi 15 sec PASS
    R1(config)#
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
    R1(config)#int fa0/0
    R1(config-if)#
    Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
    R1(config-if)#no sh
    R1(config-if)#
    Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown

    Timezone is processed correctly, only configuration mode commands are shown (including "do .*" commands)
  10. Anonymous 10 November 2015 13:33
    Anyone know how to do this in NX-OS? The syntax is similar but not the same:

    event manager applet CLIaccounting
    event cli match ".*"
    action 1.0 syslog priority informational msg [what can I put here?!]

    NX-OS Version 7.0(7)N1(1) doesnt seem to want to take anything like

    "$_cli_msg", $_cli_msg, $command, $_syslog_msg

    It will only take straight text.
  11. Anonymous 22 November 2015 12:04
    Has anyone tried this in tcl? Seems like it might be a better option and less risk of locking yourself out of the router if you fat finger the sync command.
  12. Anonymous 12 March 2016 02:08
    I have an older 6509 switch that is running 12.2(18)SXF12a. Do you know what version of IOS supports Archive and the rest of the commands? The Archive command is not available on this switch...
  13. Unknown 27 March 2019 12:17
    how to catch full command with extension like 'show user | include qqq'
Add comment
Home
Sidebar