CLI command logging without TACACS+
The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.
You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.
Note: As a side effect, all commands executed on a router will be echoed to the router's console, unless you disable console logging with the no logging console command or use TCL-based syslog filters (more about them in an upcoming post).
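Once the messages reach a syslog server, the command history can be extracted from the %HA_EM-6-LOG format described above. The following is an added example, not code from the original post: it parses the applet's lines, masks the argument after credential keywords (on the assumption that the applet logs the command line as entered) and flags commands that remove the applet or its logging path. The function name, the two keyword lists and the sample lines are assumptions made for illustration.

```python
import re

# Applet output format from the post: "%HA_EM-6-LOG: <applet>: <command>"
EEM_LINE = re.compile(r"%HA_EM-6-LOG: (?P<applet>[^:\s]+): (?P<command>.*)$")

# Assumed watch list: commands that remove the applet or the logging it relies on
TAMPER = re.compile(
    r"^(no event manager applet|no logging (host|buffered|on\b|\d)|clear logging)",
    re.IGNORECASE)

# Assumed keyword list: the token after these (and an optional type digit) is masked
SECRET = re.compile(r"\b(password|secret|key-string|community)(\s+\d)?\s+\S+",
                    re.IGNORECASE)


def parse_cli_accounting(lines, applet="CLIaccounting"):
    """Return one record per command logged by the named EEM applet."""
    records = []
    for line in lines:
        m = EEM_LINE.search(line)
        if not m or m.group("applet") != applet:
            continue  # other facilities (%SYS, %PARSER, ...) or other applets
        command = m.group("command").strip()
        records.append({
            "prefix": line[:m.start()].strip(" :*"),  # timestamp/host as received
            "command": SECRET.sub(r"\1\2 *****", command),
            "tamper": bool(TAMPER.search(command)),
        })
    return records


# Constructed sample lines (not taken from a real device)
SAMPLE = [
    "Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting: show running-config",
    "Aug 24 08:19:12.004: %SYS-5-CONFIG_I: Configured from console by console",
    "Aug 24 08:19:20.511: %HA_EM-6-LOG: CLIaccounting: username NEW privilege 15 secret PASS",
    "Aug 24 08:19:25.730: %HA_EM-6-LOG: CLIaccounting: no logging console",
    "Aug 24 08:19:31.902: %HA_EM-6-LOG: CLIaccounting: no logging host 192.0.2.10",
    "Aug 24 08:19:40.117: %HA_EM-6-LOG: CLIaccounting: no event manager applet CLIaccounting",
]

if __name__ == "__main__":
    for rec in parse_cli_accounting(SAMPLE):
        flag = "ALERT" if rec["tamper"] else "     "
        print(f'{flag} {rec["prefix"]}  {rec["command"]}')
```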
Can you get it to include the username as well? Usually you would like to monitor who made the changes.
If you want to log changes to the running configuration, you could use the configuration logging feature.
event cli pattern ".*" skip yes sync no
How do you remove it without a reload?
Thanks for help.
Aug 24 2012 11:19:06.686: %SYS-5-CONFIG_I...
Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
Aug 24 2012 11:19:35.796: %PARSER-5-CFG...
Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
How to make EEM generated message show correct time:
Sep 12 02:18:39.818: %HA_EM-6-LOG: CLIaccounting: ...
Sep 12 09:18:40.171: %SYS-5-CONFIG_I: Configured from console by...
It shows UTC time
Thank you
archive
 log config
  logging enable
  notify syslog
It produces logs like this:
R1(config)#username NEW privi 15 sec PASS
R1(config)#
Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
R1(config)#int fa0/0
R1(config-if)#
Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
R1(config-if)#no sh
R1(config-if)#
Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown
Timezone is processed correctly; only configuration mode commands are shown (including "do .*" commands).
event manager applet CLIaccounting
event cli match ".*"
action 1.0 syslog priority informational msg [what can I put here?!]
NX-OS Version 7.0(7)N1(1) doesn't seem to want to take anything like
"$_cli_msg", $_cli_msg, $command, $_syslog_msg
It will only take straight text.