CLI command logging without TACACS+
The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.
You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

The log messages generated by this EEM applet have the following format:

%HA_EM-6-LOG: CLIaccounting: command

As the applet uses the standard IOS logging mechanism, you can use the show logging command to examine the command execution history or store the messages on a syslog server.
Note: As a side effect, every command executed on the router will also be echoed to the router's console, unless you disable console logging with the no logging console command or use Tcl-based syslog filters (more about them in an upcoming post).
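Once the applet's messages land on a syslog server, the useful part is what you do with them. The following Python script is an added example (not part of the original post) that parses the collector's copy of the log: it reconstructs the command history the applet produced, groups the commands typed between "configure terminal" and the end of the session, and tries to attach an operator to each session by correlating it with the %SYS-5-CONFIG_I message IOS emits when a user leaves configuration mode (that message carries the username when the line was authenticated, which the applet's own messages do not). The sample log lines are constructed; the timestamp and sequence-number prefix assumes "service timestamps log datetime msec" and "service sequence-numbers" on the router, the applet name CLIaccounting is the one from the post, and the list of "sensitive" command prefixes is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

APPLET = "CLIaccounting"

# Constructed sample of what a syslog server could receive from the applet
# (sequence number + IOS timestamp + %FACILITY-SEVERITY-MNEMONIC: text).
SAMPLE_LOG = """\
000123: *Mar  1 00:14:22.103: %HA_EM-6-LOG: CLIaccounting: show running-config
000124: *Mar  1 00:14:31.550: %HA_EM-6-LOG: CLIaccounting: configure terminal
000125: *Mar  1 00:14:35.002: %HA_EM-6-LOG: CLIaccounting: interface GigabitEthernet0/1
000126: *Mar  1 00:14:40.777: %HA_EM-6-LOG: CLIaccounting: no ip access-group INBOUND in
000127: *Mar  1 00:14:44.120: %HA_EM-6-LOG: CLIaccounting: end
000128: *Mar  1 00:14:44.300: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
000129: *Mar  1 00:15:01.000: %HA_EM-6-LOG: CLIaccounting: show ip interface brief
000130: *Mar  1 00:16:10.410: %HA_EM-6-LOG: CLIaccounting: configure terminal
000131: *Mar  1 00:16:25.900: %HA_EM-6-LOG: CLIaccounting: username backup privilege 15 secret 0 Example123
000132: *Mar  1 00:16:30.115: %HA_EM-6-LOG: CLIaccounting: end
000133: *Mar  1 00:16:30.300: %SYS-5-CONFIG_I: Configured from console by console
"""

# Generic IOS syslog line; the sequence number and the "*" in front of an
# unsynchronised timestamp are optional.
LINE_RE = re.compile(
    r"^(?:\d+:\s+)?\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z_0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_0-9]+):\s+(?P<text>.*)$"
)
# Text of %SYS-5-CONFIG_I; "<user> on" is only present for authenticated lines.
CONFIG_I_RE = re.compile(
    r"^Configured from (?P<source>\S+) by (?:(?P<user>\S+) on )?(?P<line>\S+)(?: \((?P<addr>[^)]+)\))?$"
)
CONFIG_T_RE = re.compile(r"^conf(?:igure)?(?:\s+t(?:erminal)?)?$")
# Commands worth a second look in a review (this example's own list).
SENSITIVE_RE = re.compile(
    r"^(?:no\s+)?(?:username|aaa|enable\s+(?:secret|password)|ip\s+access-group|logging|event\s+manager)\b"
)


@dataclass
class CliEvent:
    ts: str
    command: str


@dataclass
class ConfigSession:
    commands: List[str]
    user: Optional[str] = None
    line: Optional[str] = None
    addr: Optional[str] = None


def parse_syslog_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def applet_command(rec: dict) -> Optional[str]:
    """Return the CLI command carried by an applet message, else None."""
    prefix = APPLET + ": "
    if rec["facility"] == "HA_EM" and rec["mnemonic"] == "LOG" and rec["text"].startswith(prefix):
        return rec["text"][len(prefix):].strip()
    return None


def extract_cli_events(lines) -> List[CliEvent]:
    """The command history exactly as the applet logged it, in order."""
    events = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and (cmd := applet_command(rec)) is not None:
            events.append(CliEvent(rec["ts"], cmd))
    return events


def config_sessions(lines) -> List[ConfigSession]:
    """Group the commands entered after 'configure terminal' and close the group
    on the CONFIG_I message, which names the user/line that made the change."""
    sessions, current = [], None
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        cmd = applet_command(rec)
        if cmd is not None:
            if CONFIG_T_RE.match(cmd):
                current = current or ConfigSession(commands=[])
            elif current is not None:
                current.commands.append(cmd)
        elif rec["facility"] == "SYS" and rec["mnemonic"] == "CONFIG_I":
            # CONFIG_I without logged commands means the config changed by another
            # path (copy to running-config, SNMP ...); still record the session.
            current = current or ConfigSession(commands=[])
            m = CONFIG_I_RE.match(rec["text"])
            if m:
                current.user, current.line, current.addr = m.group("user"), m.group("line"), m.group("addr")
            sessions.append(current)
            current = None
    if current is not None:  # session still open at end of log
        sessions.append(current)
    return sessions


def sensitive_commands(session: ConfigSession) -> List[str]:
    return [c for c in session.commands if SENSITIVE_RE.match(c)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for s in config_sessions(lines):
        who = s.user or "<unknown user>"
        print(f"{who} on {s.line} ({s.addr or 'n/a'}): {len(s.commands)} commands, flagged: {sensitive_commands(s)}")
```

Run it against an exported syslog file instead of SAMPLE_LOG to get a per-session change report; the unattributed console session in the sample is exactly the case the applet alone cannot resolve, which is why the correlation with CONFIG_I is worth having.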
6 comments:
Very useful trick.
Can you get it to include the username as well? Usually you would like to monitor who made the changes.
I haven't found an easy way to do it yet. The information passed to EEM applet or Tcl policy on CLI pattern match does not include line number or username.
If you want to log changes to running configuration, you could use configuration logging feature.
If you "accidentally" use
event cli pattern ".*" skip yes sync no
how do you remove it without a reload?
@Tassos: There's always the power-on button :) I don't think you can gracefully recover from this situation.
according to documentation, if you use "sync no" the "set 2.0 _exit_status 1" line can be skipped
How do I set a pattern which logs any command except those beginning with "show"?
Thanks for help.