11-05-2010 07:34 AM - edited 03-04-2019 10:23 AM
Hi everyone,
I have a router which has recently begun generating many PARSER-5-CFGLOG_LOGGEDCMD log messages. It used to happen once a week or so, but now it is repeating throughout the day, every day.
The messages come through looking like this:
Nov 5 09:03:25 Revenant 69217: Nov 5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended Virtual-Access2.44#5625601
Nov 5 09:03:25 Revenant 69218: Nov 5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any any established
Nov 5 09:03:25 Revenant 69219: Nov 5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any <obfuscated netblock>
Nov 5 09:03:25 Revenant 69220: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny tcp any any eq 25
Nov 5 09:03:25 Revenant 69221: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any any
Nov 5 09:16:58 Revenant 69222: Nov 5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no ip access-list extended Virtual-Access2.44#5625601
I have read in other places that this is normal for when a router reboots. But my router is not rebooting. So I am wondering if something is going wrong.
Some info about the router is:
Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 23664897
R7000 CPU at 350MHz, Implementation 39, Rev 3.2, 256KB L2 Cache
6 slot VXR midplane, Version 2.9
Cisco IOS Software, 7200 Software (C7200-JK9S-M), Version 12.4(8)
ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Revenant uptime is 1 year, 28 weeks, 1 day, 14 hours, 34 minutes
System returned to ROM by power-on
System restarted at 18:46:02 EST Tue Apr 21 2009
System image file is "disk0:c7200-jk9s-mz.124-8.bin"
If anyone has any input or experience with this, it would be much appreciated.
11-05-2010 08:39 AM
Config messages configuring crypto maps with a name of NiStTeSt1 are normal when booting.
The messages logged here are not the same. Based on the name of the ACL I suspect a user is logging into the device and this per user ACL is being applied to the user.
08-07-2012 05:49 AM
I'm researching the same type of question. I see a lot of routers log changes made by a username called "console". These logged changes reflect what you say about the crypto map "NiStTeSt1". You say this is normal. Then you go on to say that in this particular instance a user logged in and made these changes.
So, are you saying someone logged into this router via a serial, telnet, or SSH session and made these changes? That doesn't make any sense. When a user logs into any Cisco network device that supports these plain-text logging commands, their changes are logged as the username they used to log into the device (not some generic username like "console").
Now, if "console" is a Cisco system user account of some sort, then I might go along with that. But that is an explanation that I have yet to hear.
Here is an example of what I see when I reload a router (not connected to any network), connect via serial cable using my own local account "ELONAZAZIAH", and configure a traffic capture profile. I am the only user logged into this router and you can plainly see the difference.
I'm sure there is a logical explanation for this. I would just like to know what it is.
000014: *Jul 31 2012 18:46:42.443 UTC: %SYS-5-CONFIG_I: Configured from memory by console
000015: *Jul 31 2012 18:46:42.643 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
000016: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
000017: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
000018: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
000019: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
000020: *Jul 31 2012 18:46:42.651 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down
000021: *Jul 31 2012 18:46:42.651 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to down
000022: *Jul 31 2012 18:46:42.659 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
000023: *Jul 31 2012 18:46:42.663 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
000024: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface FastEthernet2, changed state to administratively down
000025: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface FastEthernet3, changed state to administratively down
000026: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
000027: *Jul 31 2012 18:46:45.283 UTC: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
000028: *Jul 31 2012 18:46:45.283 UTC: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
000029: *Jul 31 2012 18:46:45.287 UTC: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 16-Nov-10 04:53 by prod_rel_team
000030: *Jul 31 2012 18:46:45.307 UTC: %SSH-5-ENABLED: SSH 2.0 has been enabled
000035: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
000036: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
000037: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
000038: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
000040: *Jul 31 2012 18:47:39.695 UTC: %LINK-3-UPDOWN: Interface ATM0, changed state to up
000041: *Jul 31 2012 18:47:40.695 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
000043: *Jul 31 2012 18:47:50.123 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
000044: *Jul 31 2012 18:47:51.183 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
000045: *Jul 31 2012 18:47:52.039 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up
000046: *Jul 31 2012 18:47:52.039 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
000047: *Jul 31 2012 18:49:15.323 UTC: %AAA-3-DROPACCTFAIL: Accounting record dropped, send to server failed: system
000048: *Jul 31 2012 18:49:15.323 UTC: %SNMP-5-COLDSTART: SNMP agent on host ECT-AR-0-887-136 is undergoing a cold start
000049: *Jul 31 2012 20:00:05.667 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:!exec: enable
000050: *Aug 1 2012 18:15:31.010 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:!exec: enable
000051: *Aug 1 2012 18:16:23.218 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:logging console
000052: *Aug 1 2012 18:16:46.390 UTC: %SYS-5-CONFIG_I: Configured from console by ELONAZAZIAH on console
000053: *Aug 1 2012 20:42:04.425 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:!exec: enable
000054: *Aug 1 2012 20:43:12.021 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:ip traffic-export profile PCAP mode capture
000055: *Aug 1 2012 20:43:17.337 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:length 512
000056: *Aug 1 2012 20:43:24.989 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:bidirectional
000057: *Aug 1 2012 20:43:27.293 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:exit
000058: *Aug 1 2012 20:43:36.421 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:interface Vlan2
000059: *Aug 1 2012 20:45:32.049 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:ip traffic-export apply PCAP size 10000000
000060: *Aug 1 2012 20:45:36.605 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:exit
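The two log excerpts above show the three cases this thread keeps circling: commands attributed to a named user, "console" commands that appear right after the startup-config load (the NiStTeSt1 crypto map that is created and removed within the same second), and "console" commands outside that window, such as the per-user ACL that the second reply suspects is being applied to a dial/VPN session. The following Python is an added example, not code from the thread or from Cisco; it parses %PARSER-5-CFGLOG_LOGGEDCMD and %SYS-5-CONFIG_I lines and sorts them into those three buckets so an operator can see which "console" entries actually deserve a look. The 60-second boot window and the Virtual-Access#nnn per-user ACL heuristic are assumptions based on the posts, and the sample lines are constructed from the two excerpts posted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the lines posted in this thread (the first router's
# per-user ACL sequence and the second router's boot sequence), mixed into one feed.
SAMPLE_LOG = """\
Nov 5 09:03:25 Revenant 69217: Nov 5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended Virtual-Access2.44#5625601
Nov 5 09:03:25 Revenant 69218: Nov 5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any any established
Nov 5 09:03:25 Revenant 69221: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any any
Nov 5 09:16:58 Revenant 69222: Nov 5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no ip access-list extended Virtual-Access2.44#5625601
000014: *Jul 31 2012 18:46:42.443 UTC: %SYS-5-CONFIG_I: Configured from memory by console
000015: *Jul 31 2012 18:46:42.643 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
000016: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
000023: *Jul 31 2012 18:46:42.663 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
000052: *Aug 1 2012 18:16:46.390 UTC: %SYS-5-CONFIG_I: Configured from console by ELONAZAZIAH on console
000054: *Aug 1 2012 20:43:12.021 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH logged command:ip traffic-export profile PCAP mode capture
"""

CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$")
CONFIG_I_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>\w+) by (?P<who>\S+)")
# IOS timestamp with year, e.g. "Nov 5 2010 08:03:24.978" or "*Jul 31 2012 18:46:42.443"
TS_RE = re.compile(r"(\w{3}) +(\d{1,2}) (\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)")
# Heuristic taken from the thread: ACLs named Virtual-Access<n>.<m>#<id> are per-user
# ACLs pushed onto a session by AAA, not something an operator typed. (assumption)
PER_USER_ACL_RE = re.compile(r"\bip access-list \w+ Virtual-Access\S+#\d+")
# Assumption: console commands this soon after the startup-config load count as boot activity.
BOOT_WINDOW = timedelta(seconds=60)


def parse_ts(line):
    """Return the datetime embedded in an IOS log line, or None if no dated timestamp is present."""
    m = TS_RE.search(line)
    if not m:
        return None
    mon, day, year, clock = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S.%f")


def classify(log_text):
    """One record per CFGLOG_LOGGEDCMD line: (timestamp, user, category, command, hint)."""
    records = []
    boot_mark = None  # time of the last "Configured from memory by console" (startup-config load)
    for line in log_text.splitlines():
        ts = parse_ts(line)
        ci = CONFIG_I_RE.search(line)
        if ci:
            if ci.group("source") == "memory":
                boot_mark = ts
            continue
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        hint = ""
        if user != "console":
            category = "named-user"          # attributed to a real login: normal audit trail
        elif boot_mark and ts and timedelta(0) <= ts - boot_mark <= BOOT_WINDOW:
            category = "boot-time-console"   # the NiStTeSt1 crypto map and friends at startup
        else:
            category = "console-review"      # "console" outside boot: worth a closer look
            if PER_USER_ACL_RE.search(cmd):
                hint = "looks like an AAA-pushed per-user ACL"
        records.append((ts, user, category, cmd, hint))
    return records


def summarize(records):
    """Count records per category."""
    counts = {}
    for _, _, category, _, _ in records:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    recs = classify(SAMPLE_LOG)
    for ts, user, cat, cmd, hint in recs:
        print(f"{ts}  {cat:18} {user:12} {cmd}" + (f"   [{hint}]" if hint else ""))
    print(summarize(recs))
```

Run against a syslog export (`python3 cfglog_triage.py < router.log` after swapping SAMPLE_LOG for `sys.stdin.read()`), the "console-review" bucket is the one to reconcile against your AAA server's session records; everything in the other two buckets is already explained by the thread.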
08-07-2012 05:52 AM
Oh one more thing....
The 20.20.20.20 address this router (and every router I've seen do this) is configuring as a peer address belongs to the Computer Sciences Corporation.
http://www.iptools.com/dnstools.php?tool=ipwhois&user_data=20.20.20.20
11-05-2010 09:32 AM
Hello Jonathan,
The messages which are shown are indeed caused by a user making a configuration change through the console.
If you do not want to see these messages, you can disable this feature. The commands to do this are:
conf t
archive
log config
no notify syslog
This will stop these messages when configuration changes are being made. They will still be available through 'show archive log config all'.
HTH,
Bert
08-07-2012 05:54 AM
The question is not how to hide the messages. The question is what causes the messages.
I want the plain text logging turned on because I want to know who is making changes on my routers.
Again, I'm open to the possibility that the username "console" is a legitimate user that is programmed into the image. But I'm starting to think that only a programmer can answer that.
If it is a legitimate user, then I want to know it.
If it is not a legitimate user then where did it come from?
I'm leaning towards it being legitimate. Especially since it happens the same way for me on multiple routers that are not connected to any network. I am consoled in with my own local account when it happens and I am the only user showing logged in.
But why is it always trying to form a VPN tunnel with a peer address that belongs to the Computer Sciences Corporation??
I also notice that the "console" user removes the crypto map and acl in the very same second that it creates it. This further assures me that this is something that was programmed by whomever created the image (I hope). It was programmed by something or someone for sure.
I was hoping someone might have an explanation.
Thanks,
Chris
10-12-2012 05:15 AM
Hello,
I have this kind of message. The origin is a command injection via RADIUS, for example:
Oct 3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default ip ospf message-digest-key 1
Oct 3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default ip ospf 59 area 1
Oct 3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default ip address 1.59.100.162 255.255.255.240
Oct 3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default routing dynamic
Oct 3 2012 23:21:48.262 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default ip vrf forwarding
Oct 3 2012 23:21:48.266 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:default logging event link-status
10-12-2012 06:58 AM
I believe this has to do with the archive command on the router:
R1#sh archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | logging size 1000
3 1 console@console | exit
4 1 console@console | exit
5 2 console@console |interface FastEthernet0/0
6 2 console@console | ip address 192.168.1.1 255.255.255.0
7 2 console@console | no shutdown
8 2 console@console | exit
9 3 console@console |archive
10 3 console@console | log config
11 3 console@console | record rc
12 3 console@console | exit
13 3 console@console | exit
14 4 console@console |archive
It's due to the "notify syslog" command listed under the archive/logging configuration in the router. If you remove "notify syslog" you'll no longer get the message.
HTH,
John
11-16-2012 02:01 PM
Hi,
Still waiting for a satisfactory explanation of why those commands are being executed automatically with the user name CONSOLE.
Is it a bug in the IOS? Expecting an answer from the Cisco experts at the earliest.
Thanks,
Rag.
01-24-2019 10:00 AM
Did you ever get an answer to this question?
Why will console issue obvious commands on the router? In my case I have
227 0 console@console |interface Serial1/0/0:23
228 0 console@console | shutdown
229 0 console@console |interface Serial1/0/0:23
230 0 console@console | no isdn bind-l3 ccm-manager
231 0 console@console |interface Serial1/0/0:23
232 0 console@console | no shutdown
233 0 console@console |interface Serial1/0/0:23
234 0 console@console | shutdown
235 0 console@console |interface Serial1/0/0:23
236 0 console@console | isdn bind-l3 ccm-manager
237 0 console@console |interface Serial1/0/0:23
238 0 console@console | no shutdown
241 0 console@console |interface Serial1/0/0:23
242 0 console@console | shutdown
243 0 console@console |interface Serial1/0/0:23
244 0 console@console | no isdn bind-l3 ccm-manager
245 0 console@console |interface Serial1/0/0:23
246 0 console@console | no shutdown
247 0 console@console |interface Serial1/0/0:23
idx sess user@line Logged command
248 0 console@console | shutdown
249 0 console@console |interface Serial1/0/0:23
250 0 console@console | isdn bind-l3 ccm-manager
251 0 console@console |interface Serial1/0/0:23
252 0 console@console | no shutdown
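John's post and the one above both quote `show archive log config all`, whose rows are `idx sess user@line |command`, with leading spaces after the `|` showing config-mode nesting. The Python below is an added example, not from the thread or from Cisco: it parses that table, counts commands per session and user@line, and reports interfaces that the same user@line has bounced (shutdown / no shutdown) repeatedly, which is the pattern on Serial1/0/0:23 above. The header line the pager repeats is skipped automatically. The sample is constructed from rows posted in this thread, and the bounce threshold of two is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied in shape from the two 'show archive log config all'
# excerpts posted in this thread, including a repeated pager header.
SAMPLE_ARCHIVE = """\
idx sess user@line Logged command
227 0 console@console |interface Serial1/0/0:23
228 0 console@console | shutdown
229 0 console@console |interface Serial1/0/0:23
230 0 console@console | no isdn bind-l3 ccm-manager
231 0 console@console |interface Serial1/0/0:23
232 0 console@console | no shutdown
233 0 console@console |interface Serial1/0/0:23
234 0 console@console | shutdown
235 0 console@console |interface Serial1/0/0:23
236 0 console@console | isdn bind-l3 ccm-manager
237 0 console@console |interface Serial1/0/0:23
238 0 console@console | no shutdown
idx sess user@line Logged command
 5 2 console@console |interface FastEthernet0/0
 6 2 console@console | ip address 192.168.1.1 255.255.255.0
 7 2 console@console | no shutdown
"""

ARCHIVE_LINE_RE = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<who>\S+@\S+)\s*\|(?P<cmd>.*)$")


def parse_archive_log(text):
    """Yield (idx, sess, who, depth, command) per row; header and pager lines do not match and are skipped."""
    for line in text.splitlines():
        m = ARCHIVE_LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("cmd")
        depth = len(raw) - len(raw.lstrip(" "))  # leading spaces encode config-mode nesting
        yield int(m.group("idx")), int(m.group("sess")), m.group("who"), depth, raw.strip()


def commands_per_session(text):
    """Count logged commands per (session index, user@line)."""
    counts = defaultdict(int)
    for _, sess, who, _, _ in parse_archive_log(text):
        counts[(sess, who)] += 1
    return dict(counts)


def interface_bounces(text):
    """Count 'shutdown' and 'no shutdown' sub-commands per (user@line, interface)."""
    counts = defaultdict(int)
    context = {}  # who -> interface named by that user's most recent top-level 'interface X' row
    for _, _, who, depth, cmd in parse_archive_log(text):
        if depth == 0 and cmd.startswith("interface "):
            context[who] = cmd.split(None, 1)[1]
        elif depth > 0 and cmd in ("shutdown", "no shutdown") and who in context:
            counts[(who, context[who], cmd)] += 1
    return dict(counts)


def flagged(text, threshold=2):
    """Interfaces shut down at least `threshold` times by one user@line (assumed threshold), sorted."""
    out = []
    for (who, intf, cmd), n in interface_bounces(text).items():
        if cmd == "shutdown" and n >= threshold:
            out.append((who, intf, n))
    return sorted(out)


if __name__ == "__main__":
    print(commands_per_session(SAMPLE_ARCHIVE))
    for who, intf, n in flagged(SAMPLE_ARCHIVE):
        print(f"{who} shut down {intf} {n} times in the archive log")
```

Feeding this the real `show archive log config all` output gives a per-session view that the raw table hides: a session index shared by many rows from console@console is one process or login, and a high bounce count on one interface is the kind of thing to compare against the device's own feature activity (as one poster did with RADIUS-pushed commands) before assuming an operator typed it.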