How to get All configurations to monitoring computer

wisnshaftler
Level 1

Hello, I need to do this:

If someone connects to my router via Telnet, I need to show the commands and passwords he entered in my router.

Imagine this:

I have a Cisco router and I monitor this router from my PC. Someone logged in to my router via Telnet and made changes, and I want to see what commands he used to make the changes. If he changes the enable password, I want to show that configuration on my PC (using syslog, SNMP or any other method).

Can I do that?

I tried using a switch between the internet and my router, and I configured SPAN and RSPAN on the switch. Then, using Wireshark, I see all configurations by packet sniffing. Is there any way to do that without packet sniffing? My router runs IOS 15.2.

Thank you

Accepted Solutions

Hello,

In addition to the other post, there was a similar question asked a few days ago. You could do something like below:

1. enable
2. configure terminal
3. archive
4. log config
5. logging enable
6. logging size entries
7. hidekeys
8. notify syslog
9. end

 

Each time the configuration is changed, it will generate a syslog message similar to this:

 

*Mar 4 08:38:43.554: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface dialer 2

 

You could use that to run an EEM script. The show archive command will show the difference between the startup and the running config and notify you by email:

 

event manager applet CONFIG_CHANGE
event syslog occurs 1 pattern "%PARSER-5-CFGLOG_LOGGEDCMD:"
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config"
action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "User added:" body "$_cli_result"


4 Replies

balaji.bandi
Hall of Fame

If you have AAA in place, you are able to log all the commands a user issued on the devices. (Is this something you are looking for?)

Start with:

 

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfaaa.html

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html

 

 

BB



Thank you very much, this is awesome!!!!!

But why does the password show as stars in the syslog server :( Can we show this password in readable form?

 

03-04-2019 14:30:08 Local7.Notice 192.168.1.200 59: 0.0.0.0: *Mar 4 14:30:07.195: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:enable password *****

 

Hello,

That is what 'hidekeys' does; it hides the passwords. If you want to see the passwords, follow the sequence above and type 'no hidekeys'...
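
A collector-side sketch for the monitoring PC, added here as an example and not part of any post in this thread: it parses the %PARSER-5-CFGLOG_LOGGEDCMD messages quoted above, tags credential-bearing commands, and flags any that reach the syslog server unmasked (hidekeys not in effect). The function names, the sensitive-command list and the last two sample lines are assumptions constructed for illustration.

```python
import re

# IOS config-logger message; search() tolerates a syslog-server prefix.
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Commands that carry a credential. Illustrative list (assumption), extend as needed.
SENSITIVE = re.compile(
    r"^(enable\s+(password|secret)|username\s+\S+.*\b(password|secret)"
    r"|snmp-server\s+community)\b", re.I)
# With hidekeys the secret arrives as asterisks, as in the thread's sample line.
MASKED = re.compile(r"\*{3,}\s*$")

# First two lines are quoted from the thread; the last two are constructed.
SAMPLE = [
    "*Mar 4 08:38:43.554: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface dialer 2",
    "03-04-2019 14:30:08 Local7.Notice 192.168.1.200 59: 0.0.0.0: *Mar 4 14:30:07.195: "
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:enable password *****",
    "*Mar 4 14:31:10.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:vty0 logged command:enable password EXAMPLE-ONLY",
    "*Mar 4 14:31:12.480: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_cfglog(line):
    """Return a dict for a CFGLOG_LOGGEDCMD line, or None for any other message."""
    m = CFGLOG.search(line.rstrip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    sensitive = bool(SENSITIVE.search(cmd))
    # A credential command without trailing asterisks crossed the network unmasked.
    cleartext = sensitive and not MASKED.search(cmd)
    return {"user": m.group("user"), "command": cmd,
            "sensitive": sensitive, "cleartext_secret": cleartext}


def review(lines):
    """Return (user, command, status) for each logged configuration command."""
    out = []
    for rec in filter(None, map(parse_cfglog, lines)):
        cmd, status = rec["command"], "config-change"
        if rec["cleartext_secret"]:
            # Redact the secret so it is not copied into alerts or tickets.
            cmd, status = cmd.rsplit(None, 1)[0] + " <redacted>", "CLEARTEXT-SECRET"
        elif rec["sensitive"]:
            status = "credential-change"
        out.append((rec["user"], cmd, status))
    return out


if __name__ == "__main__":
    for row in review(SAMPLE):
        print(*row, sep=" | ")
```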
