05-06-2008 08:32 PM - edited 03-03-2019 09:50 PM
On a router, what specific command can I use to see the activities (e.g. config changes, parameters, etc.) that a user performed on the device? Also, if a user just logs on in user mode, will the device still log his/her activities?
05-06-2008 09:31 PM
This is what you need: use Configuration Change Notification and Logging, an IOS feature introduced in version 12.3(4)T.
HTH
-Jorge
05-06-2008 09:53 PM
Thanks. Can show log alone trace the activities a user performed on a device? What happened is that my colleagues are saying that I did a save command on a router, which honestly I didn't do. I looked at the router's log using the sh log command but didn't find anything. I just want to know how he was able to say that I did a save command that equals a change.
05-07-2008 12:42 PM
Oliver, below is an example of what is recorded in the router. Any command entered that has changed or altered the router's configuration is saved in the archive on the router, if you choose to do so when configuring this feature. Configuration entered on the router is also relayed to my syslog server. Since I am the only network person I do not need ACS or local AAA, which is why in the output below you see user "unknown".
In config mode you simply need the statements below.
archive
 log config
  logging enable
  logging size 50
  notify syslog
  hidekeys
You may also enter a question mark to see other sub-commands and features:
Router(config)#Archive
Router(config-archive)# ?
you may want to also add in config mode:
login on-failure log
login on-success log
.May 4 20:32:06 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 6x.xx.xx.117 name DR_TEMP_LB0_IP
.May 4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
.May 4 20:39:03 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:40:12 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 6x.xxx.xxx.xxx name DR_TEMP_LB0_IP
.May 4 20:40:16 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
May 4 20:51:17 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
May 4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:53:11 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:55:02 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
HTH
-Jorge
PLS rate any helpful post if it helped
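An added example, not part of the thread and not Cisco tooling: a small parser for syslog output in the format shown above, which rejoins hard-wrapped lines and groups each logged command under the %SYS-5-CONFIG_I line that closes the configuration session, so a reviewer can see which vty and source address a change came from. The sample log, its addresses and the username "admin1" are constructed, and the wrap handling assumes a hard wrap with no characters dropped.

```python
import re

# Constructed sample in the format shown in the post above; addresses are
# documentation ranges and "admin1" is a made-up username. The second
# command is hard-wrapped across two lines, as terminal output often is.
SAMPLE = """\
.May 4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 192.0.2.21 255.255.255.2
55 198.51.100.1 name DR_TEMP
.May 4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.7)
May 4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin1 logged command:no ip route 192.0.2.21 255.255.255.255 198.51.100.1
"""

HEADER = re.compile(r"^[.*]?(\w{3}\s+\d+ [\d:]+(?: \w+)?): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
LOGGED = re.compile(r"^User:(.*?)\s+logged command:(.*)$")
CONFIG_I = re.compile(r"^Configured from \S+ by (.+?)(?: \(([^)]*)\))?$")

def records(text):
    """Return (timestamp, mnemonic, message) tuples, rejoining wrapped lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append(list(m.groups()))
        elif out and line.strip():
            out[-1][2] += line  # assumption: hard wrap, nothing dropped
    return [tuple(r) for r in out]

def sessions(text):
    """Group logged commands under the CONFIG_I line that closes them."""
    done, pending = [], []
    for ts, mnemonic, msg in records(text):
        if mnemonic == "PARSER-5-CFGLOG_LOGGEDCMD" and (m := LOGGED.match(msg)):
            user, cmd = m.groups()
            if not cmd.startswith("!exec:"):  # skip the "enable" markers
                pending.append((ts, user, cmd))
        elif mnemonic == "SYS-5-CONFIG_I" and (m := CONFIG_I.match(msg)):
            done.append({"closed": ts, "by": m[1], "source": m[2], "commands": pending})
            pending = []
    if pending:  # changes with no closing CONFIG_I line in this capture
        done.append({"closed": None, "by": None, "source": None, "commands": pending})
    return done

if __name__ == "__main__":
    for s in sessions(SAMPLE):
        print(s["closed"], s["by"], s["source"])
        for ts, user, cmd in s["commands"]:
            print("   ", ts, f"[{user}]", cmd)
```
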
05-07-2008 01:29 PM
Jorge,
Excellent post !
Is there any impact at all on the CPU? I think not, since it's a simple login, but since I have never tested this I have to ask.
I use TACACS for logging users' activities, but when 3rd parties are on a box, it would be nice to see straight away what is being done.
Thanks
Sam
05-07-2008 02:59 PM
Hi Sam, there is not really any impact on the CPU at all; this is minimal syslog messaging information. It happens only when an authorized user or users are logged in to the router, and at least you can know what was changed, but there is not much processing involved on the CPU.
I used TACACS a long time ago in another job and I loved it, but this feature is great as well. I'm sure you can have it in addition to TACACS. I use Kiwi CatTools to back up router configs and I always notice even when CatTools accesses the router to back up the config.
Bst Rgds
Jorge
09-23-2022 12:14 AM
Hi
Just wanted to know what the meaning of "unknown user" is, as you said it's not a TACACS or local user. Then what type of access method are you using? We have ISE configured in our network and are getting the message "User:unknown user logged command:!exec: enable" in syslog. What does it mean?
05-07-2008 02:07 AM
If you have an ACS server, you could use the accounting function it offers to log administrators' commands.
You need to add some commands on the router:
aaa new-model
aaa accounting commands 1 sabbeb1 start-stop group tacacs+
aaa accounting commands 15 sabbeb2 start-stop group tacacs+
!
tacacs-server host 10.111.100.2 key kilmitissir
!
line vty 0 4
 accounting commands 1 sabbeb1
 accounting commands 15 sabbeb2
and to configure ACS server properly