First create local username/passwords.
username MMessier password RaNgErS
Next we enable AAA and tell AAA to use the local database of users.
aaa new-model
aaa authentication login default local
Next we set the VTY lines to use AAA
line vty 0 15
login authentication default
We did this so each person that logs into the router is associated with an ID.
Now we enable archive logging.
archive
log config
logging enable
logging size 500
hidekeys
Now when a user enters a command (must be a valid command) we can view it.
RTR-7206VXR#show archive log config all
idx sess user@line Logged command
1 1 MMessier@vty0 | logging enable
2 1 MMessier@vty0 | logging size 500
3 1 MMessier@vty0 | notify syslog
4 3 MMessier@vty0 | no ip domain-lookup
*Note that reboot will clear the config archive.
Reference
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html