Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2371
Views
10
Helpful
6
Replies

Tracking user creation events on a switch

Go to solution
Vic48
Level 1
Level 1

‎02-25-2019 10:13 PM

Can EEM be used to track user creation on a switch?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Vic48

‎02-26-2019 02:04 AM

yes the archiving will provide that , anything that's created in general config and who was logged in

as per the doc link i provided below

For each configuration command that is executed, the following information will be logged:

• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command

Here is a sample of how you configure it:

Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (remembers the last 500 commands entered – 100 are default)
Router(config-archive-log-config)# hidekeys (hides passwords from being shown / logged)
Router(config-archive-log-config)# notify syslog (optional – exports changes to syslog server)

View solution in original post

6 Replies 6

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎02-26-2019 12:58 AM

Hi
What do you mean by user creation ? you can track what users have ran and what commands they have invoked through archive commands
you could also do it through EEM but archive is easier

https://itknowledgeexchange.techtarget.com/cisco/tracking-configuration-changes-with-the-cisco-ios-built-in-using-the-archive-command/
0 Helpful

Go to solution
Vic48
Level 1
Level 1
In response to Mark Malone

‎02-26-2019 01:31 AM

An example would be when the command below is entered to create a user:

gss1.example.com(config)# username user_1 password newpwd

I would like to have logging log that a user User 1 has been created.

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Vic48

‎02-26-2019 02:04 AM

yes the archiving will provide that , anything that's created in general config and who was logged in

as per the doc link i provided below

For each configuration command that is executed, the following information will be logged:

• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command

Here is a sample of how you configure it:

Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (remembers the last 500 commands entered – 100 are default)
Router(config-archive-log-config)# hidekeys (hides passwords from being shown / logged)
Router(config-archive-log-config)# notify syslog (optional – exports changes to syslog server)

Go to solution
Vic48
Level 1
Level 1
In response to Mark Malone

‎02-26-2019 03:52 AM

Very good stuff. Thanks!

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎02-26-2019 02:29 AM

Hello,

 

on a side note, you could compare the running to the startup config and have EEM notify you with an email displaying the username that has been added. It kind of builds on what Mark posted. If you enable the archving:


1. enable

2. configure terminal

3. archive

4. log config

5. logging enable

6. logging size entries

7. hidekeys

8. notify syslog

9. end

 

Each tme a user is added, it will generate a syslog message similar to this:

 

*Feb 26 09:52:28.129: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED

 

You could use that to run an EEM script. The show archive command  will show the difference between the startup and the running config and notify you by email

 

event manager applet USER_ADD
event syslog occurs 1 pattern "USER TABLE MODIFIED"
action 1.0 cli command "enable"
action 2.0 cli command "show archive config differences nvram:startup-config system:running-config | include username"
action 3.0 mail to "user@company.com" from "user@company.com" server "x.x.x.x" subject "User added:" body "$_cli_result"

Go to solution
Vic48
Level 1
Level 1
In response to Georg Pauwen

‎02-26-2019 03:55 AM

Neat. Thanks!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card