How to get the commands executed on CISCO IOS devices to be forwarded to CISCO IOS Collector


Article ID: 156084


Products

Security Information Manager

Issue/Introduction

Starting with Cisco IOS 12.3(4)T, an administrator can configure a router with a series of commands such that any subsequent configuration commands entered will be sent to syslog. Having a recorded audit trail of the changes made is a valuable tool for troubleshooting unexpected outcomes.

Resolution

Once the router is configured as in the sample dialog below, each configuration command typed is captured as a syslog event such as:

Nov  5 09:03:25 router 69217: Nov  5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended Virtual-Access2.44#5625601

Nov  5 09:03:25 router 69218: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any any established

Nov  5 09:03:25 router 69219: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any <obfuscated netblock>

Nov  5 09:03:25 router 69220: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny tcp any any eq 25

Nov  5 09:03:25 router 69221: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any any

Nov  5 09:16:58 router 69222: Nov  5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip access-list extended Virtual-Access2.44#5625601


If you are using the CISCO IOS Collector running on an SSIM Appliance with SYSLOG Director, make sure you add the following signature: %PARSER-5-CFGLOG


Applies To

Cisco IOS 12.3(4)T or above

A sample router configuration dialog is shown below (the Cisco IOS Collector is running at 10.10.10.10):

Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging trap notifications
Router(config)# logging 10.10.10.10
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-cfg)# logging enable
Router(config-archive-log-cfg)# logging size 1000
Router(config-archive-log-cfg)# hidekeys
Router(config-archive-log-cfg)# notify syslog

Before changing any configuration on your CISCO device, make sure you consult the documentation and test the changes. Depending on the setup, these changes could generate a very large number of events.
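As an added example (not part of this article or of the SSIM product), the Python below parses %PARSER-5-CFGLOG_LOGGEDCMD events like the ones shown above, flags logged commands a defender would want alerted on, and reports jumps in the router's per-message sequence number, since syslog over UDP is best-effort and a gap is the only sign that some logged commands never reached the collector. The WATCHLIST patterns and the final "no logging 10.10.10.10" sample line are constructed assumptions; the other sample lines are taken from the article.

```python
import re

# One %PARSER-5-CFGLOG_LOGGEDCMD record as forwarded by "archive / log config / notify syslog".
CFGLOG_RE = re.compile(
    r"^(?P<recv>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"(?P<rtr_ts>.+?): %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+"
    r"logged command:(?P<cmd>.*)$"
)
# Host and router-side sequence number of any IOS syslog line (not only CFGLOG ones).
SEQ_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<seq>\d+): ")

# Hypothetical watchlist: commands that weaken the audit trail itself, then the ACL edits used as the page's example.
WATCHLIST = [
    ("audit-trail tampering", re.compile(r"^no\s+(logging\b|archive\b|notify\s+syslog\b)")),
    ("acl change", re.compile(r"^(no\s+)?ip access-list\b")),
]

def parse_cfglog(line):
    # Fields of a CFGLOG_LOGGEDCMD line, or None for any other syslog line.
    m = CFGLOG_RE.match(line)
    return {**m.groupdict(), "cmd": m.group("cmd").strip()} if m else None

def flag_commands(lines):
    # (host, user, label, command) for every logged command that hits the watchlist.
    hits = []
    for ev in filter(None, map(parse_cfglog, lines)):
        for label, pat in WATCHLIST:
            if pat.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], label, ev["cmd"]))
                break
    return hits

def sequence_gaps(lines):
    # (host, expected_seq, seen_seq) wherever the router-side sequence number jumps:
    # syslog over UDP is best-effort, so a gap means events (maybe logged commands) were lost.
    last, gaps = {}, []
    for m in filter(None, map(SEQ_RE.match, lines)):
        host, seq = m.group("host"), int(m.group("seq"))
        if host in last and seq != last[host] + 1:
            gaps.append((host, last[host] + 1, seq))
        last[host] = seq
    return gaps

# Constructed sample: three lines from the article plus one made-up "no logging" line.
SAMPLE = [
    "Nov  5 09:03:25 router 69217: Nov  5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended Virtual-Access2.44#5625601",
    "Nov  5 09:03:25 router 69218: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any any established",
    "Nov  5 09:16:58 router 69222: Nov  5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip access-list extended Virtual-Access2.44#5625601",
    "Nov  5 09:17:02 router 69223: Nov  5 2010 08:17:01.104 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no logging 10.10.10.10",
]
```

Running flag_commands(SAMPLE) reports both access-list edits and the constructed "no logging" command, and sequence_gaps(SAMPLE) reports the jump from 69218 to 69222 between the second and third sample lines.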