Starting with Cisco IOS 12.3(4)T, an administrator can configure a router with a series of commands such that any subsequent configuration commands entered will be sent to syslog. Having a recorded audit trail of changes made can provide a valuable tool to troubleshoot possible unexpected outcomes

This will then capture the command typed is such syslog event:

Nov  5 09:03:25 router 69217: Nov  5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended Virtual-Access2.44#5625601

Nov  5 09:03:25 router 69218: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any any established

Nov  5 09:03:25 router 69219: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any <obfuscated netblock>

Nov  5 09:03:25 router 69220: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny tcp any any eq 25

Nov  5 09:03:25 router 69221: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any any

Nov  5 09:16:58 router 69222: Nov  5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip access-list extended Virtual-Access2.44#5625601

If you are using the CISCO IOS Collector running on SSIM Appliance with SYSLOG Director, please make sure you add the following signature : %PARSER-5-CFGLOG

Applies To

 Cisco IOS 12.3(4)T or above

Before changing any configuration on your CISCO Device please maybe sure you consult the documentation and test the changes. These changes could generate a very large number of events depending of the setup.