Starting with Cisco IOS 12.3(4)T, an administrator can configure a router with a series of commands such that any subsequent configuration commands entered will be sent to syslog. Having a recorded audit trail of the changes made is a valuable tool for troubleshooting unexpected outcomes.
Each command typed is then captured in a syslog event such as these:
Nov 5 09:03:25 router 69217: Nov 5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:ip access-list extended Virtual-Access2.44#5625601
Nov 5 09:03:25 router 69218: Nov 5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit tcp any any established
Nov 5 09:03:25 router 69219: Nov 5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any <obfuscated netblock>
Nov 5 09:03:25 router 69220: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny tcp any any eq 25
Nov 5 09:03:25 router 69221: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any any
Nov 5 09:16:58 router 69222: Nov 5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no ip access-list extended Virtual-Access2.44#5625601
If you are using the Cisco IOS Collector running on an SSIM Appliance with SYSLOG Director, make sure you add the following signature: %PARSER-5-CFGLOG
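For sites that review these events outside a collector, the following added example (not part of the original article or of any Cisco or Symantec tooling) parses the %PARSER-5-CFGLOG_LOGGEDCMD format shown above and flags commands matching a watchlist. The watchlist entries and the function names are assumptions chosen for illustration; the sample input reuses three events from this page plus one constructed non-matching line.

```python
import re

# Matches the relay-prefixed format of the sample events on this page.
CFGLOG_RE = re.compile(
    r"^(?P<received>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<seq>\d+):\s+"
    r"(?P<device_time>.+?):\s+%PARSER-5-CFGLOG_LOGGEDCMD:\s+"
    r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)$"
)

# Hypothetical watchlist (an assumption, tune per site): changes worth a second look.
WATCHLIST = [
    (re.compile(r"^no ip access-list\b"), "ACL removed"),
    (re.compile(r"^permit ip any any$"), "permit-all ACL entry"),
    (re.compile(r"^no (logging|archive)\b"), "logging/audit trail disabled"),
]

def parse_line(line):
    """Return a dict of fields for a CFGLOG_LOGGEDCMD event, or None for any other line."""
    m = CFGLOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["seq"] = int(event["seq"])
    return event

def review(lines):
    """Parse all lines; return (events, findings), findings being (seq, user, command, reason)."""
    events = [e for e in map(parse_line, lines) if e]
    findings = [
        (e["seq"], e["user"], e["command"], reason)
        for e in events
        for pattern, reason in WATCHLIST
        if pattern.search(e["command"])
    ]
    return events, findings

# Sample input: three events copied from this page plus one constructed non-matching line.
SAMPLE = """\
Nov 5 09:03:25 router 69220: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny tcp any any eq 25
Nov 5 09:03:25 router 69221: Nov 5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:permit ip any any
Nov 5 09:04:00 router 69300: Nov 5 2010 08:04:00.000 EST: %SYS-5-CONFIG_I: Configured from console by console
Nov 5 09:16:58 router 69222: Nov 5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no ip access-list extended Virtual-Access2.44#5625601
""".splitlines()

if __name__ == "__main__":
    events, findings = review(SAMPLE)
    print(f"{len(events)} configuration commands logged")
    for seq, user, command, reason in findings:
        print(f"[{reason}] seq={seq} user={user}: {command}")
```
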
Applies To
Cisco IOS 12.3(4)T or above
Before changing any configuration on your Cisco device, make sure you consult the documentation and test the changes. These changes could generate a very large number of events depending on the setup.