Sometimes we notice configuration changes in our network gear. Often we may ask ourselves who made the change and when it occurred. Maybe the reason for answering these questions is to understand why the change was necessary. Alternatively, there may be a need to provide this type of audit trail for some type of compliance purpose. Regardless of the specific use case, many recommend a product called Cisco Secure ACS for logging Cisco router administration. This is a robust solution that uses TACACS+ to glean accounting information from network devices.
An alternative to using this high-end solution is to configure archive logging. Also known by Cisco as Configuration Notification and Logging, this feature records the following information about each configuration command that is successfully entered on an IOS-based network device: Session ID, User ID, Line, and Command. This information can be sent to a syslog server and time-stamped for unlimited retention. This article takes a quick look at configuring this useful feature.
To demonstrate archive logging, only a single router is necessary. The first recommendation is to provide users with individual usernames and passwords. While a typical enterprise deployment will use some type of authentication server, this article keeps it simple by using local authentication. For this purpose, two users, jack and jill, will be created. These users will also be given the top privilege level (15) so they can make any changes required.
Local User Authentication
R1#configure terminal
R1(config)#username jack privilege 15 secret cisco
R1(config)#username jill privilege 15 secret CISCO
In order to use the newly created users, the local authentication method will be applied to the VTY lines. This will allow user tracking with telnet and ssh. In a production environment, it might also be desirable to apply a consistent user authentication method to the console and aux lines as well.
VTY Configuration for Local User Database
R1(config)#line vty 0 15
R1(config-line)#login local
When users log into a telnet or ssh session they will be prompted for username and password. With the users identified, the archive logging feature is more useful. The following commands enable the basic archive logging feature.
Basic Archive Log Configuration
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
In order to test the configuration, a couple of commands can be entered.
//commands as jack
R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open
User Access Verification
Username: jack
Password:
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int loopback 10
R1(config-if)#ip add
R1(config-if)#ip address 10.10.10.10 255.255.255.255
R1(config-if)#exit
R1(config)#exit
R1#exit

//commands as jill
R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open
User Access Verification
Username: jill
Password:
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int loopback 20
R1(config-if)#ip address 20.20.20.20 255.255.255.255
R1(config-if)#exit
R1(config)#exit
R1#
To determine which user created the loopback 10 and loopback 20 interfaces, the configuration log can be examined.
R1#show archive log config all
 idx   sess           user@line      Logged command
    1     1        unknown@console |  logging enable
    2     1        unknown@console |  exit
    3     1        unknown@console |  exit
    4     2              jack@vty0 |interface Loopback10
    5     2              jack@vty0 |  ip address 10.10.10.10 255.255.255.255
    6     2              jack@vty0 |  exit
    7     3              jill@vty0 |interface Loopback20
    8     3              jill@vty0 |  interface Loopback20
    9     3              jill@vty0 |  ip address 20.20.20.20 255.255.255.255
   10     3              jill@vty0 |  exit
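On a larger box the "all" listing quickly grows past what is comfortable to read by eye, and the question the article asks (who touched a given interface?) is really a question about session context: the "ip address" line only makes sense once it is attributed to the "interface" command that preceded it in the same session. The script below is an added example, not part of the article or of IOS; it parses a pasted copy of the show output into records, tracks the interface context per session, and answers which users configured a named interface. The sample output is constructed in the same layout as the article's listing; the user@line values (jack and jill on vty0, an anonymous console session for the initial setup) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show archive log config all".
# user@line values are assumed (jack/jill on vty0, initial session on the console).
SAMPLE_OUTPUT = """\
R1#show archive log config all
 idx   sess           user@line      Logged command
    1     1        unknown@console |  logging enable
    2     1        unknown@console |  exit
    3     1        unknown@console |  exit
    4     2              jack@vty0 |interface Loopback10
    5     2              jack@vty0 |  ip address 10.10.10.10 255.255.255.255
    6     2              jack@vty0 |  exit
    7     3              jill@vty0 |interface Loopback20
    8     3              jill@vty0 |  interface Loopback20
    9     3              jill@vty0 |  ip address 20.20.20.20 255.255.255.255
   10     3              jill@vty0 |  exit
"""

# One record per line: index, session, user@line, then the command after the pipe.
RECORD_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<user>[^@\s]+)@(?P<line>\S+)\s+\|(?P<cmd>.*)$"
)


def parse_config_log(text):
    """Return one dict per logged command; prompt, header and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw)
        if not m:
            continue
        records.append({
            "idx": int(m.group("idx")),
            "sess": int(m.group("sess")),
            "user": m.group("user"),
            "line": m.group("line"),
            "cmd": m.group("cmd").strip(),
        })
    return records


def commands_by_interface(records):
    """Attribute each command to the interface context it was entered in.

    Context is tracked per session: "interface X" enters it, "exit" leaves it,
    so a bare "ip address ..." line is tied to the interface of that session.
    """
    result = defaultdict(list)   # interface name -> [(user, command), ...]
    context = {}                 # session id -> current interface or None
    for r in records:
        ctx = context.get(r["sess"])
        cmd = r["cmd"]
        if cmd.lower().startswith("interface "):
            ctx = cmd.split(None, 1)[1]
            context[r["sess"]] = ctx
            result[ctx].append((r["user"], cmd))
        elif cmd.lower() == "exit":
            context[r["sess"]] = None
        elif ctx is not None:
            result[ctx].append((r["user"], cmd))
    return dict(result)


def who_configured(records, interface):
    """Sorted list of users that entered commands inside the given interface context."""
    return sorted({u for u, _ in commands_by_interface(records).get(interface, [])})


def commands_for_user(records, user):
    """The same view as 'show archive log config user <name>': that user's commands in order."""
    return [r["cmd"] for r in records if r["user"] == user]


if __name__ == "__main__":
    recs = parse_config_log(SAMPLE_OUTPUT)
    for ifname in ("Loopback10", "Loopback20"):
        print(ifname, "configured by", who_configured(recs, ifname))
```

The context tracking is deliberately minimal (only "interface" and "exit"); other sub-modes such as "router" or "line" would need the same treatment, and the index order is what guarantees that commands are replayed in the order the router accepted them.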
Now the router has a working archive configuration. Variants of the show command can be found by using the context-sensitive help.
R1#show archive log config ?
                  The first record number to display
  all             List all the records in the config log
  statistics      Show memory and usage statistics for the config logger
  user            List the logged commands entered by a single user
The next challenge is how to log the commands to an external source. This configuration is actually quite simple. The commands below assume a working network and access to a syslog server at 192.168.2.2.
Syslog Configuration
R1(config)#logging 192.168.2.2
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#notify syslog
Now some commands can be entered to see how the resulting syslog messages appear.
R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open
User Access Verification
Username: jack
Password:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username hill privilege 15 secret supersecretpw
Syslog Entries
Sat Apr 27 16:30:32 2013: 42: *Apr 14 04:43:44.128: %PARSER-5-CFGLOG_LOGGEDCMD: User:jack logged command:username hill privilege 15 secret supersecretpw
Sat Apr 27 16:30:34 2013: 43: *Apr 14 04:43:46.168: %SYS-5-CONFIG_I: Configured from console by jack on vty0 (172.16.0.1)
The ‘hidekeys’ Feature
For those who scrolled far enough to see the entire syslog message, the verbosity of the accepted command is apparent. The password, “supersecretpw” is actually visible.
Since this may not be the desired result, there is an option to hide passwords and keys as they are written into the archive log process. This is enabled by using the “hidekeys” option.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#hidekeys
Now a password change for user “hill” should not disclose the password in the log entries.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#usern
R1(config)#username hill secret newpass
Password After “hidekeys” Enabled
As can be seen in the above output, the sensitive information is now obfuscated.
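Once the %PARSER-5-CFGLOG_LOGGEDCMD messages land on the syslog server, two things are worth automating: splitting them into per-user command histories, and checking that no credential made it into the log in the clear, which is exactly what happens on a device where "hidekeys" was never turned on. The script below is an added example, not part of the article or of any Cisco tooling. It parses lines in the format shown in the syslog entries above and flags commands whose trailing secret, password or key argument is not masked. The sample lines are constructed; the masked form "*****" is an assumption about how the router renders a hidden key, and anything that is only asterisks is treated as masked.

```python
import re

# Constructed syslog lines in the format of the article's entries. The masked
# form "*****" is assumed for the hidekeys case; timestamps are made up.
SAMPLE_SYSLOG = """\
Sat Apr 27 16:30:32 2013: 42: *Apr 14 04:43:44.128: %PARSER-5-CFGLOG_LOGGEDCMD: User:jack logged command:username hill privilege 15 secret supersecretpw
Sat Apr 27 16:30:34 2013: 43: *Apr 14 04:43:46.168: %SYS-5-CONFIG_I: Configured from console by jack on vty0 (172.16.0.1)
Sat Apr 27 16:41:10 2013: 44: *Apr 14 04:54:22.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:jack logged command:username hill secret *****
Sat Apr 27 16:41:12 2013: 45: *Apr 14 04:54:24.512: %PARSER-5-CFGLOG_LOGGEDCMD: User:jill logged command:interface Loopback20
"""

# The configuration-logger message: user, then the command as the router accepted it.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# A credential keyword, an optional encryption type digit (e.g. "secret 5",
# "password 7"), then the value as the final token of the command.
SECRET_RE = re.compile(
    r"\b(?P<kw>secret|password|key)(?:\s+\d)?\s+(?P<val>\S+)\s*$", re.IGNORECASE
)


def parse_cfglog(text):
    """Extract {"user", "cmd"} from every CFGLOG_LOGGEDCMD line; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "cmd": m.group("cmd").strip()})
    return events


def exposed_secret(cmd):
    """Return the cleartext credential value carried by cmd, or None.

    None is also returned when the value is all asterisks, i.e. the router
    masked it because hidekeys was enabled.
    """
    m = SECRET_RE.search(cmd)
    if not m:
        return None
    val = m.group("val")
    return None if set(val) == {"*"} else val


def audit(text):
    """Per-user command history plus the events that leaked a credential into syslog."""
    by_user = {}
    leaks = []
    for e in parse_cfglog(text):
        by_user.setdefault(e["user"], []).append(e["cmd"])
        if exposed_secret(e["cmd"]) is not None:
            leaks.append(e)
    return {"by_user": by_user, "leaks": leaks}


if __name__ == "__main__":
    report = audit(SAMPLE_SYSLOG)
    for user, cmds in report["by_user"].items():
        print(user, "->", cmds)
    for e in report["leaks"]:
        print("cleartext credential logged by", e["user"], "- enable hidekeys on that device")
```

Running the audit over a day of logs and alerting on a non-empty "leaks" list is a cheap way to catch devices that were added with "notify syslog" but without "hidekeys"; the per-user history is the same data as "show archive log config user", but retained for as long as the syslog server keeps it.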
As demonstrated in this article, there are cost-effective ways to capture administration activity on Cisco devices. While robust commercial solutions exist, not all organizations can afford or justify the associated expenses. In such cases, archive logging can serve as a solution for IOS-based devices. When this type of solution is combined with an external syslog server and the appropriate level of segregation of responsibility, it can become a fairly robust auditing tool as well. Since syslog files are easily greppable, both operational and audit use cases can benefit from this type of solution.