Logging Cisco Router Administration

Sometimes we notice configuration changes in our network gear and ask ourselves who made the change and when it occurred. The reason may be to understand why the change was necessary, or there may be a need to provide this type of audit trail for compliance purposes. Regardless of the specific use case, many recommend a product called Cisco Secure ACS for logging Cisco router administration. This is a robust solution that uses TACACS+ to collect accounting information from network devices.

An alternative to this high-end solution is to configure archive logging. Known in Cisco's terminology as Configuration Notification and Logging, this feature records the following about each configuration command successfully entered on an IOS-based network device: Session ID, User ID, Line, and Command. This information can be sent to a syslog server, time-stamped, and retained indefinitely. This article takes a quick look at configuring this useful feature.

To demonstrate archive logging, only a single router is necessary. The first recommendation is to give each user an individual username and password. While a typical enterprise deployment will use some type of authentication server, this article keeps it simple by using local authentication. For this purpose two users, jack and jill, will be created. These users will also be given the top privilege level (15) so they can make any changes required.

Local User Authentication

R1#configure terminal
R1(config)#username jack privilege 15 secret cisco
R1(config)#username jill privilege 15 secret CISCO

In order to use the newly created users, the local authentication method will be applied to the VTY lines. This will allow user tracking with telnet and ssh. In a production environment, it might also be desirable to apply a consistent user authentication method to the console and aux lines as well.

VTY Configuration for Local User Database

R1(config)#line vty 0 15
R1(config-line)#login local

When users log into a telnet or ssh session they will be prompted for username and password. With the users identified, the archive logging feature is more useful. The following commands enable the basic archive logging feature.

Basic Archive Log Configuration

R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable

In order to test the configuration, a couple of commands can be entered.

//commands as jack
R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open

User Access Verification

Username: jack
Password:
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int loopback 10
R1(config-if)#ip add
R1(config-if)#ip address 10.10.10.10 255.255.255.255
R1(config-if)#exit
R1(config)#exit
R1#exit

//commands as jill
R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open

User Access Verification

Username: jill
Password:
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int loopback 20
R1(config-if)#ip address 20.20.20.20 255.255.255.255
R1(config-if)#exit
R1(config)#exit
R1#

To determine which user created the loopback 10 and loopback 20 interfaces, the configuration log can be examined.

R1#show archive log config all
 idx   sess           user@line      Logged command
    1     1   unknown user@console |  logging enable
    2     1   unknown user@console |  exit
    3     1   unknown user@console |   exit
    4     2              jack@vty0 |interface Loopback10
    5     2              jack@vty0 | ip address 10.10.10.10 255.255.255.255
    6     2              jack@vty0 | exit
    7     3              jill@vty0 |interface Loopback20
    8     3              jill@vty0 | interface Loopback20
    9     3              jill@vty0 | ip address 20.20.20.20 255.255.255.255
   10     3              jill@vty0 | exit

Now the router has a working archive configuration. Variants of the show command can be found by using the context sensitive help.
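The question the article poses (which user created each loopback) can be answered mechanically once the show output is captured. The following Python parser is an added example, not code from the article; the sample output it embeds is constructed to mirror the sessions shown above (the console session that enabled logging, then jack and jill over vty0).

```python
import re
from collections import defaultdict

# Constructed sample in the layout IOS prints for `show archive log config all`,
# mirroring the sessions in the article (console session, then jack and jill over vty).
SHOW_ARCHIVE_OUTPUT = """\
 idx   sess           user@line      Logged command
    1     1   unknown user@console |  logging enable
    2     1   unknown user@console |  exit
    3     1   unknown user@console |   exit
    4     2              jack@vty0 |interface Loopback10
    5     2              jack@vty0 | ip address 10.10.10.10 255.255.255.255
    6     2              jack@vty0 | exit
    7     3              jill@vty0 |interface Loopback20
    8     3              jill@vty0 | interface Loopback20
    9     3              jill@vty0 | ip address 20.20.20.20 255.255.255.255
   10     3              jill@vty0 | exit
"""

# idx, sess, user (may contain a space, e.g. "unknown user"), line, then the command.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)@(\S+)\s*\|\s*(.*?)\s*$")

def parse_config_log(text):
    """Return one record per logged command; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            rows.append({"idx": int(idx), "sess": int(sess), "user": user,
                         "line": tty, "command": cmd})
    return rows

def interface_creators(rows):
    """Map each interface entered in config mode to the first user who entered it."""
    creators = {}
    for r in rows:
        m = re.match(r"interface\s+(\S+)", r["command"], re.IGNORECASE)
        if m:
            creators.setdefault(m.group(1), r["user"])
    return creators

def commands_by_user(rows):
    """Group logged commands by user for a quick per-admin audit trail."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r["command"])
    return dict(by_user)
```

Running `interface_creators(parse_config_log(SHOW_ARCHIVE_OUTPUT))` attributes Loopback10 to jack and Loopback20 to jill.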

R1#show archive log config ?
    The first record number to display
  all             List all the records in the config log
  statistics      Show memory and usage statistics for the config logger
  user            List the logged commands entered by a single user

The next challenge is how to log the commands to an external source. This configuration is actually quite simple. The commands below assume a working network and access to a syslog server at 192.168.2.2.

Syslog Configuration

R1(config)#logging 192.168.2.2
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#notify syslog

Now some commands can be entered to see how the resulting syslog messages appear.

R1#telnet 172.16.0.1
Trying 172.16.0.1 ... Open

User Access Verification

Username: jack
Password:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username hill privilege 15 secret supersecretpw

Syslog Entries

Sat Apr 27 16:30:32 2013: 42: *Apr 14 04:43:44.128: %PARSER-5-CFGLOG_LOGGEDCMD: User:jack  logged command:username hill privilege 15 secret supersecretpw
Sat Apr 27 16:30:34 2013: 43: *Apr 14 04:43:46.168: %SYS-5-CONFIG_I: Configured from console by jack on vty0 (172.16.0.1)


The ‘hidekeys’ Feature

For those who scrolled far enough to see the entire syslog message, the verbosity of the accepted command is apparent. The password, “supersecretpw”, is visible in clear text.

[Figure: Logging Cisco Router Administration -- Key Visible]

Since this may not be the desired result, there is an option to hide passwords and keys as they are written into the archive log process. This is enabled by using the “hidekeys” option.

R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#hidekeys

Now a password change for user “hill” should not disclose the password in the log entries.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#usern
R1(config)#username hill secret newpass

[Figure: Password After “hidekeys” Enabled (Logging Cisco Router Administration -- Key Obfuscated)]

As can be seen in the above output, the sensitive information is now obfuscated.
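Once the CFGLOG messages land on the syslog server, the same file serves both the audit question (who ran what, and when) and a check that hidekeys is actually in effect. The Python below is an added example, not code from the article: it parses %PARSER-5-CFGLOG_LOGGEDCMD lines in the format shown above and flags commands that carry a credential in the clear. The sample lines are constructed (two extra events for jill were added to the two shown earlier), and it assumes that a value masked by hidekeys appears as a run of asterisks.

```python
import re

# Constructed sample lines in the format the article shows: the syslog server's receive
# timestamp and sequence number, then the IOS message (two CFGLOG events added for jill).
SYSLOG_SAMPLE = """\
Sat Apr 27 16:30:32 2013: 42: *Apr 14 04:43:44.128: %PARSER-5-CFGLOG_LOGGEDCMD: User:jack  logged command:username hill privilege 15 secret supersecretpw
Sat Apr 27 16:30:34 2013: 43: *Apr 14 04:43:46.168: %SYS-5-CONFIG_I: Configured from console by jack on vty0 (172.16.0.1)
Sat Apr 27 16:31:10 2013: 44: *Apr 14 04:44:22.301: %PARSER-5-CFGLOG_LOGGEDCMD: User:jill  logged command:interface Loopback20
Sat Apr 27 16:31:12 2013: 45: *Apr 14 04:44:24.512: %PARSER-5-CFGLOG_LOGGEDCMD: User:jill  logged command:ip address 20.20.20.20 255.255.255.255
"""

CFGLOG = re.compile(
    r"^(?P<received>.+?): (?P<seq>\d+): \*(?P<device_time>[^:]+:[^:]+:[^:]+): "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<command>.*)$")

# IOS commands that carry a credential; the named group is the value that would leak.
CREDENTIAL_PATTERNS = [
    re.compile(r"^username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:secret|password)\s+(?:\d\s+)?(?P<val>\S+)", re.I),
    re.compile(r"^enable\s+(?:secret|password)\s+(?:\d\s+)?(?P<val>\S+)", re.I),
    re.compile(r"^snmp-server\s+community\s+(?P<val>\S+)", re.I),
    re.compile(r"^(?:tacacs|radius)-server\s+key\s+(?:\d\s+)?(?P<val>\S+)", re.I),
]

def parse_cfglog(text):
    """Return the CFGLOG_LOGGEDCMD events (who, when, which command); other messages are skipped."""
    return [m.groupdict() for m in map(CFGLOG.match, text.splitlines()) if m]

def exposed_credentials(events):
    """Events whose command carries a cleartext credential, i.e. hidekeys was not in effect.
    Assumption: a value already masked by hidekeys appears as a run of asterisks."""
    hits = []
    for e in events:
        for pat in CREDENTIAL_PATTERNS:
            m = pat.match(e["command"])
            if m and set(m.group("val")) != {"*"}:
                hits.append((e["user"], e["command"]))
                break
    return hits

def audit_trail(events):
    """(user, device_time, command) tuples in the order they were received."""
    return [(e["user"], e["device_time"], e["command"]) for e in events]
```

Any non-empty result from `exposed_credentials` on a live log is a signal to enable hidekeys on that device and to treat the affected credential as disclosed to everyone who can read the syslog file.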

As demonstrated in this article, there are cost-effective ways to capture administration activity on Cisco devices. While robust commercial solutions exist, not all organizations can afford or justify the associated expense. In such cases, archive logging can serve as a solution for IOS-based devices. When this type of solution is combined with an external syslog server and an appropriate segregation of responsibility, it can become a fairly robust auditing tool as well. Since syslog files are easily greppable, both operational and audit use cases can benefit from this type of solution.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.