
log

korbenda11as
Level 1

On a router, what specific command lets me see the activities (e.g. config changes, parameters, etc.) that a user performed on the device? Also, if a user just logs on in user mode, will the device still log his/her activities?

7 Replies

JORGE RODRIGUEZ
Level 10

This is what you need: use Configuration Change Notification and Logging, an IOS feature introduced in version 12.3(4)T.

http://www.cisco.com/en/US/docs/ios/12_4/cfg_fund/configuration/guide/hconlog_ps6350_TSD_Products_Configuration_Guide_Chapter.html

HTH

-Jorge

Jorge Rodriguez

Thanks. Can show log alone trace what activities a user did on a device? What happened is that my colleagues are saying that I did a save command on a router, which honestly I didn't do. I looked at the router's log using the sh log command but didn't find anything. I just want to know how he was able to say that I did a save command that equals a change.

Oliver, below is an example of what is recorded in the router. Any command entered that has changed or altered the router's configuration is saved in the archive in the router, if you choose to do so when configuring this feature. Configuration entered in the router is also relayed to my syslog server. Since I am the only network person I do not need ACS nor local AAA, so this is why in the output below you see user "unknown".

In config mode you simply need the statements below.

archive
 log config
  logging enable
  logging size 50
  notify syslog
  hidekeys

You may also do a question mark to see other sub-command features:

Router(config)#Archive
Router(config-archive)# ?

You may also want to add in config mode:

login on-failure log
login on-success log

.May 4 20:32:06 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 6x.xx.xx.117 name DR_TEMP_LB0_IP
.May 4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
.May 4 20:39:03 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:40:12 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 6x.xxx.xxx.xxx name DR_TEMP_LB0_IP
.May 4 20:40:16 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)
May 4 20:51:17 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
May 4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:53:11 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:no ip route 10.1.253.21 255.255.255.255 10.7.1.x name DR_TEMP_LB0_IP
May 4 20:55:02 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.168.100.xx)

HTH

-Jorge

PLS rate any helpful post if it helped

Jorge Rodriguez
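An added example, not part of the original thread and not Cisco code: Python that parses syslog lines in the format quoted in the post above, groups the logged commands into sessions closed by a %SYS-5-CONFIG_I line, and lists configuration changes recorded as "unknown user" together with the vty and source address from that closing line. The sample lines, the user jdoe and the addresses are constructed for the example.

```python
import re

# Constructed sample in the format of the syslog output quoted in the post above;
# the user "jdoe" and all addresses are placeholders, not values from the thread.
SAMPLE = """\
.May 4 20:37:02 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
.May 4 20:38:09 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:ip route 10.1.253.21 255.255.255.255 192.0.2.117 name DR_TEMP_LB0_IP
.May 4 20:38:12 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.10)
May 4 20:51:53 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe logged command:no ip route 10.1.253.21 255.255.255.255 192.0.2.117 name DR_TEMP_LB0_IP
May 4 20:55:02 UTC: %SYS-5-CONFIG_I: Configured from console by jdoe on vty1 (198.51.100.11)
"""

# A leading '.' or '*' is the marker IOS puts on a timestamp when the clock
# was not NTP-synchronised at the time the line was logged.
LINE = re.compile(r"(?P<flag>[.*])?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{2,5})?): "
                  r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)")
LOGGED = re.compile(r"User:(?P<user>.*?)\s+logged command:(?P<cmd>.*)")
CONFIG_I = re.compile(r"Configured from \S+ by (?P<who>.*?)(?: \((?P<src>[^)]+)\))?$")

def audit(text):
    """Group logged commands into sessions, each closed by a SYS-5-CONFIG_I line."""
    sessions, pending = [], []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an IOS syslog line we understand
        if m["mnemonic"] == "PARSER-5-CFGLOG_LOGGEDCMD" and (c := LOGGED.match(m["msg"])):
            cmd = c["cmd"].strip()
            pending.append({"ts": m["ts"], "clock_unsynced": m["flag"] is not None,
                            "user": c["user"].strip(), "cmd": cmd, "exec": cmd.startswith("!exec:")})
        elif m["mnemonic"] == "SYS-5-CONFIG_I" and (c := CONFIG_I.match(m["msg"])):
            sessions.append({"closed": m["ts"], "by": c["who"], "source": c["src"], "commands": pending})
            pending = []
    if pending:  # commands with no closing CONFIG_I (session still open or log truncated)
        sessions.append({"closed": None, "by": None, "source": None, "commands": pending})
    return sessions

def unattributed_changes(sessions):
    """Config changes logged without a username, with the line and source that made them."""
    return [(cmd["ts"], s["by"], s["source"], cmd["cmd"])
            for s in sessions for cmd in s["commands"]
            if cmd["user"] == "unknown user" and not cmd["exec"]]

if __name__ == "__main__":
    for row in unattributed_changes(audit(SAMPLE)):
        print(row)
```
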

Jorge,

Excellent post !

Is there any impact at all on the CPU? I think not, since it's a simple login, but since I have never tested this I have to ask.

I use TACACS for logging users' activities, but when 3rd parties are on a box, it would be nice to see straight away what is being done.

Thanks

Sam

Hi Sam, not really any impact on the CPU at all; this is minimal syslog messaging information. This is only when an authorized user or users are logged in to the router, and at least you can know what was changed, but not much processing is involved on the CPU.

I used TACACS a long time ago in another job and I loved it, but this feature is great as well. I'm sure you can have it in addition to TACACS. It is great; I use Kiwi CatTools to back up router configs and I always noticed even when CatTools accesses the router to back up the config.

Best Regards

Jorge

Jorge Rodriguez

Hi

Just wanted to know what the meaning of "unknown user" is. As you said, it's not a TACACS or local user. Then what type of access method are you using? We have ISE configured in our network and are getting the message "User:unknown user logged command:!exec: enable" in syslog. What does it mean?

ohassairi
Level 5

If you have an ACS server, you could use the accounting function it offers to log administrators' commands.

You need to add some commands on the router:

aaa new-model
aaa accounting commands 1 sabbeb1 start-stop group tacacs+
aaa accounting commands 15 sabbeb2 start-stop group tacacs+
!
tacacs-server host 10.111.100.2 key kilmitissir
!
line vty 0 4
 accounting commands 1 sabbeb1
 accounting commands 15 sabbeb2

and to configure ACS server properly
