Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Rommon without a log message

I would like to be notified through a log message if the router is rebooted (deliberately or otherwise) and either drops into rommon mode or is forced into rommon mode with a ctrl+break sequence.  When I manually create this scenario I don't get any syslog message.  Syslog is configured and working properly in that I can generate and receive messages for all serverities 0-7.  When in rommon I know it doesn't load the IOS or the startup config which contains the logging parameters but surely there has to be some form of logging messages generated if the router falls into this mode. 

4 REPLIES
Hall of Fame Super Gold

Re: Rommon without a log message

I would like to be notified through a log message if the router is rebooted (deliberately or otherwise) and either drops into rommon mode or is forced into rommon mode with a ctrl+break sequence.

How do you expect that to happen when the device doesn't have a config???

Community Member

Re: Rommon without a log message

I understand that.  I should have clarified more.  Is there any way of altering the firmware code for rommon to provide some kind of notification? SDK? Thanks. 

Hall of Fame Super Gold

Re: Rommon without a log message

My post wasn't mean to offend.

The appliance won't be able to tell you that it's gone to ROMmon because it doesn't have the vital information:  local address and remote address.

However, the machine will tell you if someones invoked the reload command. 

Community Member

Re: Rommon without a log message

No offence taken.  Yeah I can log that but what I'm ultimately trying to alert on is if someone unauthorized gets physical access to the router and performs a password recovery.  The commands (configreg and reset) entered while in rommon do not get logged and as you know the result after the reboot is privilege exec mode to the router, providing access to the startup config and essentially a fully compromised router should an unauthorized individual chose to leverage it.  I can have a log message generated for the cold restarts but that in and of itself is not enough in my mind to indicate that a possible compromise has occured.  The cold restart log message coupled with a configreg log message would be a pretty good indication of something suspicious.  A copy start run (which can also generate a log message) would just further solidify my resolve of something suspicious occuring.  The key though in my mind is somehow alerting on the rommon commands invoked.  Oh well, if you think of something else, I'm all ears.  Thanks for your replies though.

181
Views
0
Helpful
4
Replies
CreatePlease to create content