Frequent PARSER-5-CFGLOG_LOGGEDCMD log messages

j.hozeska
Level 1

Hi everyone,

I have a router which has recently begun generating many PARSER-5-CFGLOG_LOGGEDCMD log messages. It used to happen once a week or so, but now it is repeating throughout the day, every day.

The messages come through looking like this:

Nov  5 09:03:25 Revenant 69217: Nov  5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended Virtual-Access2.44#5625601

Nov  5 09:03:25 Revenant 69218: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit tcp any any established

Nov  5 09:03:25 Revenant 69219: Nov  5 2010 08:03:24.982 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any <obfuscated netblock>

Nov  5 09:03:25 Revenant 69220: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny tcp any any eq 25

Nov  5 09:03:25 Revenant 69221: Nov  5 2010 08:03:24.986 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:permit ip any any

Nov  5 09:16:58 Revenant 69222: Nov  5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip access-list extended Virtual-Access2.44#5625601


I have read in other places that this is normal for when a router reboots. But my router is not rebooting. So I am wondering if something is going wrong.


Some info about the router is:

Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 23664897
R7000 CPU at 350MHz, Implementation 39, Rev 3.2, 256KB L2 Cache
6 slot VXR midplane, Version 2.9

Cisco IOS Software, 7200 Software (C7200-JK9S-M), Version 12.4(8)

ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Revenant uptime is 1 year, 28 weeks, 1 day, 14 hours, 34 minutes
System returned to ROM by power-on
System restarted at 18:46:02 EST Tue Apr 21 2009
System image file is "disk0:c7200-jk9s-mz.124-8.bin"

If anyone has any input or experience with this, it would be much appreciated.

gephelps
Cisco Employee

Config messages configuring crypto maps with a name of NiStTeSt1 are normal when booting.

The messages logged here are not the same.  Based on the name of the ACL I suspect a user is logging into the device and this per user ACL is being applied to the user.

I'm researching the same type of question.  I see a lot of routers log changes made by a username called "console".  These logged changes reflect what you say about the crypto map "NiStTeSt1".  You say this is normal.  Then you go on to say that in this particular instance a user logged in and made these changes.

So, are you saying someone logged into this router via a serial, telnet, or ssh session and made these changes?  That doesn't make any sense.  When a user logs into any Cisco network device that supports these plain text logging commands, their changes are logged as the username they used to log into the device (not some generic username like "console").

Now, if "console" is a cisco system user account of some sort then I might go along with that.  But that is an explanation that I have yet to hear.

Here is an example of what I see when I reload a router (not connected to any network), connect via serial cable using my own local account "ELONAZAZIAH", and configure a traffic capture profile.  I am the only user logged into this router and you can plainly see the difference. 

I'm sure there is a logical explanation for this.  I would just like to know what it is.

000014: *Jul 31 2012 18:46:42.443 UTC: %SYS-5-CONFIG_I: Configured from memory by console

000015: *Jul 31 2012 18:46:42.643 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20

000016: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual

000017: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:match address 199

000018: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:set peer 20.20.20.20

000019: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:exit

000020: *Jul 31 2012 18:46:42.651 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down

000021: *Jul 31 2012 18:46:42.651 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to down

000022: *Jul 31 2012 18:46:42.659 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no access-list 199

000023: *Jul 31 2012 18:46:42.663 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1

000024: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface FastEthernet2, changed state to administratively down

000025: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface FastEthernet3, changed state to administratively down

000026: *Jul 31 2012 18:46:45.283 UTC: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down

000027: *Jul 31 2012 18:46:45.283 UTC: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up

000028: *Jul 31 2012 18:46:45.283 UTC: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up

000029: *Jul 31 2012 18:46:45.287 UTC: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Tue 16-Nov-10 04:53 by prod_rel_team

000030: *Jul 31 2012 18:46:45.307 UTC: %SSH-5-ENABLED: SSH 2.0 has been enabled

000035: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down

000036: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down

000037: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down

000038: *Jul 31 2012 18:46:46.287 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down

000040: *Jul 31 2012 18:47:39.695 UTC: %LINK-3-UPDOWN: Interface ATM0, changed state to up

000041: *Jul 31 2012 18:47:40.695 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up

000043: *Jul 31 2012 18:47:50.123 UTC: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up

000044: *Jul 31 2012 18:47:51.183 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

000045: *Jul 31 2012 18:47:52.039 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up

000046: *Jul 31 2012 18:47:52.039 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

000047: *Jul 31 2012 18:49:15.323 UTC: %AAA-3-DROPACCTFAIL: Accounting record dropped, send to server failed: system

000048: *Jul 31 2012 18:49:15.323 UTC: %SNMP-5-COLDSTART: SNMP agent on host ECT-AR-0-887-136 is undergoing a cold start

000049: *Jul 31 2012 20:00:05.667 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:!exec: enable

000050: *Aug  1 2012 18:15:31.010 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:!exec: enable

000051: *Aug  1 2012 18:16:23.218 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:logging console

000052: *Aug  1 2012 18:16:46.390 UTC: %SYS-5-CONFIG_I: Configured from console by ELONAZAZIAH on console

000053: *Aug  1 2012 20:42:04.425 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:!exec: enable

000054: *Aug  1 2012 20:43:12.021 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:ip traffic-export profile PCAP mode capture

000055: *Aug  1 2012 20:43:17.337 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:length 512

000056: *Aug  1 2012 20:43:24.989 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:bidirectional

000057: *Aug  1 2012 20:43:27.293 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:exit

000058: *Aug  1 2012 20:43:36.421 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:interface Vlan2

000059: *Aug  1 2012 20:45:32.049 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:ip traffic-export apply PCAP size 10000000

000060: *Aug  1 2012 20:45:36.605 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:exit

Oh one more thing....

The 20.20.20.20 address this router (and every router I've seen do this) is configuring as a peer address belongs to the Computer Sciences Corporation.

http://www.iptools.com/dnstools.php?tool=ipwhois&user_data=20.20.20.20

Bert Gevers
Cisco Employee

Hello Jonathan,

The messages which are shown are indeed caused by a user making a configuration change through the console.

If you do not want to see these messages, you can disable this feature.  The commands to do this are:

conf t

archive

  log config

    no notify syslog

This will stop these messages when configuration changes are being made.  They will still be available through 'show archive log config all'.

HTH,

Bert

The question is not how to hide the messages.  The question is what causes the messages.

I want the plain text logging turned on because I want to know who is making changes on my routers.

Again, I'm open to the possibility that the username "console" is a legitimate user that is programmed into the image.  But I'm starting to think that only a programmer can answer that.

If it is a legitimate user then I want to know it.

If it is not a legitimate user then where did it come from?

I'm leaning towards it being legitimate.  Especially since it happens the same way for me on multiple routers that are not connected to any network.  I am consoled in with my own local account when it happens and I am the only user showing logged in.

But why is it always trying to form a VPN tunnel with a peer address that belongs to the Computer Sciences Corporation??

I also notice that the "console" user removes the crypto map and acl in the very same second that it creates it.  This further assures me that this is something that was programmed by whomever created the image (I hope).  It was programmed by something or someone for sure.

I was hoping someone might have an explanation.

Thanks,

Chris
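As an added example (not code from anyone in this thread), the following Python script parses CFGLOG_LOGGEDCMD lines in both formats quoted above, counts changes per user, and flags a command that is undone by its "no" form within a short window, which is the create-and-remove-in-the-same-second behaviour noted for the NiStTeSt1 crypto map. The sample lines are constructed here, modelled on the posts; the one-second window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the two formats quoted in the thread:
# a local buffer with sequence numbers, and lines relayed to a syslog host.
SAMPLE_LOG = """\
000016: *Jul 31 2012 18:46:42.647 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
000023: *Jul 31 2012 18:46:42.663 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1
000054: *Aug  1 2012 20:43:12.021 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ELONAZAZIAH  logged command:ip traffic-export profile PCAP mode capture
Nov  5 09:03:25 Revenant 69217: Nov  5 2010 08:03:24.978 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:ip access-list extended Virtual-Access2.44#5625601
Nov  5 09:16:58 Revenant 69222: Nov  5 2010 08:16:57.831 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no ip access-list extended Virtual-Access2.44#5625601
"""

# Key on the device timestamp directly before the facility; a relay prefix
# (hostname, sequence number) is skipped by the non-greedy ".*?".
LINE_RE = re.compile(
    r".*?\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) \S+: %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

def parse_cfglog(text):
    """Return one dict per CFGLOG_LOGGEDCMD line: when, user, cmd."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{m['mon']} {int(m['day'])} {m['year']} {m['time']}"
        events.append({"when": datetime.strptime(stamp, "%b %d %Y %H:%M:%S.%f"),
                       "user": m["user"], "cmd": m["cmd"].strip()})
    return events

def changes_by_user(events):
    """Count logged commands per user; 'console' is the system-originated bucket."""
    return dict(Counter(e["user"] for e in events))

def interactive_changes(events):
    """Commands attributed to a named login rather than to 'console'."""
    return [(e["user"], e["cmd"]) for e in events if e["user"] != "console"]

def transient_pairs(events, window_seconds=1.0):
    """Pairs (create, undo) where 'no <cmd>' follows <cmd> within the window.

    The boot-time NiStTeSt1 map is removed 16 ms after creation and matches;
    the per-user ACL that lives for a whole session (13 minutes) does not."""
    found = []
    for undo in events:
        if not undo["cmd"].startswith("no "):
            continue
        target = undo["cmd"][3:]
        for create in events:
            age = (undo["when"] - create["when"]).total_seconds()
            if (create["user"] == undo["user"] and create["cmd"].startswith(target)
                    and 0 <= age <= window_seconds):
                found.append((create["cmd"], undo["cmd"]))
    return found
```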

Hello,

I have this kind of message. The origin is a command injection via RADIUS, for example:

Oct  3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default ip ospf message-digest-key 1

Oct  3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default ip ospf 59 area 1

Oct  3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default ip address 1.59.100.162 255.255.255.240

Oct  3 2012 23:21:48.258 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default routing dynamic

Oct  3 2012 23:21:48.262 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default ip vrf forwarding

Oct  3 2012 23:21:48.266 GMT+2: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:default logging event link-status

I believe this has to do with the archive command on the router:

R1#sh archive log config all

idx   sess           user@line      Logged command

    1     1        console@console  |  logging enable

    2     1        console@console  |  logging size 1000

    3     1        console@console  |  exit

    4     1        console@console  |   exit

    5     2        console@console  |interface FastEthernet0/0

    6     2        console@console  | ip address 192.168.1.1 255.255.255.0

    7     2        console@console  | no shutdown

    8     2        console@console  | exit

    9     3        console@console  |archive

   10     3        console@console  | log config

   11     3        console@console  |  record rc

   12     3        console@console  |  exit

   13     3        console@console  |   exit

   14     4        console@console  |archive

It's due to the "notify syslog" command listed under the archive/logging configuration in the router. If you remove "notify syslog" you'll no longer get the message.

HTH,

John


Hi,

Still waiting for a satisfactory explanation of why those commands are being executed automatically with the user name CONSOLE.

Is it a bug in the IOS? Expecting an answer from the Cisco experts at the earliest.

Thanks,

Rag.

Did you ever get an answer to this question?

Why will console issue obvious commands on the router? In my case I have

227 0 console@console |interface Serial1/0/0:23
228 0 console@console | shutdown
229 0 console@console |interface Serial1/0/0:23
230 0 console@console | no isdn bind-l3 ccm-manager
231 0 console@console |interface Serial1/0/0:23
232 0 console@console | no shutdown
233 0 console@console |interface Serial1/0/0:23
234 0 console@console | shutdown
235 0 console@console |interface Serial1/0/0:23
236 0 console@console | isdn bind-l3 ccm-manager
237 0 console@console |interface Serial1/0/0:23
238 0 console@console | no shutdown
241 0 console@console |interface Serial1/0/0:23
242 0 console@console | shutdown
243 0 console@console |interface Serial1/0/0:23
244 0 console@console | no isdn bind-l3 ccm-manager
245 0 console@console |interface Serial1/0/0:23
246 0 console@console | no shutdown
247 0 console@console |interface Serial1/0/0:23
248 0 console@console | shutdown
249 0 console@console |interface Serial1/0/0:23
250 0 console@console | isdn bind-l3 ccm-manager
251 0 console@console |interface Serial1/0/0:23
252 0 console@console | no shutdown
