A core component in administering network systems is visibility into configuration changes, history of changes over time, and the ability to alert on changes made to a network. I believe this is a core part of logging and should be enabled for all network devices on an enterprise network. In this post I will show you how to log all commands entered in configuration mode to a syslog server.

Prerequisite

It is assumed that you already have a working syslog server on your network that is reachable for all network devices on TCP and UDP port 514 that you want to send logs from. If you do not have a syslog server or need a quick guide on setting one up, check out my article on setting up an rsyslogd server on Linux.

It is also assumed that you have an account with access to add configuration to the Cisco equipment you want to log from.

Cisco IOS

You will first need to make sure that your device is setup to send to send syslogs to your server, to do that modify and paste the 2 commands below into the global configuration section of your Cisco device.

logging host <Syslog Server IP>
logging source-interface Vlan1
logging trap debugging

The logging host command is what configures your syslog server, make sure to modify <Syslog Server IP> to the actual IP address of your syslog server.

The second command is optional but I recommend it so it is clear what IP address your device will be sending logs from. This becomes important in the case of routers that have multiple IP addresses on them, if this is left out it is not always clear which IP address will be used. And more obviously I use Vlan1 as my source interface in this example, but use the interface that has the IP address that you desire to have attached when sending syslogs to your server.

logging trap debugging - This sets the log level for traps which are sent to the syslog server, this configures your syslog to send all local logs to your syslog server.

At this point all logs will be sent to your syslog but to get the configuration commands logged and shipped in syslog you will need to add some additional configuration to do that paste in the code below into the global configuration section of your Cisco device.

archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys

logging enable - This enables the logging of all configuration mode commands to the local buffer on the device. This is what turns the logging on.

logging size 1000 - This is what specifies the size of the local buffer, in this case 1000 entries. This is not required but I recommend it so if you want to look at the commands locally, in the event something happens to your syslog server you still have a chance of seeing them locally.

notify syslog contenttype plaintext - this is what will send the logs to the syslog you have configured

hidekeys - This is arguably the most important command as it will omit sensitive things typed such as plaintext passwords entered on the terminal.

Cisco NXOS

The Cisco Nexus platform is slightly different, because of course it has to be. But regardless you can achieve the same end result of sending configuration commands over syslog. I will say in my experience the logs come as a different facility so if you parse the logs searching for keywords they will be different so your tools will need to account for that.

You will first need to setup or validate that your device is sending syslogs to your server, if it is not the command to add a syslog server is below.

logging server <Syslog Server IP> 6 use-vrf default facility syslog

The first 3 words are self explanatory but to expand on the rest of the command --

6 is the logging level to use when sending logs to syslog

use-vrf default is the VRF to use when accessing the network, in this case I am using default but another example would be using the management vrf.

facility syslog is the facility to use when sending the logs so it will inherit settings from there

At this point the Nexus will be sending syslogs to your server but again you will need to add additional configuration in order to capture the configuration commands. 

logging level aaa 6

Because the nexus captures the commands in the aaa logs, setting the logging level of aaa to 6 will cause those to be brought into the syslogs thus sending commands to your syslog server.

One thing I did notice between NXOS and IOS is that copy run start on nexus will be pulled into these logs even tho that is not entered in config mode of the terminal, in my opinion that is fairly neutral that it includes/excludes that but it was something interesting that I noticed.

So at this point you can validate that you are getting logs you need by going into config mode, entering and exiting an interface and you should see the logs pull into your syslog server. If you do you can save the configuration on your devices.

Conclusion

I believe this is among the first things that should be done on an enterprise network, especially if multiple people have access into the equipment there needs to be a level of tracking so that if changes take place not only can the exact time be recalled both locally and from syslog but if a malicious actor enters your network you can easily see exactly what they did and revert any configuration. I have used this to build out a larger auditing platforms that ingests the command logs and sends real time alerts when there is configuration made which adds so much value and accountability when you are trying to track down what happened, when it happened, and by who.

And plus what network admin doesn't love to be able to confidently say "no changes were made between this time and this time" when someone comes up and asks the question "Hey I'm troubleshooting this issue and was wondering if there were any network changes between this time frame" :)