Is it possible to log all console (serial/ssh/telnet) commands to syslog?
You can’t log specific commands, but some actions can be seen in the “system history” menu.
Is there any possibility to implement such a feature? It could be useful in environments where you have to log all user/administrator actions, for example financial institutions.
And for security reasons, you can see if any hackers have been in your router.
If you log into a syslog server.
Let’s be honest. The possibility to log user actions done on a device is a must for any product created for business usage. Mikrotik should also implement such a feature. All actions go to the standard LOG, then we can forward this information to a remote and secure syslog machine.
Like I said, it is in the “/system history” menu. What we don’t have is some sort of keylogger that the above poster asked for.
Yes, I understand, but it is useless when you want to use it for auditing your devices (or employees).
For example, when I add an address for an interface:
ip address add interface=ether3 address=192.168.10.1/24
I will get only:
U action="address added" by="admin" policy=write time=nov/10/2014 15:40:32
Another example: if I disable a firewall rule, I will get only:
U action="filter rule changed" by="admin" policy=write time=nov/10/2014 15:46:50
What we are talking about here is having the possibility to just log a command to the standard log (which we can forward to a remote syslog server). I don’t know if it’s possible when we use WinBox rather than the CLI (but I believe it is). Just take a look at Cisco and how they do that. Every command goes to the log (not every keystroke, but every command).
There are some security standards the company has to be compliant with. One of them is PCI DSS: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard. One of the requirements in this standard is to log all actions taken by any individual with root or administrative privileges. The easiest way to achieve that is just logging every command.
OK, we can live without it, that’s obvious. But if RouterOS had this feature implemented, it would be possible to use your devices in a larger range of organizations (especially in those compliant with the mentioned security standards).
I’d like to revive this post…
There must be a way for Mikrotik to add support for logging configuration changes. When you have thousands of devices all logging to a remote syslog server, the generic historical events are pretty useless since they just say that a change was made. As with Cisco, Juniper and a host of other network devices, the ability to log the configuration changes to a syslog server is critical in today’s security-conscious age. In its current implementation, I would say the information Mikrotik logs is too generic and mostly irrelevant.
I.e. “route changed”…
So out of the 500 routes, one of them was modified… The only way to find out which one is to have the configuration collected and imported into a revision control system to do the compares. On busy routers it would need to be done every 5 minutes to make it useful.
Another missing component is the ability to send an SNMP trap informing a remote system that a config item was changed, so that a remote configuration backup can be made at that point in time.
Thoughts?
Could I bump this up!
Folks,
I’d like to raise the question again. I see a few similar questions (37069, 62183, etc.) without an answer. I’m looking for a way to log/account issued commands and tried to enable the “account” facility logging, but it didn’t help much.
- Is there any way in the current RouterOS version to log at least CLI activity?
- Where can I find a list of all the log messages (with associated topics) that RouterOS can generate?
- Does RouterOS support RADIUS command accounting?
Thanks.
+1. This is something really needed, especially in the case of RouterOS as a firewall/gateway of financial services.
Guys, the question is already answered above. Why keep asking the same?
+1
They are asking for a syslog solution. That is why it’s asked again.
This is also something I like.
Take a look at what I am using in the Cisco switches/routers:
event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
action 2.0 set _exit_status "1"
This will send all commands to syslog, not only config commands.
“show running” is logged. Everything you write and hit enter on is logged.
Since the web GUI also sends just commands to the Cisco, they are logged as well.
Feature request is different from “is there a way to do this now?”
No there isn’t. Feature request noted.
Thank you Normis.
Folks, may I have these questions answered please?
Thanks.
The main basis for this is to track changes. At the moment I parse the configuration export together with the /system history option to tie up what changes were made to a configuration and by whom. This isn’t ideal, but seems to provide some verbosity. Moving forward this is something that needs serious consideration, as the current history is pretty useless as it’s far too generic.
e.g. “route added”, “device changed”, etc.
+1 pls
Just to show the /system history log that Normis mentioned:
[jotne@master-gw] /system history> print detail
Flags: U - undoable, R - redoable, F - floating-undo
U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:41:33
U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:39:58
U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:39:55
U action="log rule added" by="jotne" policy=write time=apr/02/2018 18:39:41
U action="static dns entry changed" by="jotne" policy=write time=mar/30/2018 08:15:49
It only shows that a user has done something to the rules, but not what command has been run.
So for sure this is a big request to make RouterOS more secure.
PS
Question is:
Is it possible to log all console (serial/ssh/telnet) commands to syslog?
Answer: It does not log any commands that have been run, so please remove “solved” from the topic.
- No.
- Has not been posted.
Some log information can be found here: https://wiki.mikrotik.com/wiki/Manual:System/Log
It is also a big mess without any good system, see more here: http://forum.mikrotik.com/t/logging-prefix-is-a-mess-sup-105353-sup-144261-waiting-for-mt-to-support-rfc-5424/111067/1
- Not that I know about.
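As an added illustration of the workaround described earlier in the thread (parsing a configuration export alongside /system history to work out what changed and by whom), and not code from the thread or from MikroTik: a small Python script that parses the /system history print detail format quoted above, diffs two /export snapshots, and lists the history events and users that fall between the snapshots. The history lines and export snapshots below are constructed samples.

```python
import re
import difflib
from datetime import datetime
# Constructed samples: /system history output (format quoted above) and two /export snapshots.
HISTORY = """\
U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:41:33
U action="log rule added" by="jotne" policy=write time=apr/02/2018 18:39:41
U action="static dns entry changed" by="jotne" policy=write time=mar/30/2018 08:15:49
"""
EXPORT_BEFORE = """\
/ip dns static
add address=10.0.0.5 name=old.example
/system logging
add topics=firewall action=remote
"""
EXPORT_AFTER = """\
/ip dns static
add address=10.0.0.6 name=old.example
/system logging
add topics=firewall,info action=remote
add topics=system action=remote
"""
HIST_RE = re.compile(r'^(?P<flags>[URF]*)\s*action="(?P<action>[^"]*)"\s+by="(?P<by>[^"]*)"'
                     r'\s+policy=(?P<policy>\S+)\s+time=(?P<time>\S+ \S+)$')

def parse_history(text):
    """Parse history lines into dicts; the RouterOS time string becomes a datetime."""
    records = []
    for line in text.splitlines():
        m = HIST_RE.match(line.strip())
        if m:  # lines such as the "Flags:" legend simply do not match
            records.append({**m.groupdict(),
                            "time": datetime.strptime(m["time"], "%b/%d/%Y %H:%M:%S")})
    return records

def export_diff(before, after):
    """Added ('+') and removed ('-') export lines, tagged with the section they sit in."""
    changes, section = [], None
    for d in difflib.ndiff(before.splitlines(), after.splitlines()):
        tag, line = d[:2], d[2:]
        if line.startswith("/"):  # section header such as "/system logging"
            section = line
        elif tag in ("+ ", "- "):  # "? " hint lines from ndiff are skipped
            changes.append((section, tag.strip(), line))
    return changes

def attribute_changes(before, after, history, since):
    """Pair the export diff with the history events newer than the previous snapshot."""
    events = [r for r in parse_history(history) if r["time"] > since]
    return export_diff(before, after), sorted({r["by"] for r in events}), events
```

The history still does not say which rule was touched, so the diff supplies the "what" and the history the "who" and "when"; snapshots have to be taken often enough that the two can be matched.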