Log all console commands

Splash · April 4, 2018, 7:42am

I wonder if there is a way to motivate Mikrotik to assist with this, or to provide a technical reason why it can’t be done?

squeeze · April 4, 2018, 11:09am

Impressive six year thread for a feature that appears almost trivial for Mikrotik compared to direct competitors (*) and would instantly increase their popularity with businesses scaling up and larger enterprises …

How strange to ignore such an easy win when they have already done 90% of the leg work!

(*) It is just a change replay as commands wherever commands are not directly entered via the Terminal shell. So, this has nothing to do with keyloggers whatsoever. It is also much easier for Mikrotik than other direct competitors because all their user interfaces are clearly just a subset of their Command Line Interface.

otorehageni · July 6, 2018, 8:03am

+1 need this feature

Jotne · August 20, 2018, 3:26pm

I just bump this up so it will not be forgotten by the MikroTik team.

Getting all command logged and send to syslog would help a lot in to case where RouterOS is compromised.
Would be easy to roll back commands that has been entered.

There has been several cases lately where router get hacked trough WinBox.
User upgrades to new software and change password.
Some days later he get hacked again, since some code was added.

So.
Please MikroTik add this function.

upnort · August 20, 2018, 7:24pm

I am planning a remote logging server that will include our Mikrotik devices. I too am interested in more verbosity and granularity with logs.

Jotne · August 20, 2018, 7:37pm

Look at my project here for logging.

http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/1

Getting all commands executed into Splunk would be a great +

AlexS · August 18, 2019, 11:29pm

Hi

Has this been done / implemented

Splash · August 19, 2019, 8:04pm

Nope

achris4 · May 18, 2020, 11:10pm

Funny thing, I was just scratching my head trying to figure out how to get the detail output as displayed on this site: https://help.mikrotik.com/docs/display/ROS/Configuration+Management
and I came across this topic… now I’m really scratching my head… Help portal shows exactly what people have been asking for so long, but actual output is as seen in previous replies!

Jotne · May 19, 2020, 5:54am

It seems that MT is working on some in v7.

Adding a filter rule, then system history show the complete command:

V7_Beta] > /system/history/print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U redo=/ip firewall filter add action=accept chain=forward disabled=no dst-address=0.0.0.0/0 log=no log-prefix="" 
    undo=/ip firewall filter remove *1 action="filter rule added" by="jotne" policy=write time=may/19/2020 05:44:59

But in syslog:

system,info MikroTik: filter rule added by jotne

So MT please.

Add possibility to send command to Syslog. If some hacks the router and delete the history, I have all commands externaly.
in /system/history add latest command at the bottom as in log file
Add this to v6 as well.

I will try to make a script that sends these info to syslog as a work around.

Jotne · May 19, 2020, 7:06am

And here is the script. Schedule it to run every 5 min and it will send all new command to syslog

{
if ([:tonum [:pick [/system resource get version] 0 1]] > 6 ) do={
	global cmd
	local f 0
	foreach i in=[system history find] do={
		if ($i = $cmd) do={:set $f 1}
		if ($f<>1) do={
			:log info message="StartCMD"
			:log info message=[system history get $i]
			:log info message="EndCMD"
		}
	}
	global cmd  [:pick [system history find] 0]
}
}

How it works.
It uses a global variable “cmd” to store ID of last run command.
Test if RotuerOS is larger than v6, since this only works on v7
If there are new commands with higher ID, then send the command to syslog and set the “cmd” to the new last command

Splunk search that joins it all togheter.

"script,info" 
| transaction startswith="StartCMD" endswith="EndCMD" maxspan=1s
| rex mode=sed "s/script,info MikroTik: (StartCMD|EndCMD)?//g"
| rex "action=(?<action>[^;]+);by=(?<user>[^;]+);policy=(?<policy>[^;]+);redo=(?<cmd>[^;]+);time=(?<time>[^;]+);undo=(?<undo>[^;]+);undoable=(?<undoable>[^;]+)"
| table user policy action cmd undo undoable

epedersen · March 2, 2021, 3:45am

Hi everyone!

+1 to this feature.

dbt · August 13, 2024, 3:02pm

Hi MikroTik team! So far I have not been able to find a way to enable full details of system history changes as discussed in this forum thread. I presume that this feature has not yet been added, but being able to output details about exactly what was changed to either the local device log or to a remote syslog server would be incredible valuable for auditing and compliance purposes.

Is there a separate part of the Forum or other portal where we can see and/or create feature requests?

I could not find such a category on the forum index https://forum.mikrotik.com/, but it would be a very valuable way for your customers to communicate their business needs.

Here are some examples from other vendors:
https://forums.docker.com/c/general-discussions/feature-requests/
https://community.home-assistant.io/c/feature-requests/
https://community.cambiumnetworks.com/c/your-ideas/

Thank you!