
 
petern
just joined
Topic Author
Posts: 23
Joined: Wed Dec 13, 2017 5:58 pm

Feature Request: Logging of all administrator user actions

Tue Feb 20, 2018 6:11 pm

Hi,

Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators.
The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
[This is not a key logger! ;-)]

PCI DSS Requirements
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.2 All actions taken by any individual with root or administrative privileges
 
nimbo78
Frequent Visitor
Posts: 72
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature Request: Logging of all administrator user actions

Fri Feb 23, 2018 9:06 am

+1
current logging is not useful. especially for large installations needed.
 
jo2jo
Forum Veteran
Posts: 958
Joined: Fri May 26, 2006 1:25 am

Re: Feature Request: Logging of all administrator user actions

Sun Apr 01, 2018 7:07 am

Plus 1 - I agree, even detailed logging for even one admin user would be very useful and helpful (i.e. more than the current logging of "firewall rule changed" would be helpful. Best would be an exact printout of the rule change from X to Y).
:beep :beep :beep
 
artie11
Frequent Visitor
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: Feature Request: Logging of all administrator user actions

Sat Apr 14, 2018 3:58 am

+1, Would really help as we ship logs for central processing.
 
dcosgrove
just joined
Posts: 9
Joined: Fri Nov 16, 2012 7:05 am

Re: Feature Request: Logging of all administrator user actions

Sat Apr 14, 2018 6:12 am

+1 for tacacs
 
doneware
Trainer
Posts: 539
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:20 pm

> The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
> [This is not a key logger! ;-)]

while i do support this, especially if it also affects entries in /system history, it has some challenges.
can i suppose all "sensitive" stuff should be also logged, but not revealed to everybody? this could still lead to leaks.
so if the "verbose" (command accounting type) command/change logging will be implemented, i would strongly advocate not to log sensitive information (password, key, secret).

also absolute device/rule references may not be as easy as they seem at first glance. universal internal IDs (as in API) could be valid between reboots, but would hardly reveal any useful reference for the operator.
#TR0359
 
doneware
Trainer
Posts: 539
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:21 pm

and i'll say not just "administrator" but all user actions.
#TR0359
 
pe1chl
Forum Guru
Posts: 5930
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:33 pm

Possibly easiest is to send logs to some external syslog service that has a trigger script that after some change has
been made (or maybe after a couple of changes and some dead time) retrieves the /export from the device and stores
it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.
 
doneware
Trainer
Posts: 539
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 6:28 pm

> retrieves the /export from the device and stores it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.

we do this already, in 5 minute intervals if change is detected, and in 24 hour intervals regardless of whether there was any change or not, just to make sure we have at least daily backups.

this however opens up another question: why doesn't /export contain all configuration elements (certificates, user passwords, ssh-keys)?
i've raised this story multiple times with support, but so far there was no real progress in this field.
#TR0359
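
The syslog-triggered export with a dead time that pe1chl describes, combined with doneware's commit-only-on-change schedule, as an added example (not code from any poster or from MikroTik). The log message pattern, the export header pattern, the device name `gw1`, an already initialised git repository, and all function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumption: change messages read "<item> <verb> by <user>", as quoted in this thread.
CHANGE_RE = re.compile(r"\b(?:added|changed|removed|moved) by (\S+)")
# Assumption: /export output opens with a dated "# ... by RouterOS ..." comment line.
HEADER_RE = re.compile(r"^# .* by RouterOS ")
# Constructed sample: (epoch seconds, device, syslog message).
SAMPLE = [
    (0, "gw1", "nat rule changed by admin"),
    (20, "gw1", "filter rule added by alice"),
    (30, "gw1", "user bob logged in via ssh"),
    (500, "gw1", "device changed by admin"),
]

def due_exports(events, dead_time=60):
    """One export per burst of changes, due dead_time seconds after its last change."""
    bursts, due = {}, []                  # bursts: device -> (last_change, authors)
    for ts, device, msg in events:
        m = CHANGE_RE.search(msg)
        if not m:
            continue
        last = bursts.get(device)
        if last and ts - last[0] >= dead_time:    # quiet gap closes the burst
            due.append((device, last[0] + dead_time, sorted(last[1])))
            last = None
        bursts[device] = (ts, (last[1] if last else set()) | {m.group(1)})
    due += [(d, t + dead_time, sorted(a)) for d, (t, a) in bursts.items()]
    return sorted(due, key=lambda e: e[1])

def normalize(export_text):
    """Drop the dated header so an unchanged config produces an identical file."""
    return "".join(l for l in export_text.splitlines(True) if not HEADER_RE.match(l))

def snapshot(repo, device, authors):
    """Fetch /export over SSH and commit it only if it differs from the last copy."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]*", device):
        raise ValueError("unexpected device name")   # used as a path and an ssh argument
    out = subprocess.run(["ssh", device, "/export"],
                         capture_output=True, text=True, check=True).stdout
    Path(repo, f"{device}.rsc").write_text(normalize(out))
    subprocess.run(["git", "-C", repo, "add", "-A"], check=True)
    if subprocess.run(["git", "-C", repo, "diff", "--cached", "--quiet"]).returncode == 0:
        return False                              # nothing changed since the last commit
    who = "change by " + ", ".join(authors) if authors else "scheduled export"
    subprocess.run(["git", "-C", repo, "commit", "-qm", f"{device}: {who}"], check=True)
    return True
```

Calling `snapshot` with an empty author list from a daily timer covers the 24-hour case; the commit message then carries the user names taken from the syslog lines, which the export itself does not record.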
 
ThatMorneGuy
just joined
Posts: 3
Joined: Tue May 08, 2018 1:40 pm

Re: Feature Request: Logging of all administrator user actions

Fri Mar 15, 2019 1:48 pm

+1 for me as well
 
WeWiNet
Member Candidate
Posts: 170
Joined: Thu Sep 27, 2018 4:11 pm

Re: Feature Request: Logging of all administrator user actions

Fri Mar 15, 2019 5:24 pm

+1

I would add that having access to the "undo / redo command" that Winbox (or ROS?) holds with the last 3-5 entries
would be really helpful! This is already in the system, just need a way to make it available for user!!!

This would help not only for logging, but also being able to roll back commands easily in case something doesn't work
and for keeping step by step trace of what changed.
WeWiNet

MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 :-) !!!
 
jo2jo
Forum Veteran
Posts: 958
Joined: Fri May 26, 2006 1:25 am

Re: Feature Request: Logging of all administrator user actions

Sun May 26, 2019 11:43 pm

+1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
tks
:beep :beep :beep
 
pe1chl
Forum Guru
Posts: 5930
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Mon May 27, 2019 2:53 pm

> +1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
> tks

But we do not want things like a log of the username used in failed logins!
Because when the user made an error, this field is often the PASSWORD of the login instead of username, and it appears in the log.
 
3liswaid
newbie
Posts: 44
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria

Re: Feature Request: Logging of all administrator user actions

Mon May 27, 2019 4:19 pm

+1
it's very helpful to find such a log
 
CArdiles
just joined
Posts: 10
Joined: Fri Apr 07, 2017 11:00 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 2:50 pm

Well, i think that something like..

"admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
"admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"

Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain

Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes it is nice to have the option

Cheers!
 
mkx
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 3:54 pm

I'm sure you realize that rule numbers don't exist until you use print command and change if you use some additional filters with that command ... e.g. compare outputs of /ip firewall nat print and /ip firewall nat print chain=srcnat ...

So to make log lines really useful, they should contain full rule being changed (preferably the new one).

And similar considerations go with other commands.
BR,
Metod
 
pe1chl
Forum Guru
Posts: 5930
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 5:07 pm

> Well, i think that something like..
>
> "admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
> "admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"
>
> Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain
>
> Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes it is nice to have the option
>
> Cheers!

That kind of implementation probably makes it more work and reduces the chance that it gets implemented.
I would suggest a more down-to-earth variant where it is just the literal commands that are logged (which unfortunately has the risks I mentioned above, passwords should probably be starred).
When you want detailed change reports you really should arrange for an automatic export of configuration into a versioning system.
E.g. I export all my configs into git and I use gitweb to make colored reports like what you have shown.
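
A sketch of the "starred passwords" idea for literal command logging, which also covers the earlier point about passwords typed into the username field of a failed login, as an added example (not code from any poster or from RouterOS). The secret parameter name suffixes, the failed-login message format, the sample lines, and the choice to keep a name only when it matches a known account are assumptions.

```python
import re

# Assumption: logged commands are RouterOS-style "name=value" pairs; values
# may be double-quoted. Whole pairs are tokenised so that text inside a
# quoted comment is never mistaken for a parameter.
PAIR_RE = re.compile(r'([\w.-]+)=("(?:\\.|[^"\\])*"|\S*)')
# Assumption: illustrative name suffixes, not a full list of secret parameters.
SECRET_NAME = re.compile(r"(?:^|-)(?:password|secret|passphrase|key)$", re.I)
# Assumption: failed logins are logged as "login failure for user X from IP via SVC".
LOGIN_RE = re.compile(r"(login failure for user )(.*)( from \S+ via \S+)$")


def redact_command(cmd):
    """Star the value of every secret-bearing parameter in a logged command."""
    def mask(m):
        name, value = m.groups()
        return f"{name}=****" if value and SECRET_NAME.search(name) else m.group(0)
    return PAIR_RE.sub(mask, cmd)


def redact_failed_login(line, known_users):
    """Keep the name only if it is a real account; otherwise it may be a
    password typed into the username field, so star it."""
    m = LOGIN_RE.search(line)
    if not m or m.group(2) in known_users:
        return line
    return line[:m.start(2)] + "****" + line[m.end(2):]


def sanitize(line, known_users=frozenset()):
    """Apply both redactions before a line is stored or shipped to syslog."""
    return redact_failed_login(redact_command(line), known_users)


# Constructed sample lines (not real device output).
SAMPLE = [
    '/user add name=alice group=full password="S3cr et!" comment="reset password=later"',
    "/interface wireless security-profiles set 0 wpa2-pre-shared-key=hunter2hunter2",
    "login failure for user Winter2019! from 192.0.2.10 via ssh",
    "login failure for user admin from 192.0.2.10 via ssh",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(sanitize(s, known_users={"admin", "alice"}))
```

Keeping known account names preserves the signal needed to spot repeated failures against a real user, while anything else in that field is treated as a possible password.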
 
CArdiles
just joined
Posts: 10
Joined: Fri Apr 07, 2017 11:00 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 7:15 pm

Yeah i know that going full bananas isn't the point either, but just a thought

Logging inputs are also helpful, and i know it should be easier to get it down to practice

About comparing exports with highlighted differences, i already have that going. It would be useful to have something like that locally on the device tho.
Last edited by CArdiles on Wed May 29, 2019 7:17 pm, edited 2 times in total.
 
sleerf
newbie
Posts: 27
Joined: Tue Sep 13, 2016 9:12 am

Re: Feature Request: Logging of all administrator user actions

Mon Sep 30, 2019 9:00 am

I would be thrilled if there was just a general notepad for admins to make notes of changes made.
 
pe1chl
Forum Guru
Posts: 5930
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Mon Sep 30, 2019 11:58 am

RouterOS already has a comment facility for almost any configuration item (which sets it apart from many many other routers!)
plus there is the "/system note" field where you can put multi-line notices. What more do you require?
