Is it possible to log all console (serial/ssh/telnet) commands to syslog?

you can't log specific commands, but some actions can be seen in "sysem history" menu

Is there any possibility to implement such a feature? It could be useful in environments where you have to log all user/administrator actions, for example financial institutions.

And for security reasons, you can see if any hackers been in your router.
If you log into a syslog server.

Let's be honest. Possibility to log user actions done on device is a must for any product created for business usage. Mikrotik should also implement such feature. All actions go to standard LOG, then we can forward this information to remote and secure syslog machine.

Like I said, it is in the "/system history" menu. What we don't have is some sort of keylogger that above poster asked for

Yes, I understand, but it is useless when you want to use it for auditing your devices (or employees).

For example, when I add address for an interface:

ip address add interface=ether3 address=192.168.10.1/24

I will get only:

U action="address added" by="admin" policy=write time=nov/10/2014 15:40:32

Another example, if I disable firewall rule, I will get only:

U action="filter rule changed" by="admin" policy=write time=nov/10/2014 15:46:50

What we are talking here is to have a possibility to just log a command to standard log (what we can forward to remote syslog server). I don't know if it's possible when we use WinBox, not CLI (but I believe it is). Just take a look at Cisco, how they do that. Every command goes to log (not every keystroke but command).

There are some security standards, the company have to be compliant with. One of them is PCI DSS: http://en.wikipedia.org/wiki/Payment_Ca ... y_Standard. One of the requirements in this standard is to log all actions taken by any individual with root or administrative privileges. The easiest way to achieve that is just logging every command.

OK, we can live without it, it's obvious. But if RouterOS have this feature implemented, it will be possible to use your devices in larger range of organizations (especially in those compliant with mentioned security standards).

I'd like to revive this post...

There must be a way that Mikrotik adds support to log configuration changes. When you have 1000's of devices all logging to a remove syslog server the generic historical events are pretty useless since it just says that a change was made. As with Cisco, Juniper and a host of other network devices, the ability to log the configuration changes to a syslog server is critical in today's security conscious age. In its current implementation Mikrotik, I would say the information being logged is too generic and mostly irrelevant.

Ie... route changed....
So out of the 500 routes, 1 of them was modified.....the only way to find out which one is to have the configuration collected and imported in to a revision control system to do the compares. On busy routers it would need to be done every 5 min to make it useful

Another missing component is having the ability to send an snmp trap informing a remote system a config item was changed so that a remote configuration backup can be made at that point in time.

Thoughts?

Could I bump this up!

Folks,

I'd like to rise the question again. I see few similar questions (37069, 62183, etc) without an answer. I'm looking for a way to log/account issued commands and tried to enable "account" facility logging, but it didn't help much.

1. Is there any way in current RouterOS version to log at least CLI activity?
2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?

Thanks.

+1. This is something really needed especially in case of routeros as a firewall/gateway of financial services.

Guys, the question is already answered above. Why keep asking the same?

+1
They are asking for a syslog solution. That is why its asked again.
This is also some I like.

Take a look at what I using in the cisco switch/routers: This will send all commands to syslog, not only config commands.
"show running" is logged. Every thing you writhe and hit enter is logged.
Since web-gui also sends just commands to the Cisco, they are logged as well.

Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.

Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.

Thank you Normis.

2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?

Folks, my I have these questions answered please?

Thanks.

Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.

The main basis for this is to track changes. At the moment I parse the configuration export with the /system history option to tie up what changes were made to a configuration and by whom. This isnt ideal, but seems to provide some verbosity. Moving forward this is something that needs serious consideration as the currently history is pretty useless as its far too generic.

eg. Route added, device changed etc.

+1 pls

Just to show what the /system history log that Normis mention.
It does only show that a user has done something to the rules, but not what command has been run.

So for sure this is a big request to make RouterOS more secure.


PS
Question is:
Is it possible to log all console (serial/ssh/telnet) commands to syslog?
Answer: It does not log any commands that has been run, so please remove solved from topic.

1. Is there any way in current RouterOS version to log at least CLI activity?
2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?

1. No
2. Has not been posted.
Som log information found here: https://wiki.mikrotik.com/wiki/Manual:System/Log
It is also a big mess without any good system,see more here: viewtopic.php?f=2&t=124291
3. Not that I know about.

I wonder if there is a way to motivate Mikrotik to assist with this, or to provide a technical reason why it can't be done?

Impressive six year thread for a feature that appears almost trivial for Mikrotik compared to direct competitors (*) and would instantly increase their popularity with businesses scaling up and larger enterprises ...

How strange to ignore such an easy win when they have already done 90% of the leg work!

(*) It is just a change replay as commands wherever commands are not directly entered via the Terminal shell. So, this has nothing to do with keyloggers whatsoever. It is also much easier for Mikrotik than other direct competitors because all their user interfaces are clearly just a subset of their Command Line Interface.

+1 need this feature

I just bump this up so it will not be forgotten by the MikroTik team.

Getting all command logged and send to syslog would help a lot in to case where RouterOS is compromised.
Would be easy to roll back commands that has been entered.

There has been several cases lately where router get hacked trough WinBox.
User upgrades to new software and change password.
Some days later he get hacked again, since some code was added.

So.
Please MikroTik add this function.

I am planning a remote logging server that will include our Mikrotik devices. I too am interested in more verbosity and granularity with logs.

Look at my project here for logging.

viewtopic.php?t=137338

Getting all commands executed into Splunk would be a great +

Hi

Has this been done / implemented

Hi

Has this been done / implemented

Nope