
Log all console commands

Posted: Tue Oct 16, 2012 3:56 pm
by inten
Is it possible to log all console (serial/ssh/telnet) commands to syslog?

Re: Log all console commands  [SOLVED]

Posted: Tue Oct 16, 2012 3:58 pm
by normis
You can't log specific commands, but some actions can be seen in the "system history" menu.

Re: Log all console commands

Posted: Mon Oct 06, 2014 12:44 pm
by santa
Is there any possibility to implement such a feature? It could be useful in environments where you have to log all user/administrator actions, for example financial institutions.

Re: Log all console commands

Posted: Mon Oct 06, 2014 7:39 pm
by patrikg
And for security reasons, you can see if any hackers have been in your router.
If you log to a syslog server.

Re: Log all console commands

Posted: Sun Nov 09, 2014 5:31 pm
by santa
Let's be honest. The possibility to log user actions done on a device is a must for any product created for business usage. Mikrotik should also implement such a feature. All actions go to the standard LOG, then we can forward this information to a remote and secure syslog machine.

Re: Log all console commands

Posted: Mon Nov 10, 2014 2:59 pm
by normis
Like I said, it is in the "/system history" menu. What we don't have is some sort of keylogger that the above poster asked for.

Re: Log all console commands

Posted: Mon Nov 10, 2014 6:03 pm
by santa
Yes, I understand, but it is useless when you want to use it for auditing your devices (or employees).

For example, when I add address for an interface:
ip address add interface=ether3 address=192.168.10.1/24
I will get only:
U action="address added" by="admin" policy=write time=nov/10/2014 15:40:32
Another example, if I disable firewall rule, I will get only:
U action="filter rule changed" by="admin" policy=write time=nov/10/2014 15:46:50
What we are talking about here is having the possibility to just log a command to the standard log (which we can forward to a remote syslog server). I don't know if it's possible when we use WinBox, not the CLI (but I believe it is). Just take a look at Cisco, how they do that. Every command goes to the log (not every keystroke, but every command).

There are some security standards the company has to be compliant with. One of them is PCI DSS: http://en.wikipedia.org/wiki/Payment_Ca ... y_Standard. One of the requirements in this standard is to log all actions taken by any individual with root or administrative privileges. The easiest way to achieve that is just logging every command.

OK, we can live without it, it's obvious. But if RouterOS has this feature implemented, it will be possible to use your devices in a larger range of organizations (especially in those compliant with the mentioned security standards).

Re: Log all console commands

Posted: Tue Feb 14, 2017 8:06 am
by Splash
I'd like to revive this post...

There must be a way that Mikrotik adds support to log configuration changes. When you have 1000's of devices all logging to a remote syslog server the generic historical events are pretty useless since it just says that a change was made. As with Cisco, Juniper and a host of other network devices, the ability to log the configuration changes to a syslog server is critical in today's security-conscious age. In its current implementation in Mikrotik, I would say the information being logged is too generic and mostly irrelevant.

Ie... route changed....
So out of the 500 routes, 1 of them was modified.....the only way to find out which one is to have the configuration collected and imported in to a revision control system to do the compares. On busy routers it would need to be done every 5 min to make it useful :(

Another missing component is having the ability to send an snmp trap informing a remote system a config item was changed so that a remote configuration backup can be made at that point in time.

Thoughts?

Re: Log all console commands

Posted: Mon Apr 24, 2017 10:30 am
by Splash
Could I bump this up!

Re: Log all console commands

Posted: Tue Aug 15, 2017 6:58 am
by alex1
Folks,

I'd like to raise the question again. I see a few similar questions (37069, 62183, etc) without an answer. I'm looking for a way to log/account issued commands and tried to enable "account" facility logging, but it didn't help much.

1. Is there any way in current RouterOS version to log at least CLI activity?
2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?

Thanks.

Re: Log all console commands

Posted: Tue Aug 15, 2017 8:04 am
by otgooneo
+1. This is something really needed especially in case of routeros as a firewall/gateway of financial services.

Re: Log all console commands

Posted: Tue Aug 15, 2017 8:13 am
by normis
Guys, the question is already answered above. Why keep asking the same?

Re: Log all console commands

Posted: Tue Aug 15, 2017 8:56 am
by Jotne
+1
They are asking for a syslog solution. That is why it's asked again.
This is also something I would like.

Take a look at what I am using in the Cisco switches/routers:
event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 action 2.0 set _exit_status "1"
This will send all commands to syslog, not only config commands.
"show running" is logged. Everything you write and hit enter on is logged.
Since the web GUI also just sends commands to the Cisco, they are logged as well.

Re: Log all console commands

Posted: Tue Aug 15, 2017 10:10 am
by normis
Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.

Re: Log all console commands

Posted: Tue Aug 15, 2017 10:43 am
by otgooneo
Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.
Thank you Normis.

Re: Log all console commands

Posted: Wed Aug 16, 2017 12:50 am
by alex1
2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?
Folks, may I have these questions answered please?

Thanks.

Re: Log all console commands

Posted: Wed Sep 06, 2017 10:26 am
by Splash
Feature request is different from "is there a way to do this now?"
No there isn't. Feature request noted.
The main basis for this is to track changes. At the moment I parse the configuration export with the /system history option to tie up what changes were made to a configuration and by whom. This isn't ideal, but seems to provide some verbosity. Moving forward this is something that needs serious consideration as the current history is pretty useless as it's far too generic.

eg. Route added, device changed etc.
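
The workaround described in the post above (tying /system history entries to a diff of configuration exports), sketched as an added example that is not part of the original thread. The history lines and export snapshots are constructed samples in the format quoted in this thread, and the function names are hypothetical.

```python
import difflib
import re
from datetime import datetime

# Constructed "/system history print detail" lines, in the format quoted in the thread.
HISTORY = """\
 U action="filter rule changed" by="admin" policy=write time=nov/10/2014 15:46:50
 U action="address added" by="admin" policy=write time=nov/10/2014 15:40:32
 U action="static dns entry changed" by="jotne" policy=write time=nov/09/2014 08:15:49
"""
# Constructed "/export" snapshots taken before and after the audit window.
BEFORE = """\
/ip firewall filter
add action=drop chain=input in-interface=ether1
"""
AFTER = """\
/ip address
add address=192.168.10.1/24 interface=ether3
/ip firewall filter
add action=drop chain=input disabled=yes in-interface=ether1
"""
ENTRY = re.compile(r'action="(?P<action>[^"]+)" by="(?P<by>[^"]+)" '
                   r'policy=(?P<policy>\S+) time=(?P<time>\S+ \S+)')

def parse_history(text):
    """Return history entries as dicts with a parsed datetime, oldest first."""
    entries = [m.groupdict() for m in ENTRY.finditer(text)]
    for e in entries:  # assumes English month abbreviations, as in the thread
        e["time"] = datetime.strptime(e["time"].title(), "%b/%d/%Y %H:%M:%S")
    return sorted(entries, key=lambda e: e["time"])

def flatten(export):
    """Prefix every export line with its section path so a diff line is self-describing."""
    section, out = "", []
    for line in export.splitlines():
        if line.startswith("/"):
            section = line
        elif line.strip():
            out.append(f"{section} {line}")
    return out

def audit(history, before, after, since, until):
    """Pair who/when (history) with what (export diff) for one time window."""
    who = [e for e in parse_history(history) if since <= e["time"] <= until]
    diff = difflib.ndiff(flatten(before), flatten(after))
    return who, [d for d in diff if d.startswith(("+ ", "- "))]

if __name__ == "__main__":
    who, what = audit(HISTORY, BEFORE, AFTER,
                      datetime(2014, 11, 10), datetime(2014, 11, 11))
    for e in who:
        print(e["time"], e["by"], e["action"])
    print(*what, sep="\n")
```

The attribution is only as fine as the snapshot interval: when several history entries fall in one window, the diff lines cannot be matched to individual users or timestamps.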

Re: Log all console commands

Posted: Wed Apr 04, 2018 7:41 am
by jo2jo
+1 pls

Re: Log all console commands

Posted: Wed Apr 04, 2018 9:46 am
by Jotne
Just to show the /system history log that Normis mentioned:
 [jotne@master-gw] /system history> print detail 
Flags: U - undoable, R - redoable, F - floating-undo 
 U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:41:33 
 U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:39:58 
 U action="log rule changed" by="jotne" policy=write time=apr/02/2018 18:39:55 
 U action="log rule added" by="jotne" policy=write time=apr/02/2018 18:39:41 
 U action="static dns entry changed" by="jotne" policy=write time=mar/30/2018 08:15:49 
It does only show that a user has done something to the rules, but not what command has been run.

So for sure this is a big request to make RouterOS more secure.
:D :D :D :D :D :D

PS
Question is:
Is it possible to log all console (serial/ssh/telnet) commands to syslog?
Answer: It does not log any commands that have been run, so please remove solved from topic.

Re: Log all console commands

Posted: Wed Apr 04, 2018 10:03 am
by Jotne
1. Is there any way in current RouterOS version to log at least CLI activity?
2. Where I can find a list of all the log messages (with associated topics) that RouterOS can generate?
3. Does RouterOS support RADIUS command accounting?
1. No
2. Has not been posted.
Some log information found here: https://wiki.mikrotik.com/wiki/Manual:System/Log
It is also a big mess without any good system, see more here: viewtopic.php?f=2&t=124291
3. Not that I know about.

Re: Log all console commands

Posted: Wed Apr 04, 2018 10:42 am
by Splash
I wonder if there is a way to motivate Mikrotik to assist with this, or to provide a technical reason why it can't be done?

Re: Log all console commands

Posted: Wed Apr 04, 2018 2:09 pm
by squeeze
Impressive six year thread for a feature that appears almost trivial for Mikrotik compared to direct competitors (*) and would instantly increase their popularity with businesses scaling up and larger enterprises ...

How strange to ignore such an easy win when they have already done 90% of the leg work!

(*) It is just a change replay as commands wherever commands are not directly entered via the Terminal shell. So, this has nothing to do with keyloggers whatsoever. It is also much easier for Mikrotik than other direct competitors because all their user interfaces are clearly just a subset of their Command Line Interface.

Re: Log all console commands

Posted: Fri Jul 06, 2018 11:03 am
by otorehageni
+1 need this feature

Re: Log all console commands

Posted: Mon Aug 20, 2018 6:26 pm
by Jotne
I just bump this up so it will not be forgotten by the MikroTik team.

Getting all commands logged and sent to syslog would help a lot in the case where RouterOS is compromised.
It would be easy to roll back commands that have been entered.

There have been several cases lately where routers get hacked through WinBox.
The user upgrades to new software and changes the password.
Some days later he gets hacked again, since some code was added.

So.
Please MikroTik add this function.

Re: Log all console commands

Posted: Mon Aug 20, 2018 10:24 pm
by upnort
I am planning a remote logging server that will include our Mikrotik devices. I too am interested in more verbosity and granularity with logs. :)

Re: Log all console commands

Posted: Mon Aug 20, 2018 10:37 pm
by Jotne
Look at my project here for logging.

viewtopic.php?t=137338

Getting all commands executed into Splunk would be a great +

Re: Log all console commands

Posted: Mon Aug 19, 2019 2:29 am
by AlexS
Hi

Has this been done / implemented

Re: Log all console commands

Posted: Mon Aug 19, 2019 11:04 pm
by Splash
Hi

Has this been done / implemented
Nope