Community discussions

MikroTik App
 
petern
newbie
Topic Author
Posts: 26
Joined: Wed Dec 13, 2017 5:58 pm

Feature Request: Logging of all administrator user actions

Tue Feb 20, 2018 6:11 pm

Hi,

Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators.
The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
[This is not a key logger! ;-)]

PCI DSS Requirements
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.2 All actions taken by any individual with root or administrative privileges
 
nimbo78
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature Request: Logging of all administrator user actions

Fri Feb 23, 2018 9:06 am

+1
current logging isnot useful. especially for large installations needed.
 
jo2jo
Forum Guru
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Feature Request: Logging of all administrator user actions

Sun Apr 01, 2018 7:07 am

Plus 1 - I agree, even detail blogginglogging for even one admin user would be very useful and helpful (Ie more than the current logging of “firewall rule changed “would be helpful, Best would be exact print out of rule change from X to Y ) .
 
artie11
Frequent Visitor
Frequent Visitor
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: Feature Request: Logging of all administrator user actions

Sat Apr 14, 2018 3:58 am

+1, Would really help as we ship logs for central processing.
 
dcosgrove
just joined
Posts: 9
Joined: Fri Nov 16, 2012 7:05 am

Re: Feature Request: Logging of all administrator user actions

Sat Apr 14, 2018 6:12 am

+1 for tacacs
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:20 pm

The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
[This is not a key logger! ;-)]
while i do support this, especially if it also affects entries in /system history, it has some challenges.
can i suppose all "sensitive" stuff should be also logged, but not revealed to everybody? this could still lead to leaks.
so if the "verbose" (command accounting type) command/change logging will be implemented, i would strongly advocate to not to log sensitive information (password, key, secret).

also absolute device/rule references may not be as easy as they seem for the first glimpse. universal internal IDs (as in API) could be valid between reboots, but would hardly reveal any useful reference for the operator.
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:21 pm

and i'll say not just "administrator" but all user actions.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 3:33 pm

Possibly easiest is to send logs to some external syslog service that has a trigger script that after some change has
been made (or maybe after a couple of changes and some dead time) retrieves the /export from the device and stores
it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Sun Apr 15, 2018 6:28 pm

retrieves the /export from the device and stores it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.
we do this already, in 5 minute intervals if change is detected, and in 24 hour intervals regardless of there was any change or not, just to make sure, we have at least daily backups.

this however opens up another question: why /export doesn't contain all configuration elements (certificates, user passwords, ssh-keys)
i've raised this story multiple times with support, but so far there was no real progress in these field.
 
ThatMorneGuy
just joined
Posts: 4
Joined: Tue May 08, 2018 1:40 pm

Re: Feature Request: Logging of all administrator user actions

Fri Mar 15, 2019 1:48 pm

+1 for me as well
 
WeWiNet
Long time Member
Long time Member
Posts: 591
Joined: Thu Sep 27, 2018 4:11 pm

Re: Feature Request: Logging of all administrator user actions

Fri Mar 15, 2019 5:24 pm

+1

I would add, that having access to the "undo /redo command" that Winbox (or ROS ?) holds with the last 3-5 entries
would be really helpful! This is already in the system, just need a way to make it available for user!!!

This would help not only for logging, but also being able to role back commands easily in case something don't work
and for keeping step by step trace of what changed.
 
jo2jo
Forum Guru
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Feature Request: Logging of all administrator user actions

Sun May 26, 2019 11:43 pm

+1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
tks
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Mon May 27, 2019 2:53 pm

+1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
tks
But we do not want things like a log of the username used in failed logins!
Because when the user made an error, this field is often the PASSWORD of the login instead of username, and it appears in the log.
 
3liswaid
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria
Contact:

Re: Feature Request: Logging of all administrator user actions

Mon May 27, 2019 4:19 pm

+1
it's very helpful to find such a log
 
User avatar
CArdiles
just joined
Posts: 10
Joined: Fri Apr 07, 2017 11:00 pm
Location: Argentina

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 2:50 pm

Well, i think that something like..

"admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
"admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"

Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain

Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes is nice to have the option

Cheers!
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 3:54 pm

I'm sure you realize that rule numbers don't exist until you use print command and change if you use some additional filters with that command ... e.g. compare outputs of /ip firewall nat print and /ip firewall nat print chain=srcnat ...

So to make log lines really useful, they should contain full rule being changed (preferably the new one).

And similar considerations go with other commands.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 5:07 pm

Well, i think that something like..

"admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
"admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"

Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain

Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes is nice to have the option

Cheers!
That kind of implementation probably makes it more work and reduces the chance that it gets implemented.
I would suggest a more down-to-earth variant where it is just the literal commands that are logged (which unfortunately has the risks I mentioned above, passwords should probably be starred).
When you want detailed change reports you really should arrange for an automatic export of configuration into a versioning system.
E.g. I export all my configs into git and I use gitweb to make colored reports like what you have shown.
 
User avatar
CArdiles
just joined
Posts: 10
Joined: Fri Apr 07, 2017 11:00 pm
Location: Argentina

Re: Feature Request: Logging of all administrator user actions

Wed May 29, 2019 7:15 pm

Yeah i know that going full bananas isn't the point either, but just a thought

Logging inputs are also helpful, and i know it should be easier to get it down to practice

About comparing exports with highlighted differences, i alredy have that going. It would be useful to have something like that locally on the device tho.
Last edited by CArdiles on Wed May 29, 2019 7:17 pm, edited 2 times in total.
 
sleerf
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Tue Sep 13, 2016 9:12 am

Re: Feature Request: Logging of all administrator user actions

Mon Sep 30, 2019 9:00 am

I would be thrilled if there was just a general notepad for admins to make notes of changes made.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Mon Sep 30, 2019 11:58 am

RouterOS already has a comment facility for almost any configuration item (which sets it apart from many many other routers!)
plus there is the "/system note" field where you can put multi-line notices. What more do you require?
 
ozairakhlaq
just joined
Posts: 24
Joined: Fri Mar 16, 2018 11:34 am

Re: Feature Request: Logging of all administrator user actions

Wed Mar 11, 2020 12:42 pm

whick logging option generates 'User password was changed' kind of log?
 
User avatar
macsrwe
Forum Guru
Forum Guru
Posts: 1007
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: Feature Request: Logging of all administrator user actions

Mon Mar 16, 2020 9:49 pm

we do this already, in 5 minute intervals if change is detected

I am curious... given the nearly nonexistent support of file contents availability in the command language, how do you detect a configuration change?
 
User avatar
doneware
Trainer
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature Request: Logging of all administrator user actions

Mon Mar 16, 2020 10:58 pm

I am curious... given the nearly nonexistent support of file contents availability in the command language, how do you detect a configuration change?
parsing the syslog that arrives on the remote server helps a lot. added/removed/changed messages indicate something has happened. i also like to trigger the upload upon each boot - this might follow a 'system backup load' or a software upgrade.

the other - push like approach - can be done by monitoring the data in /system history and trigger the appropriate events if things change (new lines, undo/redo status changes)
 
sleerf
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Tue Sep 13, 2016 9:12 am

Re: Feature Request: Logging of all administrator user actions

Tue Apr 06, 2021 9:10 am

What I'm suggesting is a "changelog" where a running log of changes can be kept over the long term. As it is, the log runs out after a couple weeks and the data in it I like to see when there is a problem. But to scroll through 10,000 lines of code to see what changes have been made over the last 2 weeks and nothing available beforehand would be very nice. As it is, we have whomever is making changes update a changelog in onedrive but it would be a lot more useful if it was just available inside the router and I can't imaging it would be that difficult to implement.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Tue Apr 06, 2021 11:42 am

Again, read back the topic, there are ways to achieve that using scripting. Watch the log or history for events and when they occur, export the config and send it to some versioning system like git. Then you can use whatever beautiful reviewing system you like. E.g. with gitweb you can easily point at two different versions and show the diff between them in color (red=removed green=added).
 
junior013
just joined
Posts: 4
Joined: Thu Jun 08, 2017 10:42 am

Re: Feature Request: Logging of all administrator user actions

Wed Nov 16, 2022 3:55 pm

I know this is an old thread, but I want to renew the audit log request.
A full detailed admin command logging can be useful not only for audit purposes, but to keep configurations in sync in multi device HA installations. The session command log of device A can be pushed to device B to make the same changes in the - for example, firewall or user db - config.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Wed Nov 16, 2022 5:02 pm

More detail is already available via the "/system history" command. However, it is not complete enough to synchronize routers with it.
 
raheelfida
just joined
Posts: 1
Joined: Thu Nov 30, 2023 7:10 am

Re: Feature Request: Logging of all administrator user actions

Thu Nov 30, 2023 7:12 am

This feature is now available , and active by default ,
Router OS v7.12.1
filter rule changed by winbox-3.40/tcp-msg(winbox):username@xx.xx.xx.xx (/ip firewall filter set *1 action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no log=no log-prefix=invalid_)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Logging of all administrator user actions

Thu Nov 30, 2023 11:16 am

Yes indeed, the situation has improved a lot!
It is now possible to log at least the majority of every config change to an external system, at least for auditing purposes.
It still isn't complete enough to be able to synchronize routers (by doing the same change on a standby router) or to undo any change made, but it is a good step forward.

Who is online

Users browsing this forum: baragoon, FranMercedesG, GoogleOther [Bot], Knapek, korg, Soleous75 and 74 guests