I am trying to make a search/alert for every time someone tries to access the configuration terminal on the cisco routers to make changes. I want to know who tries to enter conf t command and if they were successful or not, and if possible what changes are made.
I have made the below search where I am searching for either the "conf t" or the "configuration terminal" command showing up in the log. Then I want to know if it is authenticated or not and if the action is a failure or a success. After I have got that, I want to pull the user name and the time stamp. The search below is not working, so I don't know what more I should add. Any tips?
sourcetype="cisco:*" "conf t" "configure terminal" | search tag!=success tag=authentication action=failure OR message_id=605005 | bucket _time span=1h | stats count by user, _time
Thanks in advance.
Just tested this on a Cisco switch. When I issue enable to go into enable mode I get the following log messages:
Feb 5 11:21:07.529: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by mibj on vty0 (1.1.1.1)
Feb 5 11:21:07.529: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj logged command:!exec: enable
This indicates that I have successfully entered enable mode and can do configure commands.
When I issue a configure terminal I get the following log message:
Feb 5 10:30:53 loc-100-110786-sw-01.example.com 698: Feb 5 10:30:52.914: %SYS-5-CONFIG_I: Configured from console by mibj on vty0 (1.1.1.1)
So the logic is that you need to be in enable mode to be able to do configure terminal. This is the default behaviour of the device.
However, if you are in router/disable mode and attempt to do an enable but are unsuccessful, i.e. because your password is wrong, you will see the following:
Feb 5 11:27:53.630: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj logged command:!exec: enable failed
There is no way to check if configure terminal is successful, but you can check if enable is successful with this method. This requires the following configuration on your device to properly log these messages:
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
login on-failure log
login on-success log
logging userinfo
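As an added illustration of the logic in the answer above (example code, not part of the original thread or of any Splunk app), the following Python parses the three message types quoted there and classifies each line as a successful enable, a failed enable, entry into configuration mode, or a logged configuration command, then counts events per user. The sample lines are constructed from the quoted messages; the final "interface" line is an assumed example of a config-mode command recorded by archive / log config, with its field layout taken from the quoted "!exec: enable" line. Field names (kind, user, src, detail) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log, modelled on the messages quoted in the answer above.
# The hostname/sequence prefix on the CONFIG_I line mirrors the quoted format.
# The last line is an ASSUMED example of a config-mode command as logged by
# "archive / log config"; it is not taken from the original post.
SAMPLE_LOG = """\
Feb 5 11:21:07.529: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by mibj on vty0 (1.1.1.1)
Feb 5 11:21:07.529: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj logged command:!exec: enable
Feb 5 10:30:53 loc-100-110786-sw-01.example.com 698: Feb 5 10:30:52.914: %SYS-5-CONFIG_I: Configured from console by mibj on vty0 (1.1.1.1)
Feb 5 11:27:53.630: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj logged command:!exec: enable failed
Feb 5 11:28:10.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj logged command:interface Gi1/0/1
"""

# %FACILITY-SEVERITY-MNEMONIC: text   (searched, so any syslog prefix is tolerated)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
PRIV_RE = re.compile(r"Privilege level set to (?P<level>\d+) by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")
CONFIG_RE = re.compile(r"Configured from (?P<via>\S+) by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+) logged command:(?P<cmd>.*)$")
# "enable" or "enable <level>", optionally followed by " failed"
ENABLE_RE = re.compile(r"enable(?: \d+)?(?P<failed> failed)?$")


@dataclass
class Event:
    kind: str            # priv_level_set | enable_success | enable_failed |
                         # config_mode_entered | exec_command | config_command
    user: str
    src: Optional[str]   # source address when the message carries one
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Classify one Cisco syslog line; return None for messages we do not track."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mnemonic, text = m["mnemonic"], m["text"]

    if mnemonic == "PRIV_AUTH_PASS":
        p = PRIV_RE.search(text)
        if p:
            return Event("priv_level_set", p["user"], p["src"], f"level {p['level']} on {p['line']}")

    elif mnemonic == "CONFIG_I":
        c = CONFIG_RE.search(text)
        if c:
            return Event("config_mode_entered", c["user"], c["src"], f"from {c['via']} on {c['line']}")

    elif mnemonic == "CFGLOG_LOGGEDCMD":
        c = CFGLOG_RE.search(text)
        if c:
            cmd = c["cmd"].strip()
            if cmd.startswith("!exec:"):
                # exec-mode command; "enable" may carry a trailing " failed"
                exec_cmd = cmd[len("!exec:"):].strip()
                e = ENABLE_RE.fullmatch(exec_cmd)
                if e:
                    kind = "enable_failed" if e["failed"] else "enable_success"
                    return Event(kind, c["user"], None, exec_cmd)
                return Event("exec_command", c["user"], None, exec_cmd)
            # anything else is a command typed inside configuration mode
            return Event("config_command", c["user"], None, cmd)

    return None


def classify(lines: Iterable[str]) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def summarize(events: Iterable[Event]) -> Dict[Tuple[str, str], int]:
    """Count events per (user, kind), the same shape as 'stats count by user, kind'."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev in events:
        key = (ev.user, ev.kind)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = classify(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(f"{ev.kind:20} user={ev.user:6} src={ev.src or '-':10} {ev.detail}")
    for (user, kind), n in sorted(summarize(evs).items()):
        print(f"{user:8} {kind:20} {n}")
```

Per-user counts of enable_failed against enable_success give the "who tried and did they succeed" view the question asks for; config_command events only exist once logging enable is set under archive / log config, so they are what answers the "what changed" part as far as the device itself records it. Note that none of the quoted messages carries an authentication tag or an action field, which is why matching on the message mnemonic is the reliable hook.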
Thanks, the example logs help a lot. 🙂
You're welcome. Accepting the answer or upvoting it is the best way to thank me 🙂
Oh, and I believe the search you used should be changed to the following if you want to pursue this by not relying on other apps:
sourcetype="cisco:*" "conf t" OR "configure terminal" | search tag!=success tag=authentication action=failure OR message_id=605005 | bucket _time span=1h | stats count by user, _time
Notice the OR I added. AND is implicit, but OR must be specified, since I believe you want to search for either "conf t" OR "configure terminal", not an event containing both strings 🙂
Yeah, I also tried that; it still doesn't output anything. I'm not sure if the logic or the query is wrong.
Have you seen the Cisco Networks app and Cisco Networks add-on? There are several dashboards there that you can use as a basis for this kind of report. They're available at apps.splunk.com. See "Auditing - Configuration change transactions" in the app for an example 🙂