Alerting

How to set up an alert every time someone tries to access the configuration terminal on cisco routers to make changes?

majidlodhi
Explorer

I am trying to make a search/alert for every time someone tries to access the configuration terminal on the cisco routers to make changes. I want to know who tries to enter the conf t command and if they were successful or not, and if possible what changes are made.

I have made the below search where I am searching for either the "conf t" or the "configuration terminal" command showing up in the log. Then I want to know if it is authenticated or not and if the action is failure or successful. After I have got that I want to pull the user name and the time stamp. The search below is not working, so I don't know what more I should add. Any tips?

sourcetype="cisco:*" "conf t" "configure terminal" | search tag!=success tag=authentication action=failure OR message_id=605005 | bucket _time span=1h | stats count by user, _time

Thanks in advance.


mikaelbje
Motivator

Just tested this on a Cisco switch. When I issue enable to go into enable mode I get the following log messages:

Feb  5 11:21:07.529: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by mibj on vty0 (1.1.1.1)
Feb  5 11:21:07.529: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj  logged command:!exec: enable

This indicates that I have successfully entered enable mode and can do configure commands.

When I issue a configure terminal I get the following log message:

Feb  5 10:30:53 loc-100-110786-sw-01.example.com 698: Feb  5 10:30:52.914: %SYS-5-CONFIG_I: Configured from console by mibj on vty0 (1.1.1.1)

So the logic is that you need to be in enable mode to be able to do configure terminal. This is the default behaviour of the device.

However, if you are in router/disable mode and attempt to do an enable but are unsuccessful, i.e. because your password is wrong, you will see the following:

Feb  5 11:27:53.630: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj  logged command:!exec: enable failed

There is no way to check if configure terminal is successful, but you can check if enable is successful with this method. This constitutes the following configuration on your device to properly log these messages:

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
login on-failure log
login on-success log
logging userinfo

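An added example, not from the thread or from any Splunk app, that applies the same logic outside SPL: a small Python classifier that parses the four message types quoted above (PRIV_AUTH_PASS, CFGLOG_LOGGEDCMD with and without "failed", and CONFIG_I) and counts enable successes, enable failures and config-mode entries per user. The sample lines are constructed from the formats shown in the answer; the hostname, the user alice and her command are made up.

```python
import re

# Constructed sample events modelled on the message formats quoted in the answer.
SAMPLE_LOGS = [
    "Feb  5 11:21:07.529: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by mibj on vty0 (1.1.1.1)",
    "Feb  5 11:21:07.529: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj  logged command:!exec: enable",
    "Feb  5 10:30:53 sw-01.example.com 698: Feb  5 10:30:52.914: %SYS-5-CONFIG_I: Configured from console by mibj on vty0 (1.1.1.1)",
    "Feb  5 11:27:53.630: %PARSER-5-CFGLOG_LOGGEDCMD: User:mibj  logged command:!exec: enable failed",
    "Feb  5 11:28:01.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1",
]

# One pattern per message type; search() tolerates any syslog/hostname prefix before the mnemonic.
PRIV = re.compile(r"%SYS-5-PRIV_AUTH_PASS: Privilege level set to (\d+) by (\S+) on (\S+) \(([\d.]+)\)")
CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from (\w+) by (\S+) on (\S+) \(([\d.]+)\)")
CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")


def classify(line):
    """Return (event_type, user, detail) for a recognised message, or None for anything else."""
    m = PRIV.search(line)
    if m:
        return ("enable_success", m.group(2), f"level {m.group(1)} from {m.group(4)}")
    m = CONFIG.search(line)
    if m:
        return ("config_mode_entered", m.group(2), f"from {m.group(1)} {m.group(3)} {m.group(4)}")
    m = CMD.search(line)
    if m:
        cmd = m.group(2).strip()
        if cmd == "!exec: enable failed":          # the failure case the answer shows
            return ("enable_failed", m.group(1), cmd)
        if cmd.startswith("!exec:"):               # other exec-mode commands (e.g. the enable itself)
            return ("exec_command", m.group(1), cmd)
        return ("config_command", m.group(1), cmd)  # an actual change made in config mode
    return None


def summarize(lines):
    """Count events per (user, event_type), the equivalent of 'stats count by user, action'."""
    counts = {}
    for line in lines:
        ev = classify(line)
        if ev:
            key = (ev[1], ev[0])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (user, action), n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{user:8} {action:20} {n}")
```

An alert on `enable_failed` counts above a threshold per user, or on any `config_command` from an unexpected user, is the usual next step once the device sends these messages.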
majidlodhi
Explorer

Thanks, the example logs help a lot. 🙂

mikaelbje
Motivator

You're welcome. Accepting the answer or upvoting it is the best way to thank me 🙂

mikaelbje
Motivator

Oh, and I believe the search you used should be changed to the following if you want to pursue this by not relying on other apps:

sourcetype="cisco:*" "conf t" OR "configure terminal" | search tag!=success tag=authentication action=failure OR message_id=605005 | bucket _time span=1h | stats count by user, _time

Notice the OR I added. AND is implicit but OR must be specified since I believe you either want to search for "conf t" OR "configure terminal", not an event containing both strings 🙂


majidlodhi
Explorer

Yeah, I also tried that; it still doesn't output anything. I'm not sure if the logic or query is wrong.


mikaelbje
Motivator

Have you seen the Cisco Networks app and Cisco Networks add-on? There are several dashboards there that you can use as a basis for this kind of report. They're available at apps.splunk.com. See "Auditing - Configuration change transactions" in the app to get an example 🙂