Is there a way to monitor who logs into a local router? I know show users and show line both give you similar detail; however, they do not show you the previous history of who logged in to the router. They just show the currently logged-in users and how many times the line has been logged into.
How can I check the history – say, the time a user last logged into the router and who the user is? Thanks
Agreed, but it's just a small lab router. So I was considering something that can be implemented on a local router.
We could use Embedded Event Manager for this locally on the router. This will keep in its log file, everyone who goes into privileged mode, what IP address they came in from, their username (if they authenticated with a username), and the time they went into privileged mode.
I labbed up a full example for you. No external devices required. Just the local router. There are several options for this, so feel free to modify them to your liking. Also make sure that the IOS in use supports EEM.
The documentation roadmap for EEM is here: http://www.cisco.com/en/US/partner/docs/ios/netmgmt/configuration/guide/netmgmt_eem_roadmap.html
I used the following gear:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T
Using the EEM applet below, whenever anyone types in enable, it adds a syslog message including the user name, their IP address, and the time. You may want to include requiring authentication on the console, if you want to force users to submit a username when connecting.
I cleared the log, then configured as follows:
logging buffered 7
username bob password cisco
event manager applet test2
 event cli pattern "enable" sync no skip no
 action 1 cli command "enable"
 action 2 cli command "show clock"
 action 3 syslog msg "$_cli_result"
 action 4 cli command "who"
 action 5 syslog msg "$_cli_result"
line vty 0 4
Trying 188.8.131.52 ... Open
User Access Verification
Password: cisco (configured earlier as the enable secret)
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
<snip the boring stuff>
17:31:23.850 UTC Mon Apr 19 2010
    Line       User       Host(s)              Idle       Location
   0 con 0                184.108.40.206       00:00:00
 194 vty 0     bob        idle                 00:00:00 220.127.116.11
*195 vty 1                idle                 00:00:00 EEM:test2

  Interface    User               Mode         Idle     Peer Address
<this is the end of the syslog>
Cool isn't it?
For some tutorials on EEM, you may go here:
Much appreciated Keith. Will try this out
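An added example, not part of the thread or of the configuration posted above: a Python parser that turns the applet's logged `show clock` and `who` output into one record per session, so the buffered log can be read as a history. The sample text is constructed in the shape of the output shown above, with documentation-range addresses; the function name and the fixed-width column layout are assumptions.

```python
import re

# Constructed sample shaped like the applet's two syslog messages
# ("show clock" then "who"); addresses are documentation-range placeholders.
_ROW = "{:<15}{:<11}{:<21}{}".format
SAMPLE = "\n".join([
    "17:31:23.850 UTC Mon Apr 19 2010",
    _ROW("    Line", "User", "Host(s)", "Idle       Location"),
    _ROW("   0 con 0", "", "192.0.2.1", "00:00:00"),
    _ROW(" 194 vty 0", "bob", "idle", "00:00:00 192.0.2.10"),
    _ROW("*195 vty 1", "", "idle", "00:00:00 EEM:test2"),
    "",
    "  Interface    User               Mode         Idle     Peer Address",
])

CLOCK = re.compile(r"^[*.]?(\d{2}:\d{2}:\d{2}\.\d+ \S+ \w{3} \w{3} +\d+ \d{4})\s*$")

def parse_enable_events(text):
    """Return one dict per session listed in the "who" table after each clock line."""
    events, stamp, cols = [], None, None
    for raw in text.splitlines():
        m = CLOCK.match(raw.strip())
        if m:                               # "show clock" output: new event
            stamp, cols = m.group(1), None
            continue
        if "Line" in raw and "Host(s)" in raw:
            # Assumption: fixed-width table, so take offsets from the header.
            cols = [raw.index(h) for h in ("User", "Host(s)", "Idle")]
            continue
        if cols is None:
            continue
        if not raw.strip() or raw.lstrip().startswith("Interface"):
            cols = None                     # end of the "who" table
            continue
        u, h, i = cols
        tail = raw[i:].split()              # idle time, then optional location
        location = tail[1] if len(tail) > 1 else ""
        if location.startswith("EEM:"):
            continue                        # the applet's own vty, not a person
        events.append({
            "time": stamp,
            "line": raw[:u].strip(" *"),
            "user": raw[u:h].strip() or "(none)",
            "host": raw[h:i].strip(),
            "location": location,
        })
    return events
```

Each record is a session that was present when `enable` was typed, not proof of which session typed it: the `*` in the `who` output marks the applet's own vty, which the parser drops.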