Skip navigation
Cisco Learning Home > Certifications > Routing & Switching (CCNP) > Discussions


10451 Views 4 Replies Latest reply: Apr 19, 2010 5:55 PM by Gods Son RSS

Currently Being Moderated

how do you monitor user login history in a router/switch

Apr 19, 2010 11:33 AM

Gods Son 21 posts since
Nov 21, 2008

Is there a way to monitor who logs into a local router? I know

show users and show line both give you similar detail however it does not show you the previous history of who logged in to the router. It just shows the currently logged in uses and how many times the line has been logged into.


How can I check the history – say time a user last logged into the router and who the user is? Thanks

  • CCBOOTCAMP - CCIE 228 posts since
    Sep 11, 2008

    Have you considered using a TACACS server? That would give you the information you're looking for.


    Brad Ellis


  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009


    Good day-


    We could use Embedded Event Manager for this locally on the router.  This will keep in its log file, everyone who goes into privileged mode, what IP address they came in from, their username (if they authenticated with a username), and the time they went into privileged mode.


    I labbed up a full example for you.   No external devices required.  Just the local router.  There are several options for this, so feel free to modify them to your liking.  Also make sure that the IOS in use supports EEM.


    The  documentation roadmap for EEM is here:



    I used the following gear:


    R5#show ver

    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T



    Using the EEM applet below, whenever anyone types in enable, it adds a syslog message including the user name, their IP address, and the time.  You may want to include requiring authentication on the console, if you want to force users to submit a username when connecting.



    I cleared the log, then configured as follows:


    clear log


    conf t

    logging buffered 7

    username bob password cisco


    event manager applet test2

    event cli pattern "enable" sync no skip no

    action 1 cli command "enable"

    action 2 cli command "show clock"

    action 3 syslog msg "$_cli_result"

    action 4 cli command "who"

    action 5 syslog msg "$_cli_result"


    line vty 0 4

    login local








    Trying ... Open



    User Access Verification


    Username: bob

    Password: cisco


    Password: cisco (configured earlier as the enable secret)

    R5#show log

    Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,

                    0 flushes, 0 overruns, xml disabled, filtering disabled)


    <snip the boring stuff>


    %HA_EM-6-LOG: test2:

    17:31:23.850 UTC Mon Apr 19 2010


    %HA_EM-6-LOG: test2:

        Line       User       Host(s)              Idle       Location

       0 con 0                  00:00:00

    194 vty 0     bob        idle                 00:00:00

    *195 vty 1                idle                 00:00:00 EEM:test2


      Interface    User               Mode         Idle     Peer Address


    <this is the end of the syslog>


    Cool isn't it?


    For some tutorials on EEM, you may go here:




    Best wishes,




More Like This

  • Retrieving data ...

Bookmarked By (0)