Hi,

Please could we have full command logging (with sensitive information preferably hidden) of actions performed by administrators.
The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
[This is not a key logger! ]

PCI DSS Requirements
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.2 All actions taken by any individual with root or administrative privileges

+1
current logging isnot useful. especially for large installations needed.

Plus 1 - I agree, even detail blogginglogging for even one admin user would be very useful and helpful (Ie more than the current logging of “firewall rule changed “would be helpful, Best would be exact print out of rule change from X to Y ) .

+1, Would really help as we ship logs for central processing.

+1 for tacacs

The currently implemented audit logging of messages (e.g. "device changed by user") is not really useful for determining what was changed.
[This is not a key logger! ]

while i do support this, especially if it also affects entries in /system history, it has some challenges.
can i suppose all "sensitive" stuff should be also logged, but not revealed to everybody? this could still lead to leaks.
so if the "verbose" (command accounting type) command/change logging will be implemented, i would strongly advocate to not to log sensitive information (password, key, secret).

also absolute device/rule references may not be as easy as they seem for the first glimpse. universal internal IDs (as in API) could be valid between reboots, but would hardly reveal any useful reference for the operator.

and i'll say not just "administrator" but all user actions.

Possibly easiest is to send logs to some external syslog service that has a trigger script that after some change has
been made (or maybe after a couple of changes and some dead time) retrieves the /export from the device and stores
it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.

retrieves the /export from the device and stores it in a versioning system. That is useful to have anyway as a backup, and can be used to see the changes that were made.

we do this already, in 5 minute intervals if change is detected, and in 24 hour intervals regardless of there was any change or not, just to make sure, we have at least daily backups.

this however opens up another question: why /export doesn't contain all configuration elements (certificates, user passwords, ssh-keys)
i've raised this story multiple times with support, but so far there was no real progress in these field.

+1 for me as well

+1

I would add, that having access to the "undo /redo command" that Winbox (or ROS ?) holds with the last 3-5 entries
would be really helpful! This is already in the system, just need a way to make it available for user!!!

This would help not only for logging, but also being able to role back commands easily in case something don't work
and for keeping step by step trace of what changed.

+1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
tks

+1 - def need more detailed logging of admin actions, and maybe such that they can be written to the log (thus can go out over remote syslog) and so they will persist through router reboots (if the RB device supports NV memory).
tks

But we do not want things like a log of the username used in failed logins!
Because when the user made an error, this field is often the PASSWORD of the login instead of username, and it appears in the log.

+1
it's very helpful to find such a log

Well, i think that something like..

"admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
"admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"

Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain

Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes is nice to have the option

Cheers!

I'm sure you realize that rule numbers don't exist until you use print command and change if you use some additional filters with that command ... e.g. compare outputs of /ip firewall nat print and /ip firewall nat print chain=srcnat ...

So to make log lines really useful, they should contain full rule being changed (preferably the new one).

And similar considerations go with other commands.

Well, i think that something like..

"admin changed NAT Rule (5) value from src-address=x.x.x.x to src-address=x.x.x.x"
"admin changed NAT Rule (5) value from out-interface=ether1 to out-interface=ether2"

Could be insanely helpful to log, and by "5" i mean NAT rule number 5 on the chain

Of course, not only nat rules, but maybe IP address / Firewall / Routes values - i know that logging EVERYTHING might not be such a great idea, but sometimes is nice to have the option

Cheers!

That kind of implementation probably makes it more work and reduces the chance that it gets implemented.
I would suggest a more down-to-earth variant where it is just the literal commands that are logged (which unfortunately has the risks I mentioned above, passwords should probably be starred).
When you want detailed change reports you really should arrange for an automatic export of configuration into a versioning system.
E.g. I export all my configs into git and I use gitweb to make colored reports like what you have shown.

Yeah i know that going full bananas isn't the point either, but just a thought

Logging inputs are also helpful, and i know it should be easier to get it down to practice

About comparing exports with highlighted differences, i alredy have that going. It would be useful to have something like that locally on the device tho.

I would be thrilled if there was just a general notepad for admins to make notes of changes made.

RouterOS already has a comment facility for almost any configuration item (which sets it apart from many many other routers!)
plus there is the "/system note" field where you can put multi-line notices. What more do you require?

whick logging option generates 'User password was changed' kind of log?

we do this already, in 5 minute intervals if change is detected

I am curious... given the nearly nonexistent support of file contents availability in the command language, how do you detect a configuration change?

I am curious... given the nearly nonexistent support of file contents availability in the command language, how do you detect a configuration change?

parsing the syslog that arrives on the remote server helps a lot. added/removed/changed messages indicate something has happened. i also like to trigger the upload upon each boot - this might follow a 'system backup load' or a software upgrade.

the other - push like approach - can be done by monitoring the data in /system history and trigger the appropriate events if things change (new lines, undo/redo status changes)

What I'm suggesting is a "changelog" where a running log of changes can be kept over the long term. As it is, the log runs out after a couple weeks and the data in it I like to see when there is a problem. But to scroll through 10,000 lines of code to see what changes have been made over the last 2 weeks and nothing available beforehand would be very nice. As it is, we have whomever is making changes update a changelog in onedrive but it would be a lot more useful if it was just available inside the router and I can't imaging it would be that difficult to implement.

Again, read back the topic, there are ways to achieve that using scripting. Watch the log or history for events and when they occur, export the config and send it to some versioning system like git. Then you can use whatever beautiful reviewing system you like. E.g. with gitweb you can easily point at two different versions and show the diff between them in color (red=removed green=added).

I know this is an old thread, but I want to renew the audit log request.
A full detailed admin command logging can be useful not only for audit purposes, but to keep configurations in sync in multi device HA installations. The session command log of device A can be pushed to device B to make the same changes in the - for example, firewall or user db - config.

More detail is already available via the "/system history" command. However, it is not complete enough to synchronize routers with it.

This feature is now available , and active by default ,
Router OS v7.12.1

filter rule changed by winbox-3.40/tcp-msg(winbox):username@xx.xx.xx.xx (/ip firewall filter set *1 action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no log=no log-prefix=invalid_)

Yes indeed, the situation has improved a lot!
It is now possible to log at least the majority of every config change to an external system, at least for auditing purposes.
It still isn't complete enough to be able to synchronize routers (by doing the same change on a standby router) or to undo any change made, but it is a good step forward.