You want to capture and timestamp all keystrokes typed into a router and associate them with a particular user.
The AAA Accounting feature allows you to capture keystrokes and log them on the TACACS+ server:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#aaa new-model Router1(config)#aaa accounting commands 1 default stop-only group tacacs+ Router1(config)#aaa accounting commands 15 default stop-only group tacacs+ Router1(config)#end Router1#
The ability to capture every keystroke entered into a router is a powerful security and quality assurance feature that that is extremely useful. For instance, keystroke logging provides the ability to perform network forensic reconstruction of events. TACACS+ provides the ability to capture all keystrokes typed into your routers and log them for future reference. The TACACS+ log contains the command that was typed along with useful information, such as time and date, router name, username, originating IP address, and privilege level. Here is an example of a TACACS+ accounting record:
Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=512 start_time=1041610127 timezone=EST service=shell priv-lvl=15 cmd=configure terminal
In this log entry, we can see that user ijbrown submitted the command configure terminal on router toronto at 11:08 on January 3, 2003. It also shows that this user accessed the router from IP address 172.25.1.1 using tty66.
To save disk space on your TACACS+ server, you may decide to log only level 15-based commands, which is done with this command:
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Level 1 commands are generally relatively benign and pose little real threat to the security or health of the router. So logging them is less important than for level 15 commands. But we generally recommend logging all commands, if you're logging commands at all, because the level 1 commands might show useful patterns of information. Of course, you can log the commands issued at any user level by adding more aaa accounting lines and specifying the appropriate user level.
Recipe 4.6; Recipe 4.8