TACACS+ is the preferred method to log CLI commands at any enable level whether performing show command or making config changes. See AAA and TACACS commands for more information. There’s open source software if you don’t have or can’t afford Cisco ACS or similar products that can do TACACS and RADIUS.
But for a really cool and rarely used feature, you could have the switch itself run a config diff(erence) on the running-config and startup-config and email the changes or deltas to you! Code snippet here.
Here’s how I have 4510R switches configured to email config changes automatically. This uses the Cisco IOS® Embedded Event Manager (EEM) to do the work.
First, some common settings for the mail-server, from, and to addresses.
event manager environment _email_server 192.0.2.1
event manager environment _email_from email@example.com
event manager environment _email_to firstname.lastname@example.org
Then, the actual applet to do the diff. This is fairly self-explanatory. After exiting config, a log event is generated and the event manager applet is triggered. Action 1.2 is the most interesting as it provides the command to show the diff.
event manager applet config_diff_email authorization bypass
event syslog pattern “.*%SYS-5-CONFIG.*”
action 1.0 info type routername
action 1.1 cli command “enable”
action 1.2 cli command “show archive config diff nvram:/startup-config system:/running-config”
action 1.3 mail server “$_email_server” to “$_email_to” from “$_email_from” subject “Config Change Alert ($_info_routername)” body “$_cli_result”
action 1.4 syslog msg “Config Change Alert emailed”
Note that even going into config and not making changes still triggers the diff email. And another downside with this is a CPU spike that happens for about 10 seconds while it runs, but this shouldn’t impact the forwarding path.
Code snippet here.