Capturing User Keystrokes
Problem
You want to capture and timestamp all keystrokes typed into a router and associate them with a particular user.
Solution
The AAA Accounting feature allows you to capture keystrokes and log them on the TACACS+ server:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa accounting commands 1 default stop-only group tacacs+
Router1(config)#aaa accounting commands 15 default stop-only group tacacs+
Router1(config)#end
Router1#
Discussion
The ability to capture every keystroke entered into a router is a powerful and extremely useful security and quality assurance feature. For instance, keystroke logging provides the ability to perform network forensic reconstruction of events. TACACS+ provides the ability to capture all keystrokes typed into your routers and log them for future reference. The TACACS+ log contains the command that was typed along with useful information, such as time and date, router name, username, originating IP address, and privilege level. Here is an example of a TACACS+ accounting record:
Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=512 start_time=1041610127 timezone=EST service=shell priv-lvl=15 cmd=configure terminal <cr>
In this log entry, we can see that user ijbrown submitted the command configure terminal on router toronto at 11:08 on January 3, 2003. It also shows that this user accessed the router from IP address ...
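Records in this layout can be parsed mechanically to build a per-user command trail for forensic review. The Python code below is an added example, not part of the original recipe; it assumes the whitespace-separated layout of the record shown above and that cmd is the last attribute, and every sample record after the first is constructed (the user examplenoc and the address 192.0.2.10 are invented).

```python
import re
from datetime import datetime

# Assumed layout: 5-token timestamp, router, user, line, source, type, attrs.
HEADER = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<router>\S+)\s+(?P<user>\S+)\s+(?P<line>\S+)\s+"
    r"(?P<source>\S+)\s+(?P<type>\S+)\s+(?P<attrs>.*)$"
)

# First record is the one from the text; the others are constructed samples.
SAMPLE = [
    "Fri Jan 3 11:08:47 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=512 start_time=1041610127 timezone=EST service=shell priv-lvl=15 cmd=configure terminal <cr>",
    "Fri Jan 3 11:09:02 2003 toronto ijbrown tty66 172.25.1.1 stop task_id=513 start_time=1041610142 timezone=EST service=shell priv-lvl=15 cmd=interface Serial0/0 <cr>",
    "Fri Jan 3 11:10:15 2003 toronto examplenoc tty67 192.0.2.10 stop task_id=514 start_time=1041610215 timezone=EST service=shell priv-lvl=1 cmd=show ip route <cr>",
    "not an accounting record",
]

def parse_record(text):
    """Return a dict for one accounting record, or None if it does not match."""
    m = HEADER.match(text.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The cmd value contains spaces, so everything after "cmd=" is the command.
    parts = re.split(r"(?:^|\s)cmd=", rec.pop("attrs"), maxsplit=1)
    for pair in parts[0].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["cmd"] = parts[1].replace("<cr>", "").strip() if len(parts) == 2 else None
    stamp = " ".join(rec.pop("ts").split())  # collapse padded day-of-month
    rec["when"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return rec

def commands_by_user(lines):
    """Group commands by username in time order, skipping unparseable lines."""
    trail = {}
    for rec in filter(None, map(parse_record, lines)):
        if rec["cmd"]:
            entry = (rec["when"], rec["router"], rec["source"],
                     int(rec.get("priv-lvl", 0)), rec["cmd"])
            trail.setdefault(rec["user"], []).append(entry)
    for entries in trail.values():
        entries.sort()
    return trail

if __name__ == "__main__":
    for user, entries in commands_by_user(SAMPLE).items():
        for when, router, source, priv, cmd in entries:
            print(f"{when:%Y-%m-%d %H:%M:%S} {user}@{source} {router} priv={priv} {cmd}")
```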