Syslog configuration

May 22nd, 2007

Hello,

I have a 2620XM router configured as a dial-in router. There has been debate on how much this system is being used and I want to configure syslog capturing to see which users are logging in, at what time and for how long.

My current config for this looks like this:

logging count

logging buffered 4096 informational

logging 192.168.10.3

Will this allow me to capture what I need?

Richard Burts Tue, 05/22/2007 - 06:44

Chris

There are several aspects of your question that are not quite clear to me. When you say that you want syslog capturing I am not clear whether you will login to the router periodically and do the show log command to check the syslog? If this is the case then I believe that 4096 is probably too small a value. If it is not the case that you will check on the router itself, then configuration of the logging buffer size and changing the logging level from debugging to informational does not matter for this question.

Or will you be checking on a syslog server (assuming that 192.168.10.3 is running syslog server software and is properly configured for syslog)? It will be receiving informational level syslog messages.

It is also not clear what you are looking at in syslog to give you information about the user logins, at what time, and for how long. If you can give us information about this we may be able to give you better answers about whether your syslog configuration is appropriate.

HTH

Rick

c.trenholm Tue, 05/22/2007 - 06:56

Thanks Rick.

I will be using a syslog server.

What I want to capture, if possible, is the usernames and logon/logoff times/dates.

Chris

sachinraja Tue, 05/22/2007 - 06:55

hello trenholm

Syslog is more useful for troubleshooting network issues and to log any system error messages, like duplicate IPs, interface up/down, power supply down etc... You need to use this correctly and only for some useful info, otherwise this will fill in a lot of memory on the server/router etc..

What you are referring to is the accounting information, which syslog cannot give. Syslog can give info on who has logged in and success/failure logins, but will not tell you when the user has logged out and is not a good tool for accounting. You need to have a good RADIUS server like ACS which can do this !!!! Try using the following commands:

logging trap debugging

logging x.x.x.x

login on-failure log

login on-success log

This can give you some basic info, but not detailed accounting logs.. You can also try applying an access-list on the RAS port and do a log on it and see if you are getting any useful info :)

Hope this helps.. all the best.. rate replies if found useful..

Raj
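
What the `login on-success log` / `login on-failure log` messages suggested in the reply above can and cannot tell you once they reach the syslog server, as an added example that is not part of the original thread: a Python script that groups login times per user from collector lines. The sample lines, the router address 192.168.10.1, the user names and the `SEC_LOGIN` message layout are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of what the syslog server might store. The router
# address, user names and SEC_LOGIN message layout are assumptions.
SAMPLE = """\
May 22 09:14:02 192.168.10.1 45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.1.20] [localport: 23] at 09:14:02 UTC Tue May 22 2007
May 22 09:15:40 192.168.10.1 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.1.1.21] [localport: 23] [Reason: Login Authentication Failed] at 09:15:40 UTC Tue May 22 2007
May 22 09:16:05 192.168.10.1 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.1.1.21] [localport: 23] [Reason: Login Authentication Failed] at 09:16:05 UTC Tue May 22 2007
May 22 09:20:11 192.168.10.1 48: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
May 22 13:02:37 192.168.10.1 49: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.1.1.20] [localport: 23] at 13:02:37 UTC Tue May 22 2007
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]*)\]"
    r".*? at (?P<when>.+)$"
)


def parse_logins(text):
    """Return one dict per login message; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Group login times by user and result. There is no logout message to
    pair with a success, so session length cannot be derived here."""
    report = defaultdict(lambda: {"SUCCESS": [], "FAILED": []})
    for ev in events:
        report[ev["user"]][ev["result"]].append(ev["when"])
    return dict(report)


if __name__ == "__main__":
    for user, results in sorted(summarize(parse_logins(SAMPLE)).items()):
        print(user, "ok:", results["SUCCESS"], "failed:", len(results["FAILED"]))
```
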
