Authentication message send to syslog

Marc.Halleux
Level 1

Hi,

We configured TACACS on our switches and we would now like to send authentication-related messages to our syslog (e.g. authentication successful, unsuccessful, etc.).

Is there a way to have this sent to the syslog? I tested by putting the logging trap to debug, but even in that case, I did not get anything about the authentication in the syslog.

Thank you for your help,

Marc.

6 Replies

Marc.Halleux
Level 1

Can somebody help me, please?

Marc.

We've had the failed attempts log file e-mailed to us from a local smtp mailer to keep tabs on the same thing. You could have passed attempts sent as well.

Joe Clarke
Cisco Employee

This is not possible for IOS devices, but you should have an audit trail on your TACACS+ server that lists when users logged in and out.

Thank you for the answer. We do indeed have all the logs in our ACS servers, but we currently receive all authentication failures in central syslog servers (from servers, from firewalls, ...), and those syslog entries are monitored to identify and alert on multiple authentication failures.

That type of alerting is, to my knowledge, not possible in the Cisco Secure ACS.

That was the reason for my question.

Anyway, thank you for your answer.

Why yes it IS available via CiscoSecure ACS, you just need a current version to do so. I know that v4.1.1b23 has it as well as the latest and greatest version 4.1.3b12 patch 2.

Under System Configuration, Logging Configuration, you have the ability to send any of the log files to syslog servers on any specified port (very handy for syslogNG implementations).

Marc and Andy

It has been the traditional answer that you could not do this directly from IOS to syslog and if you wanted it you had to go through ACS to get notification of login failure (or success). In release 12.3(4)T and 12.4 Cisco introduced a new feature where you can send directly to syslog for login success or for login failure. You can use this command:

login on-failure log [every login]

and there is also a command to log successes.

For more information about this feature this link would be useful:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b93.html

HTH

Rick
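An added example, not part of the thread: once the switches log login failures to the central syslog server as described above, the monitoring Marc mentions (alerting on multiple authentication failures) can be done by counting failures per source address in a sliding window. The sample lines are constructed and assume the %SEC_LOGIN message layout produced by the IOS login logging feature; the function name, threshold and window are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample messages (assumed %SEC_LOGIN layout, documentation addresses).
SAMPLE = [
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Mon Mar 3 2008",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Mon Mar 3 2008",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 198.51.100.7] [localport: 22] at 10:00:12 UTC Mon Mar 3 2008",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:20 UTC Mon Mar 3 2008",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:05:00 UTC Mon Mar 3 2008",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:09:00 UTC Mon Mar 3 2008",
]

# Pull the source address and the device timestamp out of a failure message.
# The time zone and weekday tokens are skipped; only time and date are parsed.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*?\[Source: (?P<src>[^\]]+)\]"
    r".*? at (?P<time>\d\d:\d\d:\d\d) \S+ \w{3} (?P<date>\w{3} +\d+ \d{4})"
)


def repeated_failure_alerts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return (source, timestamp) each time a source reaches `threshold`
    failed logins inside `window`. Other messages are ignored."""
    recent = defaultdict(deque)  # source address -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %b %d %Y")
        q = recent[m["src"]]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        # Fire once when the threshold is reached, not on every further failure.
        if len(q) == threshold:
            alerts.append((m["src"], ts))
    return alerts


if __name__ == "__main__":
    for src, ts in repeated_failure_alerts(SAMPLE):
        print(f"ALERT: repeated login failures from {src} at {ts}")
```

Keying on the source address rather than the username also catches attempts that rotate usernames from one host, as in the sample.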
