Logging blues

Unanswered Question
Sep 21st, 2007

I have configured logging for a customer but am obviously doing something incorrectly.

I need for the logs to show authentication attempts, and currently when I do a "sho log" I dont see any.

the following is configured on the box:

logging buffered 32768

logging trap debugging



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Joseph W. Doherty Sat, 09/22/2007 - 03:51

When you do a "show log", does it show anything at all, such as the size of the logging buffer?

What type of device and image are you working with?

Richard Burts Sat, 09/22/2007 - 11:15


There are now two approaches about logging authentication efforts: the traditional approach is to use the capability of AAA to an authentication server and the authentication (both successful attempts and failed attempts) can be seen on the server. In recent releases of IOS Cisco has added the ability to generate similar information through syslog. It appears that you are using the second approach. Can you confirm which approach you are using?

If you are using the second (syslog) approach can you post what you have put into the configuration to generate these logs? Can you also give us the version and feature set of the image that you are running? (would want to verify that the new feature is supported in the code that you are running)



Kevin Melton Mon, 09/24/2007 - 04:51

sure thing. Version and feature set(s) are:

bhigw2#sho ver

Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Mon 02-Jul-07 23:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

bhigw2 uptime is 1 week, 4 days, 18 hours, 8 minutes

System returned to ROM by power-on

System restarted at 13:14:46 Eastern Wed Sep 12 2007

System image file is "flash:c3825-advipservicesk9-mz.124-11.XW2.bin"

I have a logfile server running Syslog-NG at (VLAN 10 is our Mgmt VLAN). Here is some output about logging:

bhigw2#sho run | inc log

service timestamps log datetime msec show-timezone

logging buffered 32768

aaa authentication login vtyaccess local

log config

logging trap debugging


banner login ^C

login authentication vtyaccess

Kevin Melton Mon, 09/24/2007 - 04:48


I am pasting the contents of the log in to this for examination.

This is from a border router (3825; image (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1)

Richard Burts Mon, 09/24/2007 - 06:22


Thanks for posting the additional information. From what you posted I do not believe that you have configured anything that would send login information to syslog. As I indicated in my previous post there are 2 alternatives about getting information about login activity (successes or failures). One approach is to get the information from the ACS server (which assumes that you are using AAA to control loging and that you are using an ACS server). The other approach which is quite new is to send the login activity message to syslog. To use this new feature you need to configure:

login on-success log [every login]


login on-failure log [every login]

This link will give more information if you want more detail about it.


Configure these commands and let us know how it works.



Joseph W. Doherty Mon, 09/24/2007 - 15:44


After reading Rick's posts, just realized I misread your orignal post. Thought you were not getting any logging.

If supported on your router/IOS, Rick's info appears the most suitable. Otherwise, AAA accounting may help you but its been a while since I've last used it. I do recall it will log to the AAA server, don't recall if they also syslog.


aaa accounting network acct_tac1 stop-only group tacacs+ group radius


aaa accounting network default stop-only group radius


aaa accounting send stop-record authentication failure


This Discussion