Logging blues

Unanswered Question
Sep 21st, 2007

I have configured logging for a customer but am obviously doing something incorrectly.

I need for the logs to show authentication attempts, and currently when I do a "sho log" I don't see any.

The following is configured on the box:

logging buffered 32768
logging trap debugging
logging 192.168.10.40


Thanks

mahmoodmkl Sat, 09/22/2007 - 01:46

Hi


I think for this you need to set up AAA.


Thanks

Mahmood

Joseph W. Doherty Sat, 09/22/2007 - 03:51

When you do a "show log", does it show anything at all, such as the size of the logging buffer?


What type of device and image are you working with?

Richard Burts Sat, 09/22/2007 - 11:15

Kevin


There are now two approaches about logging authentication efforts: the traditional approach is to use the capability of AAA to an authentication server and the authentication (both successful attempts and failed attempts) can be seen on the server. In recent releases of IOS Cisco has added the ability to generate similar information through syslog. It appears that you are using the second approach. Can you confirm which approach you are using?


If you are using the second (syslog) approach can you post what you have put into the configuration to generate these logs? Can you also give us the version and feature set of the image that you are running? (would want to verify that the new feature is supported in the code that you are running)


HTH


Rick

Kevin Melton Mon, 09/24/2007 - 04:51

Sure thing. Version and feature set(s) are:

bhigw2#sho ver
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 02-Jul-07 23:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

bhigw2 uptime is 1 week, 4 days, 18 hours, 8 minutes
System returned to ROM by power-on
System restarted at 13:14:46 Eastern Wed Sep 12 2007
System image file is "flash:c3825-advipservicesk9-mz.124-11.XW2.bin"


I have a logfile server running Syslog-NG at 192.168.10.40 (VLAN 10 is our Mgmt VLAN). Here is some output about logging:


bhigw2#sho run | inc log
service timestamps log datetime msec show-timezone
logging buffered 32768
aaa authentication login vtyaccess local
log config
logging trap debugging
logging 192.168.10.40
banner login ^C
login authentication vtyaccess


Kevin Melton Mon, 09/24/2007 - 04:48

Joseph

I am pasting the contents of the log in to this for examination.


This is from a border router (3825; image (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1))




Richard Burts Mon, 09/24/2007 - 06:22

Kevin


Thanks for posting the additional information. From what you posted I do not believe that you have configured anything that would send login information to syslog. As I indicated in my previous post there are 2 alternatives about getting information about login activity (successes or failures). One approach is to get the information from the ACS server (which assumes that you are using AAA to control login and that you are using an ACS server). The other approach which is quite new is to send the login activity message to syslog. To use this new feature you need to configure:

login on-success log [every login]

or

login on-failure log [every login]


This link will give more information if you want more detail about it.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008043fc9c.html


Configure these commands and let us know how it works.


HTH


Rick
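
Added example, not part of any post in this thread: Python that could run on the syslog server to pick login events out of the router's messages once the login on-failure log / login on-success log commands above are active, and to flag sources with repeated failures. The sample lines, usernames and the threshold of 3 are constructed for illustration; the layout assumes the usual %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS message format.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), shaped like the messages IOS
# emits for "login on-failure log" / "login on-success log".
SAMPLE = [
    "Sep 24 10:15:01.123 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.10.55] [localport: 23] [Reason: Login Authentication Failed] at 10:15:01 EDT Mon Sep 24 2007",
    "Sep 24 10:15:04.870 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.168.10.55] [localport: 23] [Reason: Login Authentication Failed] at 10:15:04 EDT Mon Sep 24 2007",
    "Sep 24 10:15:05.002 EDT: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.168.10.20)",
    "Sep 24 10:15:09.411 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.10.55] [localport: 23] [Reason: Login Authentication Failed] at 10:15:09 EDT Mon Sep 24 2007",
    "Sep 24 10:15:20.300 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.10.55] [localport: 23] at 10:15:20 EDT Mon Sep 24 2007",
    "Sep 24 10:16:02.050 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 192.168.10.20] [localport: 23] [Reason: Login Authentication Failed] at 10:16:02 EDT Mon Sep 24 2007",
    "Sep 24 10:16:10.700 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.10.20] [localport: 23] at 10:16:10 EDT Mon Sep 24 2007",
]

# The user field may be empty (failure at the username prompt); Reason is
# present only on failures.
EVENT = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]+)\])?"
)

def parse_login_event(line):
    """Return a dict for a SEC_LOGIN line, or None for any other message."""
    m = EVENT.search(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """Count failures per source; flag sources at or over the threshold and
    any successful login that arrives from a source already over it."""
    failures = Counter()
    success_after_failures = []
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue  # unrelated syslog message
        if ev["result"] == "FAILED":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            success_after_failures.append((ev["src"], ev["user"]))
    flagged = sorted(s for s, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "flagged": flagged,
            "success_after_failures": success_after_failures}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```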

Joseph W. Doherty Mon, 09/24/2007 - 15:44

Kevin,


After reading Rick's posts, just realized I misread your original post. Thought you were not getting any logging.


If supported on your router/IOS, Rick's info appears the most suitable. Otherwise, AAA accounting may help you but it's been a while since I've last used it. I do recall it will log to the AAA server, don't recall if they also syslog.


e.g.


aaa accounting network acct_tac1 stop-only group tacacs+ group radius

or

aaa accounting network default stop-only group radius


and


aaa accounting send stop-record authentication failure
