Thanks Mahmood

I do indeed have AAA set up on the box.

Kevin

There are now two approaches about logging authentication efforts: the traditional approach is to use the capability of AAA to an authentication server and the authentication (both successful attempts and failed attempts) can be seen on the server. In recent releases of IOS Cisco has added the ability to generate similar information through syslog. It appears that you are using the second approach. Can you confirm which approach you are using?

If you are using the second (syslog) approach can you post what you have put into the configuration to generate these logs? Can you also give us the version and feature set of the image that you are running? (would want to verify that the new feature is supported in the code that you are running)

HTH

Rick

sure thing. Version and feature set(s) are:

bhigw2#sho ver

Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Mon 02-Jul-07 23:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

bhigw2 uptime is 1 week, 4 days, 18 hours, 8 minutes

System returned to ROM by power-on

System restarted at 13:14:46 Eastern Wed Sep 12 2007

System image file is "flash:c3825-advipservicesk9-mz.124-11.XW2.bin"

I have a logfile server running Syslog-NG at 192.168.10.40 (VLAN 10 is our Mgmt VLAN). Here is some output about logging:

bhigw2#sho run | inc log

service timestamps log datetime msec show-timezone

logging buffered 32768

aaa authentication login vtyaccess local

log config

logging trap debugging

logging 192.168.10.40

banner login ^C

login authentication vtyaccess

Joseph

I am pasting the contents of the log in to this for examination.

This is from a border router (3825; image (C3825-ADVIPSERVICESK9-M), Version 12.4(11)XW2, RELEASE SOFTWARE (fc1)

Kevin

Thanks for posting the additional information. From what you posted I do not believe that you have configured anything that would send login information to syslog. As I indicated in my previous post there are 2 alternatives about getting information about login activity (successes or failures). One approach is to get the information from the ACS server (which assumes that you are using AAA to control loging and that you are using an ACS server). The other approach which is quite new is to send the login activity message to syslog. To use this new feature you need to configure:

login on-success log [every login]

or

login on-failure log [every login]

This link will give more information if you want more detail about it.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008043fc9c.html

Configure these commands and let us know how it works.

HTH

Rick

Kevin,

After reading Rick's posts, just realized I misread your orignal post. Thought you were not getting any logging.

If supported on your router/IOS, Rick's info appears the most suitable. Otherwise, AAA accounting may help you but its been a while since I've last used it. I do recall it will log to the AAA server, don't recall if they also syslog.

e.g.

aaa accounting network acct_tac1 stop-only group tacacs+ group radius

or

aaa accounting network default stop-only group radius

and

aaa accounting send stop-record authentication failure