Log telnet logins to a syslog server?

Unanswered Question
Oct 18th, 2007

Hi, we are using Cisco 877s and 1841s for VPNs. How can I send valid and invalid telnet login attempts to my syslog server?

Currently I have no auditing. They are using 12.4 IOS.

zubair001 Fri, 10/19/2007 - 01:49

Hi,

I am assuming you have SNMP already configured.

If so you need to enter these commands:

1. logging on

2. logging 0.0.0.0 (insert the IP of your syslog server)

3. logging trap x (replace x with number 0-7)

    0 - Emergencies - system is unusable
    1 - Alerts - immediate action required
    2 - critical - critical conditions
    3 - errors - error conditions
    4 - warnings - warning conditions
    5 - notifications - normal but significant conditions
    6 - informational - informational messages (default)
    7 - debugging

whiteford Fri, 10/19/2007 - 01:58

Thanks, do you know what trap telnet logins and invalid logins will come under?

Richard Burts Fri, 10/19/2007 - 05:44

Andy

If you are running 12.4 then you should have access to a new feature which does what you are asking for. There are enhancements to login which allow you to send to syslog all successful and/or unsuccessful logins. This link will give you information about it and how to configure it.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b93.html#wp1027195

HTH

Rick

whiteford Fri, 10/19/2007 - 08:10

I've added:

    login block-for 100 attempts 5 within 100
    login quiet-mode access-class 50
    login on-failure log
    login on-success log

"Show login failures" gives me the failures, but what shows me the login successes?

Thanks

Richard Burts Fri, 10/19/2007 - 08:21

Andy

When I configure it the successes are in the syslog (logging buffered or wherever you send syslog). I wonder if the show login failures function is related to the login block-for function. Because if I configure login on-failure but do not configure block-for then when I show login failure it says that there are no failures even though the syslog shows several failures within the last minute or two.

So I would look to syslog for both success and failures.

HTH

Rick

whiteford Fri, 10/19/2007 - 11:48

Hi, I'm getting failures on the router via telnet but no successes anywhere, either on the router or on the syslog server. I need successful logons to be logged too.

Richard Burts Fri, 10/19/2007 - 12:23

Andy

I am not sure what is different but when I configured it and tested it I got both successes and failures in the logging buffer:

Oct 19 12:16:31 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:31 EDT Fri Oct 19 2007

Oct 19 12:16:55 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:55 EDT Fri Oct 19 2007

Oct 19 12:17:03 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rburts] [Source: x.y.167.65] [localport: 23] at 12:17:03 EDT Fri Oct 19 2007

HTH

Rick
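The two messages in the buffer output above carry different severities (4 for LOGIN_FAILED, 5 for LOGIN_SUCCESS), so the logging trap level decides which of them reach the syslog server. The following is an added example, not code from anyone in this thread: a Python sketch for the syslog-server side that parses these messages and applies that severity filter. The function names and the sample lines (with documentation-range addresses) are constructed for illustration.

```python
import re

# IOS severity keywords accepted by "logging trap"; list index == numeric level.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Matches the SEC_LOGIN message body in the format shown in the thread.
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-(?P<sev>[0-7])-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]*)\])?"
)

def parse_login_event(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    m = SEC_LOGIN.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sev"], ev["port"] = int(ev["sev"]), int(ev["port"])
    return ev

def forwarded(event, trap_level):
    """IOS sends a message to the syslog host only if its severity number
    is less than or equal to the configured "logging trap" level."""
    return event["sev"] <= SEVERITIES.index(trap_level)

def summarize(lines, trap_level):
    """Count failed/successful logins per source that would reach the server."""
    summary = {}
    for line in lines:
        ev = parse_login_event(line)
        if ev is None or not forwarded(ev, trap_level):
            continue
        counts = summary.setdefault(ev["source"], {"LOGIN_FAILED": 0, "LOGIN_SUCCESS": 0})
        counts[ev["event"]] += 1
    return summary

# Constructed sample lines (not real logs), in the format posted above.
SAMPLE = [
    "Oct 19 12:16:31 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 12:16:31 EDT Fri Oct 19 2007",
    "Oct 19 12:16:55 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 12:16:55 EDT Fri Oct 19 2007",
    "Oct 19 12:17:03 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 23] at 12:17:03 EDT Fri Oct 19 2007",
    "Oct 19 12:18:10 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

if __name__ == "__main__":
    print({lvl: summarize(SAMPLE, lvl) for lvl in ("warnings", "notifications")})
```

With the trap level at warnings only the two failures are counted; at notifications or higher the success appears as well.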

Richard Burts Sat, 10/20/2007 - 09:51

Andy

I simply configured:

    login on-failure log
    login on-success log

I did not configure the login block or the login quiet-period. I am not sure why that would change it but that is the difference I am aware of between my config and your config.

HTH

Rick

Richard Burts Mon, 10/22/2007 - 07:58

Andy

Why would you need to add any SNMP info? This works with syslog not with SNMP. I do have SNMP configured on the router that I test with. But I do not see any connection between this function of logging to syslog telnet success or failure and SNMP.

HTH

Rick

whiteford Mon, 10/22/2007 - 08:47

You're right, ignore me there!

I have managed to get the successful and unsuccessful logins appearing on the syslog server. The next router only wants to show successes though, and I have added login on-failure log too.

You might know the answer to this though, Rick: how can I also get any changes made to the router to appear on the syslog server?

Richard Burts Mon, 10/22/2007 - 08:56

Andy

I am glad that you have successes and failures working on one router. I am not sure why it would not work on the other. Could you post the output of show run | include log from the other router so that we can see those parts of the configuration?

HTH

Rick

whiteford Mon, 10/22/2007 - 09:03

Will do as soon as I get back to the office. Any ideas on the other part? I just want to send any changes that are made on a router to the syslog server. Our PIX does, but this is externally managed, so I can see the config.

Richard Burts Mon, 10/22/2007 - 09:20

Andy

I have sent config changes using the aaa accounting for level 15 commands. This will send all level 15 commands including the config commands to the aaa accounting function. I have used this and it works pretty well. Until recently that was the only way that I knew to track config changes. Cisco introduced a new feature in 12.3(4)T that does give the ability to log config changes in syslog. This link has information about this new feature:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454f73.html

HTH

Rick

whiteford Tue, 10/23/2007 - 04:38

Hi, it's working very well on my other routers except one router where I have privilege level 10, the chaps in the US have 15:

    line con 0
     password xxx
     login
    line aux 0
    line vty 0 4
     privilege level 15
     password xxx
     login local
     transport input telnet
    line vty 5 15
     privilege level 15
     password xxx
     login local
     transport input telnet
    line vty 16 807
     password xxx
     login

I've added:

    archive
     log config
      logging enable
      logging size 200
      notify syslog
      hidekeys

and

    login on-failure log
    login on-success log
    logging trap notifications
    logging source-interface FastEthernet0/0
    logging 192.168.211.119

I get nothing in the syslog server

whiteford Tue, 10/23/2007 - 05:59

This is the config:

Thing is, I have just noticed it was working yesterday, well the login successes were, now it doesn't. I've not changed a thing.

Attachment: 
