10-18-2007 11:39 PM - edited 03-03-2019 07:14 PM
Hi, we are using Cisco 877s and 1841s for VPNs. How can I send valid and invalid login telnet attempts to my syslog server?
Currently I have no auditing. They are using 12.4 IOS.
10-19-2007 01:49 AM
Hi,
I am assuming you have SNMP already configured.
If so you need to enter these commands:
1. logging on
2. logging 0.0.0.0 (insert the IP of your syslog server)
3. logging trap x (replace x with number 0-7)
0- Emergencies - system is unusable
1- Alerts - immediate action required
2- critical - critical conditions
3- errors - error conditions
4- warnings - warning conditions
5- notifications - normal but significant conditions
6- informational - informational messages (default)
7- debugging
10-19-2007 01:58 AM
Thanks, do you know what trap telnet logins and invalid logins will come under?
10-19-2007 05:44 AM
Andy
If you are running 12.4 then you should have access to a new feature which does what you are asking for. There are enhancements to login which allow you to send to syslog all successful and/or unsuccessful logins. This link will give you information about it and how to configure it.
HTH
Rick
10-19-2007 08:10 AM
I've added:
login block-for 100 attempts 5 within 100
login quiet-mode access-class 50
login on-failure log
login on-success log
"Show login failures" gives me the failures, but what shows me the login successes?
Thanks
10-19-2007 08:21 AM
Andy
When I configure it the successes are in the syslog (logging buffered or wherever you send syslog). I wonder if the show login failures function is related to the login block-for function. Because if I configure login on-failure but do not configure block-for then when I show login failure it says that there are no failures even though the syslog shows several failures within the last minute or two.
So I would look to syslog for both success and failures.
HTH
Rick
10-19-2007 11:48 AM
Hi, I'm getting failures on the router via telnet but no successes anywhere, either on the router or on the syslog server, I need successful logons too to be logged.
10-19-2007 12:23 PM
Andy
I am not sure what is different but when I configured it and tested it I got both successes and failures in the logging buffer:
Oct 19 12:16:31 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:31 EDT Fri Oct 19 2007
Oct 19 12:16:55 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:55 EDT Fri Oct 19 2007
Oct 19 12:17:03 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rburts] [Source: x.y.167.65] [localport: 23] at 12:17:03 EDT Fri Oct 19 2007
HTH
Rick
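An added example, not part of the thread and not Cisco tooling: a Python parser for %SEC_LOGIN messages in the format posted above, run over constructed sample lines. It flags sources that reach 5 failures within 100 seconds (the thresholds from the `login block-for` line earlier in the thread) and successes that follow failures from the same source; the names `parse_line` and `review`, the user `admin` and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PATTERN = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]*)\])? "
    r"at (?P<time>\d\d:\d\d:\d\d) \S+ \w{3} (?P<date>\w{3} +\d{1,2} \d{4})"
)
# Constructed sample data (not captured from a real router).
F = ("Oct 19 {t} EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {u}] [Source: {ip}] "
     "[localport: 23] [Reason: Login Authentication Failed] at {t} EDT Fri Oct 19 2007")
S = ("Oct 19 {t} EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: {u}] [Source: {ip}] "
     "[localport: 23] at {t} EDT Fri Oct 19 2007")
SAMPLE = [F.format(t=f"12:16:{sec:02d}", u="", ip="192.0.2.65") for sec in (5, 15, 25, 35, 45)] + [
    S.format(t="12:17:03", u="admin", ip="192.0.2.65"),
    F.format(t="12:20:00", u="", ip="198.51.100.7"),
    "Oct 19 12:21:00 EDT: %SYS-5-CONFIG_I: Configured from console by vty0",
]

def parse_line(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["user"] = ev["user"].strip()
    ev["port"] = int(ev["port"])
    # The timestamp after "at" carries the year; the time zone name is ignored.
    ev["when"] = datetime.strptime(f"{ev.pop('time')} {ev.pop('date')}", "%H:%M:%S %b %d %Y")
    return ev

def review(lines, attempts=5, within=100):
    """Return (sources with `attempts` failures inside `within` seconds,
    successes preceded by recent failures from the same source)."""
    fails, bursts, success_after_fail = defaultdict(list), set(), []
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["when"])
    for ev in events:
        window = timedelta(seconds=within)
        recent = [t for t in fails[ev["src"]] if ev["when"] - t <= window]
        if ev["event"] == "LOGIN_FAILED":
            fails[ev["src"]] = recent + [ev["when"]]
            if len(recent) + 1 >= attempts:
                bursts.add(ev["src"])
        elif recent:  # a success right after failures deserves a closer look
            success_after_fail.append((ev["src"], ev["user"], len(recent)))
    return sorted(bursts), success_after_fail

if __name__ == "__main__":
    print(review(SAMPLE))
```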
10-19-2007 12:28 PM
Hi Rick, what's your config for this?
10-20-2007 09:51 AM
Andy
I simply configured:
login on-failure log
login on-success log
I did not configure the login block or the login quiet-period. I am not sure why that would change it but that is the difference I am aware of between my config and your config.
HTH
Rick
10-22-2007 07:49 AM
hi Rick,
What snmp info do I need to add?
10-22-2007 07:58 AM
Andy
Why would you need to add any SNMP info? This works with syslog not with SNMP. I do have SNMP configured on the router that I test with. But I do not see any connection between this function of logging to syslog telnet success or failure and SNMP.
HTH
Rick
10-22-2007 08:47 AM
You're right, ignore me there!
I have managed to get the successful and unsuccessful logins appearing on the syslog server, the next router only wants to show successes though and I have added login on-failure log too.
You might know the answer to this though Rick, how can I also show any changes made to the router to appear on the syslog server?
10-22-2007 08:56 AM
Andy
I am glad that you have successes and failures working on one router. I am not sure why it would not work on the other. Could you post the output of show run | include log from the other router so that we can see those parts of the configuration?
HTH
Rick
10-22-2007 09:03 AM
Will do as soon as I get back to the office. Any ideas on the other part? I just want to send any changes that are made on a router to the syslog server, our pix does but this is externally managed, so I can see the config.