
Log telnet logins to a syslog server?

whiteford
Level 1

Hi, we are using Cisco 877s and 1841s for VPNs. How can I send valid and invalid telnet login attempts to my syslog server?

Currently I have no auditing. They are using 12.4 IOS.


zubair001
Level 1

Hi,

I am assuming you have SNMP already configured.

If so you need to enter these commands:

1. logging on

2. logging 0.0.0.0 (insert the IP of your syslog server)

3. logging trap x (replace x with number 0-7)

0- Emergencies - system is unusable

1- Alerts - immediate action required

2- critical - critical conditions

3- errors - error conditions

4- warnings - warning conditions

5- notifications - normal but significant conditions

6- informational - informational messages (default)

7- debugging

Thanks, do you know what trap telnet logins and invalid logins will come under?

Andy

If you are running 12.4 then you should have access to a new feature which does what you are asking for. There are enhancements to login which allow you to send to syslog all successful and/or unsuccessful logins. This link will give you information about it and how to configure it.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b93.html#wp1027195

HTH

Rick

I've added:

login block-for 100 attempts 5 within 100

login quiet-mode access-class 50

login on-failure log

login on-success log

"Show login failures" gives me the failures, but what shows me the login successes?

Thanks

Andy

When I configure it the successes are in the syslog (logging buffered or wherever you send syslog). I wonder if the show login failures function is related to the login block-for function, because if I configure login on-failure but do not configure block-for, then when I show login failures it says that there are no failures even though the syslog shows several failures within the last minute or two.

So I would look to syslog for both success and failures.

HTH

Rick

Hi, I'm getting failures on the router via telnet but no successes anywhere, either on the router or on the syslog server. I need successful logons to be logged too.

Andy

I am not sure what is different but when I configured it and tested it I got both successes and failures in the logging buffer:

Oct 19 12:16:31 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:31 EDT Fri Oct 19 2007

Oct 19 12:16:55 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.y.167.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:55 EDT Fri Oct 19 2007

Oct 19 12:17:03 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rburts] [Source: x.y.167.65] [localport: 23] at 12:17:03 EDT Fri Oct 19 2007

HTH

Rick
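
Added example, not part of the original posts: Python that parses %SEC_LOGIN lines in the format quoted in the reply above, tallies failures and successes per source, and shows which of them pass a given logging trap level (in those lines failures are severity 4 and successes severity 5). The function names and the sample lines, including the 192.0.2.65 placeholder address, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the buffer lines quoted above; 192.0.2.65 is a
# documentation placeholder and the %SYS line is there only to be skipped.
SAMPLE = """\
Oct 19 12:16:31 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:31 EDT Fri Oct 19 2007
Oct 19 12:16:55 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.65] [localport: 23] [Reason: Login Authentication Failed] at 12:16:55 EDT Fri Oct 19 2007
Oct 19 12:17:03 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rburts] [Source: 192.0.2.65] [localport: 23] at 12:17:03 EDT Fri Oct 19 2007
Oct 19 12:17:40 EDT: %SYS-5-CONFIG_I: Configured from console by rburts on vty0 (192.0.2.65)
"""

MSG = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):")
FIELD = re.compile(r"\[(?P<key>[A-Za-z]+): ?(?P<val>[^\]]*)\]")

def parse_line(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    m = MSG.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "event": m.group("event")}
    # Bracketed fields after the mnemonic: user, source, localport, reason.
    for f in FIELD.finditer(line, m.end()):
        rec[f.group("key").lower()] = f.group("val").strip()
    return rec

def visible_at(text, trap_level):
    """Login events that pass 'logging trap <trap_level>' (severity <= level)."""
    recs = (parse_line(l) for l in text.splitlines())
    return [r["event"] for r in recs if r and r["severity"] <= trap_level]

def summarize(text):
    """Count failures/successes per source; flag a success that follows failures."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "success_after_failure": False})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "source" not in rec:
            continue
        s = stats[rec["source"]]
        if rec["event"] == "LOGIN_FAILED":
            s["failed"] += 1
        else:
            s["success"] += 1
            s["success_after_failure"] = s["success_after_failure"] or s["failed"] > 0
    return dict(stats)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("trap 4:", visible_at(SAMPLE, 4), "| trap 5:", visible_at(SAMPLE, 5))
```

At trap level 4 only the two failures are forwarded; the success message needs level 5 or higher.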

Hi Rick, what's your config for this?

Andy

I simply configured:

login on-failure log

login on-success log

I did not configure the login block or the login quiet-period. I am not sure why that would change it but that is the difference I am aware of between my config and your config.

HTH

Rick

Hi Rick,

What SNMP info do I need to add?

Andy

Why would you need to add any SNMP info? This works with syslog not with SNMP. I do have SNMP configured on the router that I test with. But I do not see any connection between this function of logging to syslog telnet success or failure and SNMP.

HTH

Rick

You're right, ignore me there!

I have managed to get the successful and unsuccessful logins appearing on the syslog server. The next router only wants to show successes though, and I have added login on-failure log too.

You might know the answer to this though Rick, how can I also show any changes made to the router to appear on the syslog server?

Andy

I am glad that you have successes and failures working on one router. I am not sure why it would not work on the other. Could you post the output of show run | include log from the other router so that we can see those parts of the configuration?

HTH

Rick

Will do as soon as I get back to the office. Any ideas on the other part? I just want to send any changes that are made on a router to the syslog server. Our PIX does, but this is externally managed, so I can see the config.
