Syslog configuration on a 6009 (Running IOS)

Unanswered Question

I am running the latest 12.1 IOS on my 6009 and I was wondering if I can configure syslog to tell me when someone logs in or out of the switch? Would I need to change anything with the logging facility (don't think I need to)?


Right now I have the following set for logging...


Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes

0 overruns)

Console logging: disabled

Monitor logging: level emergencies, 0 messages logged

Buffer logging: disabled

Exception Logging: size (4096 bytes)

Trap logging: level debugging, 6601 message lines logged

Logging to x.x.x.x, 6601 message lines logged

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Mark Yeates Wed, 06/11/2008 - 14:21
User Badges:
  • Gold, 750 points or more

Typically you would want to use TACACS to log access to your devices. There is a command to log successful, and unsuccessful connection attempts to your switch. Unfortunately your IOS is not current enough to support the commands. You also might try setting your logging buffer to informational, and it should log when users log into the switch. I do recommend using TACACS.


login on-failure log

login on-success log


Hope this helps

Mark

I have tried this on my 3750 and the command is there. I am not seeing anything in syslog though. Here are my settings:


login block-for 30 attempts 30 within 100

login delay 5

login on-failure log

login on-success log

...

no logging buffered

no logging console

no logging monitor

logging 1.2.3.4


I have messages going to syslog, but login messages are not appearing.



Mark Yeates Fri, 06/13/2008 - 11:41
User Badges:
  • Gold, 750 points or more

Try adding the "logging trap notifications" command.




Mark

Mark Yeates Fri, 06/13/2008 - 12:08
User Badges:
  • Gold, 750 points or more

You shouldn't have to use AAA, as long as you are using a local account with a username and password.

Mark Yeates Fri, 06/13/2008 - 12:22
User Badges:
  • Gold, 750 points or more

You will want to configure a username and password for it to log access to the switch.

glen.grant Sat, 06/14/2008 - 01:58
User Badges:
  • Purple, 4500 points or more

Right now you have buffer logging disabled so you won't be able to look at anything locally on the box the way it is . As the other person said what you are requested is normally handled thru an authentication server whether tacacs or radius. You need to turn buffer logging on the box and don't use the defaults they are much too small , I would make it at least 3-4 times the default of 4096 at the very least.

Actions

This Discussion