SNMP OID's

Feb 9th, 2009

We are trying to monitor Cisco routers and switches using SNMP. Is there an OID for tracking telnet, ssh, or console login attempts? We are not sending traps, but polling the devices.

Joe Clarke Mon, 02/09/2009 - 10:37
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

You can use the OLD-CISCO-TS-MIB to track active line sessions on an IOS device. For example, tsLineActive will tell you if a given line number is active, and tslineSesType will tell you what type of connection is being used.

aryanadonis Mon, 02/09/2009 - 12:50

Thanks,


Is there anything that will track failed login attempts?

Joe Clarke Mon, 02/09/2009 - 13:07

There are syslog messages you can send on failed attempts by configuring:


login on-fail log


If you enable these messages, and you have syslog histories enabled to trap on severity 5 and higher, then you can see those attempts in the clogHistory (CISCO-SYSLOG-MIB). For example:


CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN

CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)

CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED

CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009



aryanadonis Mon, 02/09/2009 - 13:36

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?

Joe Clarke Mon, 02/09/2009 - 13:56

Like I said, you could poll the clogHistory object from the CISCO-SYSLOG-MIB, but some messages may have rotated out of the history. Ideally, you would track such failed attempts on a AAA server.
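
The polling approach discussed in this thread, as an added example that is not part of any participant's post: it parses `snmpwalk` text output of the clogHistory columns, extracts LOGIN_FAILED events, and flags when entries rotated out between polls. The names `parse_walk`, `failed_logins` and `last_seen` are hypothetical, and the sample walk is constructed around the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of snmpwalk output for the clogHistory columns (not from a real device).
SAMPLE_WALK = """\
CISCO-SYSLOG-MIB::clogHistFacility.951 = STRING: SYS
CISCO-SYSLOG-MIB::clogHistMsgName.951 = STRING: CONFIG_I
CISCO-SYSLOG-MIB::clogHistMsgText.951 = STRING: Configured from console by vty0
CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN
CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)
CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED
CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009
"""

LINE_RE = re.compile(r"^CISCO-SYSLOG-MIB::clogHist(\w+)\.(\d+) = \w+: (.*)$")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")  # bracketed "[key: value]" pairs in MsgText


def parse_walk(text):
    """Group clogHist* columns by history index: {index: {column: value}}."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, value = m.groups()
            rows[int(index)][column] = value
    return dict(rows)


def failed_logins(text, last_seen=0):
    """Return (events, new_last_seen, gap) for history entries newer than last_seen.

    gap is True when the oldest entry still in the table is newer than
    last_seen + 1, meaning messages rotated out between two polls.
    Index wrap-around is not handled (assumption for this example).
    """
    rows = parse_walk(text)
    if not rows:
        return [], last_seen, False
    gap = last_seen > 0 and min(rows) > last_seen + 1
    events = []
    for index in sorted(i for i in rows if i > last_seen):
        row = rows[index]
        if row.get("Facility") == "SEC_LOGIN" and row.get("MsgName") == "LOGIN_FAILED":
            fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(row.get("MsgText", ""))}
            events.append({"index": index, **fields})
    return events, max(rows), gap
```

Store the returned `new_last_seen` between polls; a `gap` of True means failed attempts may have been missed, which is the rotation caveat raised in the reply above.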

aryanadonis Mon, 02/09/2009 - 14:40

Thanks jclarke,

Do you have the commands to set the syslog to send traps of these messages?

Joe Clarke Mon, 02/09/2009 - 14:44

To send the syslog messages as traps, configure:


snmp-server enable traps syslog

aryanadonis Mon, 02/09/2009 - 14:12

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?
