Joe Clarke Mon, 02/09/2009 - 10:37

You can use the OLD-CISCO-TS-MIB to track active line sessions on an IOS device. For example, tsLineActive will tell you if a given line number is active, and tslineSesType will tell you wnat type of connection is being used.

Joe Clarke Mon, 02/09/2009 - 13:07

There are syslog messages you can send on failed attempts by configure:


login on-fail log


If you enable these messages, and you have syslog histories enabled to trap on severity 5 and higher, then you can see those attempts in the clogHistory (CISCO-SYSLOG-MIB. For example:


CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN

CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)

CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED

CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009



aryanadonis Mon, 02/09/2009 - 13:36

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?

Joe Clarke Mon, 02/09/2009 - 13:56

Like I said, you could poll the clogHistory object from the CISCO-SYSLOG_MIB, but some messages may have rotated out of the history. Ideally, you would track such failed attempts on a AAA server.

aryanadonis Mon, 02/09/2009 - 14:40

Thanks jclarke,

Do you have the commands to set the syslog to send traps of these messages?

Joe Clarke Mon, 02/09/2009 - 14:44

To send the syslog messages as traps, configure:


snmp-server enable traps syslog

aryanadonis Mon, 02/09/2009 - 14:12

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?

Actions

This Discussion