cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1279
Views
20
Helpful
8
Replies

SNMP OID's

aryanadonis
Level 1
Level 1

We are trying to monitor cisco routers and switches using SNMP. Is there an OID for tracking telnet, ssh, or console login attempts? We are not sending traps, but polling the devices.

8 Replies 8

Joe Clarke
Cisco Employee
Cisco Employee

You can use the OLD-CISCO-TS-MIB to track active line sessions on an IOS device. For example, tsLineActive will tell you if a given line number is active, and tslineSesType will tell you wnat type of connection is being used.

Thanks,

Is there anything that will track failed login attempts?

There are syslog messages you can send on failed attempts by configure:

login on-fail log

If you enable these messages, and you have syslog histories enabled to trap on severity 5 and higher, then you can see those attempts in the clogHistory (CISCO-SYSLOG-MIB. For example:

CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN

CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)

CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED

CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?

Like I said, you could poll the clogHistory object from the CISCO-SYSLOG_MIB, but some messages may have rotated out of the history. Ideally, you would track such failed attempts on a AAA server.

Thanks jclarke,

Do you have the commands to set the syslog to send traps of these messages?

To send the syslog messages as traps, configure:

snmp-server enable traps syslog

Thanks,

I was hoping there was a way without using traps, but it looks like I cannot?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: