02-09-2009 07:22 AM
We are trying to monitor cisco routers and switches using SNMP. Is there an OID for tracking telnet, ssh, or console login attempts? We are not sending traps, but polling the devices.
02-09-2009 10:37 AM
You can use the OLD-CISCO-TS-MIB to track active line sessions on an IOS device. For example, tsLineActive will tell you if a given line number is active, and tslineSesType will tell you what type of connection is being used.
02-09-2009 12:50 PM
Thanks,
Is there anything that will track failed login attempts?
02-09-2009 01:07 PM
There are syslog messages you can send on failed attempts by configuring:
login on-fail log
If you enable these messages, and you have syslog histories enabled to trap on severity 5 and higher, then you can see those attempts in the clogHistory (CISCO-SYSLOG-MIB). For example:
CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN
CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)
CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED
CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009
02-09-2009 01:36 PM
Thanks,
I was hoping there was a way without using traps, but it looks like I cannot?
02-09-2009 01:56 PM
Like I said, you could poll the clogHistory object from the CISCO-SYSLOG-MIB, but some messages may have rotated out of the history. Ideally, you would track such failed attempts on a AAA server.
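Added example (not part of the original thread, and not Cisco's code): a poller-side sketch that parses `snmpwalk` text output of clogHistory, extracts the LOGIN_FAILED entries, and flags when entries may have rotated out between polls. The walk below is constructed from the output quoted in the thread; the function names and the rule that clogHistIndex increases by one per message are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample walk: row 952 is the entry quoted in the thread, the rest is made up.
SAMPLE_WALK = """\
CISCO-SYSLOG-MIB::clogHistFacility.951 = STRING: SYS
CISCO-SYSLOG-MIB::clogHistMsgName.951 = STRING: CONFIG_I
CISCO-SYSLOG-MIB::clogHistMsgText.951 = STRING: Configured from console by vty0
CISCO-SYSLOG-MIB::clogHistFacility.952 = STRING: SEC_LOGIN
CISCO-SYSLOG-MIB::clogHistSeverity.952 = INTEGER: warning(5)
CISCO-SYSLOG-MIB::clogHistMsgName.952 = STRING: LOGIN_FAILED
CISCO-SYSLOG-MIB::clogHistMsgText.952 = STRING: Login failed [user: ] [Source: 172.18.123.31] [localport: 23] [Reason: Login Authentication Failed] at 16:03:58 EST Mon Feb 9 2009
CISCO-SYSLOG-MIB::clogHistFacility.953 = STRING: SEC_LOGIN
CISCO-SYSLOG-MIB::clogHistMsgName.953 = STRING: LOGIN_FAILED
CISCO-SYSLOG-MIB::clogHistMsgText.953 = STRING: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 16:05:10 EST Mon Feb 9 2009
"""

ROW = re.compile(r"^CISCO-SYSLOG-MIB::clogHist(\w+)\.(\d+) = \w+: (.*)$")
FIELDS = re.compile(r"\[user: (.*?)\] \[Source: (.*?)\] \[localport: (\d+)\] \[Reason: (.*?)\]")

def parse_walk(text):
    """Group the walked columns by history index: {index: {column: value}}."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            column, index, value = m.groups()
            rows[int(index)][column] = value
    return dict(rows)

def failed_logins(rows, last_seen=0):
    """Return (events, new_last_seen, gap) for rows newer than last_seen."""
    indices = sorted(rows)
    gap = False
    if indices and last_seen:
        if indices[-1] < last_seen:        # assumption: index wrapped, start over
            last_seen, gap = 0, True
        elif indices[0] > last_seen + 1:   # assumption: entries rotated out unseen
            gap = True
    events = []
    for i in indices:
        row = rows[i]
        if i <= last_seen or (row.get("Facility"), row.get("MsgName")) != ("SEC_LOGIN", "LOGIN_FAILED"):
            continue
        m = FIELDS.search(row.get("MsgText", ""))
        if m:
            events.append({"index": i, "user": m[1], "source": m[2],
                           "localport": int(m[3]), "reason": m[4]})
    return events, (indices[-1] if indices else last_seen), gap

if __name__ == "__main__":
    print(failed_logins(parse_walk(SAMPLE_WALK), last_seen=951))
```

Store the returned last-seen index between polls; a true gap flag means the polling interval is too long for the history table size and failures may have been missed.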
02-09-2009 02:40 PM
Thanks jclarke,
Do you have the commands to set the syslog to send traps of these messages?
02-09-2009 02:44 PM
To send the syslog messages as traps, configure:
snmp-server enable traps syslog