Syslog logging

jphilippe.halle
Level 1

Hello,

Question about logging to a syslog server.

Right now everything seems to work except one thing.

I want to log successful and failed logins on the console port.

It's working with SSH but I can't get the serial port login attempt to log.

Is there something special to do ?

In fact, as I'm typing this, I see that the "show logging" command doesn't show any console port log, so I suppose it's not related to syslog.

Thank you

8 Replies

Richard Burts
Hall of Fame

Jean-Philippe

If you are getting the messages when someone logs in via SSH and do not get the messages when someone logs in via console, then my first question would be whether you have set up the console authentication the same way that you set up authentication for SSH on the VTY? Perhaps you could post your config and we might see what is going on.

HTH

Rick


cisco24x7
Level 6

Put in the following lines and it will work:

login block-for 60 attempts 3 within 60

login on-failure log every 3

login on-success log

Here is what you should see on your syslog server:

[Expert@P1-NGx]# tail -f /var/log/messages | grep 192.168.15.201

Mar 9 21:01:43 192.168.15.201 56: *Mar 9 22:00:05.109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 22:00:05 UTC Mon Mar 9 2009

Mar 9 21:01:43 192.168.15.201 56: *Mar 9 22:00:05.109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 22:00:05 UTC Mon Mar 9 2009

Mar 9 21:04:27 192.168.15.201 59: *Mar 9 22:02:48.969: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 22:02:48 UTC Mon Mar 9 2009

Mar 9 21:04:27 192.168.15.201 59: *Mar 9 22:02:48.969: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 22:02:48 UTC Mon Mar 9 2009

[Expert@P1-NGx]#

The method you set up for authentication on the console port (i.e. TACACS, local, etc...) is not relevant to what you're trying to achieve. The commands I gave you apply globally. Furthermore, you can even have AAA accounting under the console port as well. That adds another layer of logging in addition to syslog.

Easy right?

David

I question your assertion that the authentication method specified for the console is not relevant. By default (without aaa new-model) if I connect on the console and hit enter then I will be put into user mode. Are you saying that your entries will generate log messages reflecting that access on the console?

It is my understanding that until the console does "authenticate" the access that it will not generate the log message.

HTH

Rick


Rick,

It goes without saying that you need to either use "AAA" or "login local" on the console port in order to achieve the desired goal. Everyone should know this by default.

My point is that the method of authentication, minus the default, is not relevant, whether it is tacacs, radius, local, etc...

*Everyone should know this by default.*

That's a bold statement.

David

My original post raised the question of how the console was configured and whether it was different from the VTY about authentication. The main thing that I had in mind was the possibility that the console might not have authentication configured. You questioned that and asserted that the method of authentication was not relevant. I believe that my question asking how the console is configured (and whether it is in fact doing authentication) is quite relevant.

And I do not believe that everyone (possibly including the original poster) does necessarily assume that every login is to be authenticated.

HTH

Rick


Thank you all for your answers.

I took a brand new switch to make the test with login on-failure etc...

works very well

So I took a production switch to do the test... entered the exact same commands and got 2 problems:

1- only successful login logs even if login on-failure log...is configured

2- When I take a look at the log on successful login, the name of the user is never written.

Example :

Login Success [user: ] [Source:0.0.0.0] localport: 0]

thanks
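The %SEC_LOGIN messages shown earlier in this thread (produced by "login on-failure log" and "login on-success log") are only useful if the syslog collector actually does something with them. The parser below is an added example, not code from any poster or from Cisco: it reads the relay format seen in David's tail output, extracts the bracketed fields, counts failed attempts per device, and flags the exact gap reported above, a LOGIN_SUCCESS with an empty [user: ] field. The sample lines are constructed to match the thread's format (the 192.168.15.201 relay, sequence numbers and timestamps are illustrative), and treating Source 0.0.0.0 with localport 0 as a console (non-network) line is an assumption drawn from the samples, not a documented guarantee.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the output posted in this thread.
# Host, sequence numbers and timestamps are illustrative only.
SAMPLE_LOG = """\
Mar 9 21:01:43 192.168.15.201 56: *Mar 9 22:00:05.109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 22:00:05 UTC Mon Mar 9 2009
Mar 9 21:01:50 192.168.15.201 57: *Mar 9 22:00:12.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 22:00:12 UTC Mon Mar 9 2009
Mar 9 21:04:27 192.168.15.201 59: *Mar 9 22:02:48.969: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 22:02:48 UTC Mon Mar 9 2009
Mar 9 21:05:10 192.168.15.201 60: *Mar 9 22:03:31.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 0.0.0.0] [localport: 0] at 22:03:31 UTC Mon Mar 9 2009
Mar 9 21:06:00 192.168.15.201 61: *Mar 9 22:04:21.500: %SYS-5-CONFIG_I: Configured from console by cisco on console
"""

# Only the two mnemonics this thread is about; anything else is ignored.
SEC_LOGIN_RE = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): ")
# Bracketed "[key: value]" fields; the value may be empty, as in "[user: ]".
FIELD_RE = re.compile(r"\[(?P<key>\w+): ?(?P<val>[^\]]*)\]")


@dataclass
class LoginEvent:
    device: str        # syslog source host as written by the relay
    mnemonic: str      # LOGIN_FAILED or LOGIN_SUCCESS
    user: str          # may be "" (the problem reported in this thread)
    source: str        # [Source: ...]
    localport: str     # [localport: ...]
    reason: Optional[str]  # [Reason: ...], only present on failures

    @property
    def success(self) -> bool:
        return self.mnemonic == "LOGIN_SUCCESS"

    @property
    def is_console(self) -> bool:
        # Assumption: no source address and local port 0 means the login came
        # over a non-network line (console/aux), as in the thread's samples.
        return self.source == "0.0.0.0" and self.localport == "0"


def parse_line(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a %SEC_LOGIN line, or None for anything else."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    # Relay prefix in the constructed sample: "<mon> <day> <time> <host> <seq>: ..."
    device = line.split()[3]
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line[m.end():])}
    return LoginEvent(
        device=device,
        mnemonic=m["mnemonic"],
        user=fields.get("user", ""),
        source=fields.get("Source", ""),
        localport=fields.get("localport", ""),
        reason=fields.get("Reason"),
    )


def parse_log(text: str) -> List[LoginEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def review(events: List[LoginEvent], failure_threshold: int = 2) -> List[str]:
    """Findings a defender would act on: repeated failures per device, and
    successful logins that carry no username (an audit trail with no actor)."""
    findings = []
    failures = Counter(ev.device for ev in events if not ev.success)
    for device, n in failures.items():
        if n >= failure_threshold:
            findings.append(f"{device}: {n} failed logins")
    for ev in events:
        if ev.success and ev.user == "":
            line_kind = "console" if ev.is_console else "network"
            findings.append(f"{ev.device}: successful login with empty username on {line_kind} line")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real collector, the empty-username check is the one worth keeping: a LOGIN_SUCCESS with no user name is a login you cannot attribute, which is exactly the situation the production switch above produced, and it is easy to miss when only counting failures.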

I am going with what I read from the original poster:

"I want to log successful and failed logins on the console port."

When I read this I assumed that he implemented some type of login authentication method on the console port.

I've never tested this on a switch so I can not comment on the outcome. I tested this on a Cisco 2851 router with IOS version c2800nm-advipservicesk9-mz.124-16.bin and it works with both issues #1 and #2 you described above.

"*Everyone should know this by default.*"

I assume everyone with a tiny bit of knowledge of networking should know this.
