Track / Alerts on Routers

Amin Shaikh
Level 1

Hi,

Need suggestions on how to get alerts on failed/passed login attempts on the router, and email alerts on configuration changes.

Trace the source of login.

I have found a tool on Linux but am looking for one on Windows.

http://www.shrubbery.net/rancid/

1 Reply

Joe Clarke
Cisco Employee

You could enable login syslog messages with:

    login on-failure log
    login on-success log

That will generate syslog messages that look like:

Aug 29 17:19:23.889: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 172.18.254.236] [localport: 23] [Reason: Login Authentication Failed] at 17:19:23 EDT Sat Aug 29 2009

Aug 29 17:22:56.963: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cse] [Source: 172.18.254.236] [localport: 23] at 17:22:56 EDT Sat Aug 29 2009

You could then match these messages with the Embedded Event Manager to send them as emails:

    event manager applet login-failure
     event syslog pattern "SEC_LOGIN-4-LOGIN_FAILED"
     action 1.0 info type routername
     action 2.0 mail server smtp.company.com to user@company.com from user@company.com subject "Login failure on $_info_routername" body "Login failure occurred: $_syslog_msg"

    event manager applet login-success
     event syslog pattern "SEC_LOGIN-5-LOGIN_SUCCESS"
     action 1.0 info type routername
     action 2.0 mail server smtp.company.com to user@company.com from user@company.com subject "Successful login on $_info_routername" body "Successful login occurred: $_syslog_msg"

The same could be done for config changes. You could match on SYS-5-CONFIG messages, and send email:

    event manager applet config-change
     event syslog pattern "SYS-5-CONFIG.*"
     action 1.0 info type routername
     action 2.0 mail server smtp.company.com to user@company.com from user@company.com subject "Config change on $_info_routername" body "Config change occurred: $_syslog_msg"
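
Added example, not part of the original reply: a Python sketch that parses the %SEC_LOGIN messages quoted above to trace each login's source and summarize failures per source IP. It assumes the router's syslog output is also collected as text lines on a host; the names `parse_login` and `summarize` and the threshold of 3 are illustrative choices.

```python
import re
from collections import Counter

# Sample input: lines 1 and 4 are quoted in the reply; the rest are constructed.
SAMPLE = """\
Aug 29 17:19:23.889: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 172.18.254.236] [localport: 23] [Reason: Login Authentication Failed] at 17:19:23 EDT Sat Aug 29 2009
Aug 29 17:19:31.102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.18.254.236] [localport: 23] [Reason: Login Authentication Failed] at 17:19:31 EDT Sat Aug 29 2009
Aug 29 17:19:40.557: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.18.254.236] [localport: 23] [Reason: Login Authentication Failed] at 17:19:40 EDT Sat Aug 29 2009
Aug 29 17:22:56.963: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cse] [Source: 172.18.254.236] [localport: 23] at 17:22:56 EDT Sat Aug 29 2009
Aug 29 17:25:02.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 17:25:02 EDT Sat Aug 29 2009
"""

MNEMONIC = re.compile(r"%SEC_LOGIN-(\d)-(LOGIN_FAILED|LOGIN_SUCCESS):")
FIELD = re.compile(r"\[(\w+): ?([^\]]*)\]")  # e.g. [Source: 172.18.254.236]

def parse_login(line):
    """Return the fields of a SEC_LOGIN message, or None for any other line."""
    m = MNEMONIC.search(line)
    if m is None:
        return None
    f = {k.lower(): v.strip() for k, v in FIELD.findall(line[m.end():])}
    port = f.get("localport", "")
    return {
        "severity": int(m.group(1)),
        "event": m.group(2),
        "user": f.get("user", ""),  # empty when no username was supplied
        "source": f.get("source", ""),
        "localport": int(port) if port.isdigit() else None,
        "reason": f.get("reason"),  # only present on failures
    }

def summarize(lines, threshold=3):
    """Return (sources with >= threshold failures, successes preceded by failures)."""
    failed = Counter()
    noisy, after_failures = set(), []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        src = ev["source"]
        if ev["event"] == "LOGIN_FAILED":
            failed[src] += 1
            if failed[src] >= threshold:
                noisy.add(src)
        elif failed[src]:
            after_failures.append((ev["user"], src, failed[src]))
    return sorted(noisy), after_failures

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A successful login that follows several failures from the same source is worth reviewing, since it can indicate a guessed password rather than a mistyped one.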
