
syslog failed login message not sent

dsliz
Level 1

Hi all

I'd need to generate a syslog message after any failed ssh login attempt on my router.

Even though I read all the related documentation, I couldn't find a way to get it up and running. I can get a successful login syslog message, but not an unsuccessful one.

My relevant router config is as follows:

logging trap notifications

logging source-interface FastEthernet0/0

logging 10.24.50.91

login on-failure log

login on-success log

Router#

Sep 17 16:35:09 BST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: slizd] [Source: 19X.12X.20X.5X] [localport: 22] at 16:35:09 BST Thu Sep 17 2009

Router#

Any thoughts will be appreciated.

Thanks in advance

Draz

Accepted Solutions

cisco24x7
Level 6

You need the following commands in the configuration:

login block-for 60 attempts 3 within 60

login delay 1

login on-failure log every 3

login on-success log

You will see these messages in the syslog server:

Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009

Easy right?

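On the collector side, the messages quoted in the answer above can be parsed and reviewed per source address. The following is an added example, not part of the original thread and not Cisco code: the function names, the failure threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The user field is whatever the client typed, so it is matched greedily and
# the Source/localport pair the router appends after it is the one kept.
EVENT_RE = re.compile(
    r"%SEC_LOGIN-(?P<severity>\d)-(?P<event>[A-Z_]+):.*?"
    r"\[user: (?P<user>.*)\] \[Source: (?P<source>[^\]\s]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)

def parse_sec_login(line):
    """Return the fields of a %SEC_LOGIN message as a dict, or None."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def review(lines, fail_threshold=2):
    """Return (source, finding) tuples in the order they are detected."""
    failed = defaultdict(int)   # logged failures per source address
    quiet = set()               # sources that already triggered quiet mode
    findings = []
    for line in lines:
        ev = parse_sec_login(line)
        if ev is None:
            continue  # not a login event
        src = ev["source"]
        if ev["event"] == "LOGIN_FAILED":
            failed[src] += 1
            if failed[src] == fail_threshold:
                findings.append((src, "repeated-failures"))
        elif ev["event"] == "QUIET_MODE_ON" and src not in quiet:
            quiet.add(src)
            findings.append((src, "quiet-mode-triggered"))
        elif ev["event"] == "LOGIN_SUCCESS" and failed[src]:
            findings.append((src, "success-after-failures"))
    return findings

# Constructed sample lines (documentation addresses), shaped like the
# collector output quoted in the answer above.
PFX = "Sep 18 10:39:33 192.0.2.1 287: *Sep 18 10:55:30.384: %SEC_LOGIN-"
SAMPLE = [
    PFX + "4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009",
    PFX + "4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:55:41 UTC Fri Sep 18 2009",
    PFX + "1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:41 UTC Fri Sep 18 2009",
    PFX + "5-LOGIN_SUCCESS: Login Success [user: test] [Source: 198.51.100.7] [localport: 22] at 10:57:17 UTC Fri Sep 18 2009",
    PFX + "5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 203.0.113.9] [localport: 22] at 10:58:02 UTC Fri Sep 18 2009",
    "Sep 18 10:42:00 192.0.2.1 291: %SYS-5-CONFIG_I: Configured from console by ops on vty0 (203.0.113.9)",
]
```

Calling `review(SAMPLE)` returns the findings for the constructed lines; a success that follows logged failures from the same source is the case most worth a second look.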

Thanks for your help.

It works now. I'm just wondering why the command

login block-for

must be configured to get failed login syslog messages. I got success messages even without it...

But anyhow, your help and advice are much appreciated. Thanks

Draz
