syslog failed login message not sent

dsliz
Level 1

Hi all

I need to generate a syslog message after any failed SSH login attempt on my router.

Even though I read all the related documentation, I couldn't find a way to get it up and running. I can get a successful login syslog message, but not an unsuccessful one.

My relevant router config is as follows:

logging trap notifications

logging source-interface FastEthernet0/0

logging 10.24.50.91

login on-failure log

login on-success log

Router#

Sep 17 16:35:09 BST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: slizd] [Source: 19X.12X.20X.5X] [localport: 22] at 16:35:09 BST Thu Sep 17 2009

Router#

Any thoughts will be appreciated.

Thanks in advance

Draz

1 Accepted Solution

cisco24x7
Level 6

You need the following commands in the configuration:

login block-for 60 attempts 3 within 60

login delay 1

login on-failure log every 3

login on-success log

You will see these messages in the syslog server:

Sep 18 10:39:33 172.20.20.20 287: *Sep 18 10:55:30.384: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:39:34 172.20.20.20 288: *Sep 18 10:55:30.384: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cciesec] [Source: 10.109.114.40] [localport: 23] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:55:30 UTC Fri Sep 18 2009

Sep 18 10:41:21 172.20.20.20 290: *Sep 18 10:57:17.144: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 10.109.114.40] [localport: 23] at 10:57:17 UTC Fri Sep 18 2009

Easy right?
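
Once the router sends these messages, the syslog server side can act on them. The following is an added example, not part of the original thread and not Cisco code: a small Python parser for the %SEC_LOGIN lines shown above that flags sources with repeated failures, a triggered quiet mode, or a success shortly after failures. The function names, thresholds and sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT = re.compile(r"%SEC_LOGIN-(\d)-([A-Z_]+):")
FIELD = re.compile(r"\[(\w+): ([^\]]*)\]")
STAMP = re.compile(r" at (\d\d:\d\d:\d\d) \S+ \w{3} (\w{3} +\d+ \d{4})\s*$")

def parse(line):
    """Return a dict for one SEC_LOGIN line, or None for anything else."""
    ev, st = EVENT.search(line), STAMP.search(line)
    if not (ev and st):
        return None
    rec = {k.lower(): v for k, v in FIELD.findall(line)}
    rec["severity"], rec["event"] = int(ev.group(1)), ev.group(2)
    # Trailing "at ..." stamp is the device's local time; zone name is ignored.
    rec["time"] = datetime.strptime(f"{st.group(2)} {st.group(1)}", "%b %d %Y %H:%M:%S")
    return rec

def review(lines, max_failed=3, window=timedelta(seconds=60)):
    """Map source IP -> sorted list of findings worth an analyst's look."""
    findings, failed = defaultdict(set), defaultdict(list)
    for rec in sorted(filter(None, map(parse, lines)), key=lambda r: r["time"]):
        src, now = rec.get("source", "unknown"), rec["time"]
        recent = [t for t in failed[src] if now - t <= window]
        if rec["event"] == "LOGIN_FAILED":
            recent.append(now)
            if len(recent) >= max_failed:
                findings[src].add("repeated-failures")
        elif rec["event"] == "QUIET_MODE_ON":
            findings[src].add("quiet-mode-triggered")
        elif rec["event"] == "LOGIN_SUCCESS" and recent:
            findings[src].add("success-after-failure")
        failed[src] = recent
    return {src: sorted(tags) for src, tags in findings.items()}

# Constructed sample lines in the format shown in the answer above.
P = "Sep 18 10:39:33 198.51.100.1 287: *Sep 18 10:55:30.384: %SEC_LOGIN-"
F = "] [localport: 22] [Reason: Login Authentication Failed] at "
SAMPLE = [
    P + "4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10" + F + "10:55:10 UTC Fri Sep 18 2009",
    P + "4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10" + F + "10:55:20 UTC Fri Sep 18 2009",
    P + "4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10" + F + "10:55:30 UTC Fri Sep 18 2009",
    P + "1-QUIET_MODE_ON: Still timeleft for watching failures is 40 secs, [user: cisco] [Source: 192.0.2.10" + F + "10:55:30 UTC Fri Sep 18 2009",
    P + "4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.0.2.20" + F + "11:00:00 UTC Fri Sep 18 2009",
    P + "5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.0.2.20] [localport: 22] at 11:00:20 UTC Fri Sep 18 2009",
    P + "5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.0.2.30] [localport: 22] at 11:05:00 UTC Fri Sep 18 2009",
    "Sep 18 10:39:40 198.51.100.1 295: %SYS-5-CONFIG_I: Configured from console by console",
]
```

With `login on-failure log every 3` as configured in the answer, not every failed attempt produces its own message, so `max_failed` should be lowered to match what the device actually logs.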

Thanks for your help.

It works now. I'm just wondering why the command

login block-for

must be configured to get failed login syslog messages. I got success messages even without it...

But anyhow, your help and advice is much appreciated. Thanks

Draz
