control of logging entries

Unanswered Question
Jun 23rd, 2010


cisco 2651xm router


I currently have logging enabled and a logging trap that goes to a syslog on another server. Problem is the syslog contains lots of junk info I don't want. My reason for creating the logging trap/syslog thing was to monitor telnet attempts to the router and nothing more. I'm getting entries in the log about ethernet connections going up and down and other stuff so how can I trim the logging so it shows only telnet logon attempts?

Ganesh Hariharan Thu, 06/24/2010 - 03:16

The following steps configure the router to log incoming TELNET or SSH connections via syslog:


    config t
    access-list 1 permit {xxx.xxx.xxx.xxx} log
    line vty 0 4
    access-class 1 in


This will allow incoming connections on lines VTY 0-4 to be logged via syslog. NB: the logging is only applied to the IP address {xxx.xxx.xxx.xxx} in the access-list command, and the logging generated applies only to the initial connection, not the login itself.


Hope to help !!


Ganesh.H


Remember to rate the helpful post

tonyspcrepairs Thu, 06/24/2010 - 13:33

Thanks for your response, Ganesh. The config you gave is good because I see it blocks all telnet attempts except the one specified in the access-list, but I'm still getting unwanted entries in the syslog about ethernet ports going up and down and other stuff etc. I'd like the syslog to only show telnet attempts if that's possible. Thanks for any further ideas.

Ganesh Hariharan Thu, 06/24/2010 - 22:43

Hi,


There are eight different logging levels.


0—emergencies
1—alerts
2—critical
3—errors
4—warnings
5—notification
6—informational
7—debugging


The default level for console, monitor, and syslog is debugging. The logging on command is the default. To disable all logging, use the no logging on command. By default, the router logs anything at the level of debugging and greater. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). If you want to pare down what the system logs, use something like the logging console notifications command.


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

Richard Burts Sun, 06/27/2010 - 22:26

Tony


The suggestion from Ganesh uses the logging facility of an access list to create syslog. And that would work. In recent versions of IOS there is also an option to create syslog records that reflect successful or failed attempts to log in without the overhead of access list processing. See this link for more information about this capability:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_k1.html#wp1047814


But the issue that you have is that these syslog records are only a small part of the syslog records created by IOS routers. Ganesh has identified the capability of IOS to limit the syslog records transmitted by specifying the severity level of the record. Unfortunately the syslog records generated by his suggestion are at severity level 6 (informational). So to get his log records you still get all the other records that you do not want.


I do not believe that there is any option on the IOS router to limit the syslog records transmitted in the way that you want. Perhaps it might be possible to have something on the server that is receiving the syslog records to examine them and filter out the records that you do not want.


HTH


Rick
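
The server-side filtering suggested in the last reply, as an added example that is not from any poster in this thread: a Python filter that keeps only hits on the VTY access list and login success/failure records, and drops everything else. The sample lines are constructed, and the message tags (%SEC-6-IPACCESSLOGS, %SEC_LOGIN-...) are the ones IOS is assumed to emit for a logged standard ACL and for login success/failure logging.

```python
import re

# Tags worth keeping. Assumption: standard-ACL hits are tagged
# %SEC-6-IPACCESSLOGS and login events %SEC_LOGIN-5/4-...
KEEP = {
    "SEC-6-IPACCESSLOGS": "vty-acl",
    "SEC_LOGIN-5-LOGIN_SUCCESS": "login-ok",
    "SEC_LOGIN-4-LOGIN_FAILED": "login-failed",
}
TAG_RE = re.compile(r"%([A-Z0-9_]+-[0-7]-[A-Z0-9_]+):\s*(.*)$")
ACL_RE = re.compile(r"list (\S+) (permitted|denied) (\d+\.\d+\.\d+\.\d+)")
SRC_RE = re.compile(r"\[Source: ([^\]]+)\]")
ACL_NAME = "1"  # the access list applied to the vty lines in the thread

def classify(line):
    """Return (kind, source_ip) for a wanted record, or None to drop it."""
    m = TAG_RE.search(line)
    if not m or m.group(1) not in KEEP:
        return None  # interface up/down and all other noise ends here
    kind, text = KEEP[m.group(1)], m.group(2)
    if kind == "vty-acl":
        acl = ACL_RE.search(text)
        # Other logged ACLs share this tag; keep only the vty list.
        if not acl or acl.group(1) != ACL_NAME:
            return None
        return (f"vty-acl-{acl.group(2)}", acl.group(3))
    src = SRC_RE.search(text)
    return (kind, src.group(1) if src else "unknown")

def filter_log(lines):
    """Keep wanted records, paired with their classification."""
    return [(c, l) for l in lines if (c := classify(l))]

# Constructed sample records (addresses from documentation ranges).
SAMPLE = [
    "<187>45: Jun 24 13:01:10: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "<189>46: Jun 24 13:01:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "<190>47: Jun 24 13:02:30: %SEC-6-IPACCESSLOGS: list 1 permitted 192.0.2.10 1 packet",
    "<190>48: Jun 24 13:03:02: %SEC-6-IPACCESSLOGS: list 20 denied 198.51.100.7 3 packets",
    "<188>49: Jun 24 13:04:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 23] [Reason: Login Authentication Failed] at 13:04:15 UTC Thu Jun 24 2010",
    "<189>50: Jun 24 13:05:40: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: tony] [Source: 192.0.2.10] [localport: 23] at 13:05:40 UTC Thu Jun 24 2010",
]

if __name__ == "__main__":
    for (kind, src), line in filter_log(SAMPLE):
        print(f"{kind:18} {src:15} {line}")
```

Matching on the message tag rather than on severity is what makes this work: the wanted records sit at levels 4 to 6, alongside the interface messages that a severity threshold cannot separate from them.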
