Good afternoon. I was just wondering if anyone had any suggestions regarding the logging of "enable" logins and failed "enable" logins using syslog. For some reason I can't get the switch (IOS 12.x) to send the syslog server a message when someone attempts to enter "enable" mode via typing the "enable" password nor failed "enable" login attempts. I am logging at the informational level but maybe the IOS doesn't provide this information? Any assistance or tips would be greatly appreciated. Thanks!
Are you already using AAA (CiscoSecure ACS) for centralized username/password authentication or are you doing local authentication? [Might not want to answer that in a public forum *grin*]
If you're using centralized AAA, then this function could be addressed by reviewing AAA authentication logs [you'll need to have enable access tracked also, besides your standard logins]
If you're not doing centralized AAA, then you can 'kind of' mock it up by doing access-list/access-group against your console and VTY ports and in the ACL, do a log statement. In this way you'd get an understanding of how often permitted telnets are happening to the box. You could even track/log denied ones, if you'd like.
From an SNMP trap perspective, this might help in a general sense...
There is a better way to do what you are suggesting on the router. Instead of trying to do access list with log in the access-class for the vty there is now (since 12.3(4)T) the ability to configure in IOS the command login on-success and login on-failure and these will send messages to syslog for login success or failure. This link is to a good article about this feature:
But Barry is asking a slightly different question. He is asking for log messages when the attempt at enable succeeds or fails. And I am not aware of a good way to notify for enable success or failure. Even the suggestion to use the logging of ACS seems to not satisfy this. I tested it and it will log a failed enable attempt. But the error message that it uses for failed attempts at enable is the same message that it uses for failed attempts at user mode. So I do not see a good way to notify about failed attempts at enable mode.
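Added example (not part of any post in this thread): a small Python tally over the syslog messages that `login on-failure log` and `login on-success log` produce, as a syslog-side check for repeated failed logins. The sample lines are constructed, and the bracketed `%SEC_LOGIN` layout is assumed from the IOS login-enhancements message format; these messages cover logins, not `enable` attempts.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range addresses, made-up users).
# Assumed layout: the bracketed fields of IOS %SEC_LOGIN messages.
SAMPLE_LOG = """\
<188>41: *Mar  1 00:10:02: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:02 UTC Mon Mar 1 1993
<188>42: *Mar  1 00:10:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:09 UTC Mon Mar 1 1993
<188>43: *Mar  1 00:10:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 00:10:15 UTC Mon Mar 1 1993
<189>44: *Mar  1 00:12:40: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.20] [localport: 22] at 00:12:40 UTC Mon Mar 1 1993
<189>45: *Mar  1 00:13:05: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.20)
<188>46: *Mar  1 00:20:51: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 00:20:51 UTC Mon Mar 1 1993
"""

EVENT = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_events(text):
    """Return one dict per %SEC_LOGIN line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Count failed logins per source address."""
    return Counter(e["src"] for e in events if e["result"] == "FAILED")


def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is arbitrary)."""
    counts = failures_by_source(events)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    for src, n in failures_by_source(evts).most_common():
        print(f"{src}: {n} failed login(s)")
    print("over threshold:", noisy_sources(evts))
```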
Gentlemen, I've attempted to make changes you mentioned but to no avail. I ran the "login on-success log" & "login on-failure log" commands to see if that would produce any "enable" login attempts or failures in Kiwi syslog but nothing. Also when I run the "show logging" command there are no "enable" related messages there.
I am using CiscoSecure ACS for AAA. Are there some settings I'm missing within RADIUS that's not logging or sending to the syslog? Because even after I type bad enable passwords no entries show up in the Reports and Activities section of CiscoSecure ACS. I'm not worried about the SSH logins (domain) just when users attempt to enter "enable" mode or failure to do so.
I have also set up the archiving options that Michael suggested but no enable entries in syslog...