05-14-2012 01:46 PM
I currently have a 4507 switch running 122-25.EWA4. I have enabled the login on-failure command for syslog and traps. When a failed login occurs I see it in the syslog just fine, but I never see a trap generated. I know traps are working for other commands on the switch (i.e. running config viewed).
login on-failure
login on-success log
switch#show login
A default login delay of 1 seconds is applied.
Quiet-Mode access list 25 is applied.
All successful login is logged.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 30 seconds or less,
logins will be disabled for 120 seconds.
Router presently in Normal-Mode.
Current Watch Window remaining time 21 seconds.
Present login failure count 0.
278250: May 14 16:33:15.602: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: JoeUser] [Source: 192.168.1.1] [localport: 22] [Reason: Login Authentication Failed] at 16:33:15 East_US Mon May
snmp-server community <snip> RW 10
snmp-server community <snip> RO 11
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps vlan-membership
snmp-server host <snip>
05-15-2012 12:20 PM
It seems the traps are never generated on login on-success and login on-failure. I have seen this issue many times and the only workaround that seems to be available is to use syslog and then use the syslog trap to forward it as an SNMP trap.
You may want to see the old thread by Joeseph:
https://supportforums.cisco.com/message/678852#678852
-Thanks
05-15-2012 12:34 PM
I checked some more details on this; it seems this issue was raised with some of the bugs being filed:
CSCsa67252 No trap generated when ssh/telnet login fails
CSCtg26052 secure login "login on-failure trap" fails to generate SNMP traps
It seems that, currently, SNMP traps are not supported by IOS, for which the above enhancement defects had been raised.
The login on-failure command you are trying to use is for logging to syslog and is not supported for SNMP traps. As a possible workaround, you can use that and then enable syslog traps to be notified of when login failure occurs.
Also, the correct syntax is "login on-failure log" and must be preceded by a login block-for command to enable login functionality. Please see the following document for more details and for instructions on syslog logging on failed logins:
As a final confirmation from the enhancement team: this feature (SNMP traps for login failures) is not available in IOS, and the command which indicates the functionality will be removed in all future releases. The documentation will also be corrected appropriately.
-thanks
Vinod
05-15-2012 01:52 PM
For clarity, I thought the OP was saying the syslog-to-snmptrap part (a la the "snmp-server enable traps syslog" line) does not appear to generate traps concerning SEC_LOGIN-4-LOGIN_FAILED. That syslog-to-snmptrap part should work in IOS though, since another user had gotten it working before (https://supportforums.cisco.com/thread/2062890).
05-15-2012 01:56 PM
Do you have "logging history #" configured? Given https://supportforums.cisco.com/thread/2062890, I figure you would not get snmp traps about SEC_LOGIN-4-LOGIN_FAILED if you have "logging history [1/2/3]" configured. However, the default "logging history 4" should be fine.
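As an added illustration of the two points raised in this thread (it is not code from the forum posters or from Cisco): the severity digit in %SEC_LOGIN-4-LOGIN_FAILED is what "logging history <level>" filters on before a message can become a syslog trap, and the "5 failures within 30 seconds" thresholds from the "show login" output can be reproduced on a collector so that login failures are still detected when the device itself never sends a trap. The function names and the sample line are constructed for this example.

```python
import re
from collections import defaultdict, deque

# In %SEC_LOGIN-4-LOGIN_FAILED the "4" is the IOS severity (0 emergencies,
# ... 3 errors, 4 warnings, ... 7 debugging). "logging history <level>" admits
# only messages at that severity or more severe into the SNMP history table.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<text>.*)$")
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z ]+): (?P<value>[^\]]*)\]")

# Constructed sample, modelled on the LOGIN_FAILED line quoted in the thread.
SAMPLE = ("278250: May 14 16:33:15.602: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
          "[user: JoeUser] [Source: 192.168.1.1] [localport: 22] "
          "[Reason: Login Authentication Failed] at 16:33:15 East_US Mon May 14")

def parse_ios_syslog(line):
    """Return facility/severity/mnemonic and the [key: value] fields, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(rec["text"])}
    return rec

def forwarded_as_trap(rec, logging_history_level=4):
    """True if 'logging history <level>' would let this message reach the
    history table, and hence 'snmp-server enable traps syslog'."""
    return rec["severity"] <= logging_history_level

class LoginFailureWatcher:
    """Per-source sliding-window counter using the thresholds the 'show login'
    output reports: 5 failures within 30 seconds. Timestamps are epoch seconds."""
    def __init__(self, attempts=5, within=30):
        self.attempts = attempts
        self.within = within
        self.failures = defaultdict(deque)

    def observe(self, rec, when):
        """Record a LOGIN_FAILED event; True when the source crosses the threshold."""
        if rec is None or rec["mnemonic"] != "LOGIN_FAILED":
            return False
        q = self.failures[rec["fields"].get("source", "unknown")]
        q.append(when)
        while when - q[0] > self.within:   # drop events outside the window
            q.popleft()
        return len(q) >= self.attempts
```

With "logging history 3" (errors) the sample message is dropped before the history table, which matches the behaviour described in the linked thread.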
05-15-2012 02:54 PM
Hi yjdabear, thank you for your replies. I do have logging history set to level 4. I am still not seeing traps generated even using the 'syslog method' for the login failures. Here is a snippet of my logging:
Syslog logging: enabled (0 messages dropped, 1102 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 277317 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 139 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 278418 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Trap logging: level debugging, 278388 message lines logged
Logging to
filtering disabled
switch#show logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
4417 messages ignored, 0 dropped, 0 recursion drops
273892 table entries flushed
SNMP notifications enabled, 52 notifications sent
entry number 273893 : LINK-3-UPDOWN
Interface GigabitEthernet7/19, changed state to up
timestamp: 883868674
09-21-2013 02:55 PM
login on-success log
login on-failure log
Enable the logging and use the logging buffered command.
regards.