Logging telnet session with syslog.

I'm trying to log telnet sessions using syslog and have configured the following:

ip access-list extended testaccess
 permit tcp 202.162.31.0 0.0.0.255 host 0.0.0.0 eq telnet log-input
line vty 0 4
 access-class testaccess in

Looking at the syslog this is the only entry I got when I telnet to the router:

367: *Aug 31 19:48:17.274: %SEC-6-IPACCESSLOGP: list testaccess permitted tcp 202.162.31.121(43264) -> 0.0.0.0(23), 1 packet

Can I see more info, for instance, the username that was trying to telnet to the router? Can the log also show failed attempts due to an unauthorised username?

Thanks.


Re: Logging telnet session with syslog.

Hi sweeann

Using an access-list with the log-input command for logging telnet access will only report IP packets that match the access-list.

Assuming you want to have "tighter" control and security in regards to telnet activity, I suggest you configure AAA and use Cisco Secure ACS as a reporting tool for authentication failures and configuration activities. ACS can give passed authentication, failed authentication, authorization control and accounting information as to what config lines were entered on the router/switch. Use TACACS+, since RADIUS is better with PPP sessions.

What you can do with syslog is to log the telnet session once a configuration change has been made. To do this, your logging trap level needs to be set to "informational".

Router(config)#logging buffered 8000 debugging
Router(config)#logging 10.1.1.1
Router(config)#logging trap 5

This configuration will be able to send a syslog message to your NMS the moment a telnet user makes a config change, since the severity matches level 5. It will look like this:

Sep 1 15:09:54.698: %SYS-5-CONFIG_I: Configured from console by joesoap on vty0 (10.1.X.X)

Hope this helps.
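Added example, not part of the original thread: Python that parses the two message formats quoted above, shows which of them a syslog server receives at a given `logging trap` level, and checks whether each config change has an earlier ACL-logged telnet hit from the same source. The second and third sample lines and all function names are constructed for illustration.

```python
import re

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
HEADER = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
ACL_HIT = re.compile(r"list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
                     r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
CONFIG_I = re.compile(r"Configured from (?P<via>\S+) by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")
DETAIL = {"IPACCESSLOGP": ACL_HIT, "CONFIG_I": CONFIG_I}

# First line is the one quoted in the question; the other two are constructed samples.
SAMPLE = [
    "367: *Aug 31 19:48:17.274: %SEC-6-IPACCESSLOGP: list testaccess permitted tcp "
    "202.162.31.121(43264) -> 0.0.0.0(23), 1 packet",
    "368: *Aug 31 19:49:02.110: %SYS-5-CONFIG_I: Configured from console by joesoap on vty0 (202.162.31.121)",
    "369: *Aug 31 19:55:40.003: %SYS-5-CONFIG_I: Configured from console by admin on vty5 (192.0.2.50)",
]

def parse(line):
    """Return a dict for one IOS syslog line, or None if it has no %FAC-SEV-MNEMONIC header."""
    m = HEADER.search(line)
    if not m:
        return None
    event = {"mnemonic": m["mnemonic"], "severity": int(m["severity"])}
    detail = DETAIL.get(m["mnemonic"])
    body = detail.search(m["text"]) if detail else None
    if body:
        event.update(body.groupdict())
    return event

def forwarded(events, trap_level):
    """'logging trap N' sends severity N and every numerically lower (more severe) level."""
    return [e for e in events if e["severity"] <= trap_level]

def attribute_changes(events):
    """For each config change: (user, line, source, earlier permitted telnet ACL hit from that source?)."""
    seen, report = set(), []
    for e in events:
        if e["mnemonic"] == "IPACCESSLOGP" and e.get("action") == "permitted" and e.get("dport") == "23":
            seen.add(e["src"])
        elif e["mnemonic"] == "CONFIG_I" and "user" in e:
            report.append((e["user"], e["line"], e["src"], e["src"] in seen))
    return report

EVENTS = [e for e in map(parse, SAMPLE) if e]

if __name__ == "__main__":
    for level in (5, 6):
        print(level, attribute_changes(forwarded(EVENTS, level)))
```

At trap level 5 the severity-6 `%SEC-6-IPACCESSLOGP` entries never reach the syslog server, so no change can be matched to an ACL hit; at level 6 both message types arrive and the constructed vty5 change stands out as having no matching hit.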
