topic Re: Displaying AAA username in syslog in Network Security

Displaying AAA username in syslog

codewize — Mon, 26 Feb 2024 16:13:59 GMT

Firepower 1010 locally managed
Failed login attempts are logged as 'user = *****'
I need to be able to see those attempted user names like ASA would do.

How can I do that?

Re: Displaying AAA username in syslog

Rob Ingram — Mon, 26 Feb 2024 16:17:24 GMT

@codewize try the command "no logging hide username" to display the username in SYSLOG messages.

Re: Displaying AAA username in syslog

codewize — Mon, 26 Feb 2024 16:30:17 GMT

At what prompt would that be typed?
Or is this another FlexConfig entry

Re: Displaying AAA username in syslog

Rob Ingram — Mon, 26 Feb 2024 16:41:31 GMT

@codewize yes try FlexConfig, there is no native GUI configuration when using FDM.

Re: Displaying AAA username in syslog

codewize — Tue, 27 Feb 2024 01:25:36 GMT

Seems like the command is 'no login hide username'

testing now
Nope, it doesn't like anything after 'log' throws errors deploying

Re: Displaying AAA username in syslog

codewize — Tue, 27 Feb 2024 01:26:09 GMT

Anyone have any other ideas?

Re: Displaying AAA username in syslog

codewize — Tue, 27 Feb 2024 18:59:09 GMT

Still need help with this

Re: Displaying AAA username in syslog

MHM Cisco World — Tue, 27 Feb 2024 19:02:20 GMT

you mgmt the FPR by FDM ?
MHM

Re: Displaying AAA username in syslog

Rob Ingram — Tue, 27 Feb 2024 19:23:15 GMT

@codewize FlexConfig is used to deploy ASA commands to FTD, the ASA command "no logging hide username" is to display usernames in SYSLOG. Did you try that syntax? I do not know what command "no login hide username" is and it's not valid on ASA.

Re: Displaying AAA username in syslog

codewize — Tue, 27 Feb 2024 19:28:55 GMT

FDM yes

Re: Displaying AAA username in syslog

codewize — Sun, 03 Mar 2024 16:33:23 GMT

Bump

Re: Displaying AAA username in syslog

Marvin Rhoads — Mon, 04 Mar 2024 02:32:34 GMT

The solution you should use is the one suggested by @Rob Ingram on 28 February.

Re: Displaying AAA username in syslog

codewize — Sat, 09 Mar 2024 02:36:11 GMT

Except the syntax is either wrong or that particular command is not supported on the 1010
Either way, FlexConfig won't even accept that.

Re: Displaying AAA username in syslog

codewize — Sat, 09 Mar 2024 02:34:00 GMT

no logging hide username is NOT valid on the FTD 1010
FlexConfig won't even accept it
Nor is no loggin hide username.

It will take 'no log hide username' but the deploy fails with an invalid command because putting anything after log is not acceptable.

Re: Displaying AAA username in syslog

MHM Cisco World — Sun, 10 Mar 2024 01:02:51 GMT

can you share steps you done
two days ago we face issue in IPsec and the solution was engineer missing add ""-"" between command
so please share steps let check it

thanks

MHM

Re: Displaying AAA username in syslog

codewize — Sun, 10 Mar 2024 04:09:19 GMT

Sure, so lets first agree that the command we're creating in FlexConfig is either
no logging hide username
or
no loggin hide username

Correct? Based on what's been said here. I want you to know also that this command DOES work on ASA and I have also deployed it on FP 2100 and 4100 devices succesfully.

OK so on my 1010 FDM managed
I go to the top menu Device > Advanced Configuration
FlexConfig > FlexConfig Objects
I Click the + to create a new object.
I named it no-hide-user
In the template box I put "no logging hide username" without the quotes of course.
Or "no loggin hide username"
Click OK and it puts a red box around the template area saying that the command is invalid syntax

If I do "no log hide username" it will save that. I was trying any rendition of the verbiage.
Go to FlexConfig Policy, use the + to add the new object to the existing policy
Save and deploy

The deploy fails because anything after the word log in that context is invalid input.

By the way. I am CCNP VPN currently studying to sit for the Firepower specialty exam. I built, deployed and manage a larger Firepwoer environments with 14 mixed devices including ASA with Firepower services. This is not my first experience nor am I new to Firepower.
I will say I have not done a lot of FlexConfig but I certainly understand how it works now.
However, having said that, the 1010 I have at home is a bit of a different animal, somewhat like the 5505 was back in the day. Definitely NOT the same as the larger devices, so I'm wondering if this command is not valid on the 1010.

Re: Displaying AAA username in syslog

davparker — Thu, 02 May 2024 22:53:14 GMT

I have this same problem. We are migrating to FMC managed firepower but I have two sites still running locally managed FDM. I can't find any variation of the "no hide logging username" in the FlexConfig object that will not get rejected. In FMC I had to use "no loggin hide username". It appears our firewalls are being targeted by brute force VPN logins. Trying to identify which accts they are trying. On FMC I ended up deploying a control plane acl to block the IPs. No sure I'll be able to do that yet on FDM.