topic Firewall context not generating user information while logging in Network Security

Firewall context not generating user information while logging

s.aliyarukunju — Tue, 12 Mar 2019 01:15:24 GMT

Dear Experts,

I am facing an issue for syslog messages that is not getting logged with user login information. Firewall is configured in multi-context mode.

Admin context is configured with syslog configuration and i am getting the local syslog messages about the user login information.

I did the same syslog server configuration for other contexts , but the local syslog message doesnt have the user information.

Could you kindly advice whether any limitation exists for multicontext firewall logging ?

Kind advice.

Firewall context not generating user information while logging

jocamare — Mon, 18 Mar 2013 20:06:47 GMT

Does this happen when you access the context directly or when you are coming from the "system" context?

What is the log ID that you are refering to?

Can you provide a sample of both logs? With and without the user information.

Re: Firewall context not generating user information while loggi

s.aliyarukunju — Tue, 19 Mar 2013 07:01:18 GMT

Hi Jocamare,

Thanks for your reply.

Let me clarfiy you more about this.

I have two context now , Admin and one customer context. Each context is having the dedicated management interface vlan.

When i am trying to access Admin context directly through managment interface , it will show the local syslog message with login user information.But when i am trying the same for customer context through the management interface , syslog message is not showing the login user information , eventhough the syslog configuration is same on both the context.

The log ID that i am refering is %FWSM-6-605005 . Below is the sample log files that generated on admin context while login.

Mar 19 2013 09:37:00: %FWSM-6-605005: Login permitted from 10.10.2.10/62219 to management:192.168.

1.4/telnet for user "abc"

Mar 19 2013 09:37:10: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15

Mar 19 2013 09:37:10: %FWSM-5-111008: User 'abc' executed the 'enable' command.

Mar 19 2013 09:37:12: %FWSM-7-111009: User 'abc' executed cmd: show running-config username

Mar 19 2013 09:37:22: %FWSM-7-111009: User 'abc' executed cmd: show running-config logging

Mar 19 2013 09:37:27: %FWSM-7-111009: User 'abc' executed cmd: show logging

Mar 19 2013 09:38:05: %FWSM-7-111009: User 'abc' executed cmd: show logging

Syslog configuration is Admin Context is shown below

logging enable

logging timestamp

logging buffer-size 104857

logging console informational

logging buffered debugging

logging trap notifications

logging facility 16

logging host management X.X.X.X

Syslog configuration is Customer Context is shown below

logging enable

logging timestamp

logging buffer-size 104857

logging console informational

logging monitor notifications

logging buffered debugging

logging trap notifications

logging asdm informational

logging facility 16

logging host management X.X.X.X

Note :- I am not able to get the any user log messages from customer context to paste it here.

Kind Regards,

Re: Firewall context not generating user information while loggi

jocamare — Wed, 20 Mar 2013 02:46:32 GMT

Just tested this on my lab. 9.1(1)

It works for me.

Seems to me the reason why you are not seeing the information you need is because the telnet connections are not authenticating against any database. They just get in using the default telnet password.

What does the output of the "show run aaa" command from the client context show?

Re: Firewall context not generating user information while loggi

s.aliyarukunju — Wed, 20 Mar 2013 06:31:40 GMT

Thats good news...Below are the aaa commands from cleint context

From Cleint conext ( without AAA server)

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

Now i added the below aaa commands and i am able to get the user login info while telneting.

aaa authentication telnet console LOCAL

Could you please advice whether i missed any config commands

Kind Regards,

Re: Firewall context not generating user information while loggi

jocamare — Wed, 20 Mar 2013 07:18:27 GMT

Not sure i understand the request, but yeah, you missed the "aaa authentication..." command.

Sent from Cisco Technical Support iPhone App

Re: Firewall context not generating user information while loggi

s.aliyarukunju — Thu, 21 Mar 2013 09:20:18 GMT

Thanks for your advice jocamare.

Now the issue of getting local syslog message with login user information is solved. But on syslog server i am not getting the severity informational messages.

Below are the syslog message in Local Buffer of firewall

Mar 20 2013 15:14:44: %FWSM-6-605005: Login permitted from 10.10.10.2/59698 to management:20.20.20.2/telnet for user "abc"

Mar 20 2013 15:18:43: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15

Mar 20 2013 15:18:43: %FWSM-5-111008: User 'abc' executed the 'enable' command.

Below are the syslog message in syslog server logs.

Mar 20 15:18:00 20.20.20.2 Mar 20 2013 15:18:43: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15

Mar 20 15:18:00 20.20.20.2 Mar 20 2013 15:18:43: %FWSM-5-111008: User 'abc' executed the 'enable' command.

Could you please advice , how can i get the message ID FWSM-6-605005 on syslog server ?

Kind Regards,

Re: Firewall context not generating user information while loggi

jocamare — Fri, 22 Mar 2013 19:02:15 GMT

Try:

logging trap informational

Re: Firewall context not generating user information while loggi

s.aliyarukunju — Tue, 26 Mar 2013 09:38:00 GMT

Many thanks Jocamare...Its works fine now.

Kind Regards,