Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2084
Views
1
Helpful
2
Replies

DNA Centre spamming syslog on devices with login success

Go to solution
Sklarby
Level 1
Level 1

ā€Ž06-12-2023 05:46 AM - edited ā€Ž06-12-2023 05:58 AM

Hi there,

I was wondering if anyone here can help with this:

We've recently-ish installed a DNA appliance we got from Cisco a number of years ago (DN2-HW-APL) running on version 2.3.3.7

Since discovering, assigning & provisioning a couple of our remote sites we've noticed DNAC logging in for what I assume is telemetry/assurance data quite frequently to our C9300 switches predominantly (less so other models), example below from one of our access switches. (Redacted the username + IP)

Jun 12 13:00:57: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:00:57: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:00:57 CDT Mon Jun 12 2023
Jun 12 13:00:58: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:00:58 CDT Mon Jun 12 2023
Jun 12 13:01:03: %DMI-5-AUTH_PASSED: Switch 1 R0/0: dmiauthd: User '<username>' authenticated successfully from xx.xx.xx.181:48082 and was authorized for netconf over ssh. External groups: PRIV15
Jun 12 13:01:03: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:01:03 CDT Mon Jun 12 2023
Jun 12 13:01:05: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username> [Source: xx.xx.xx.181] [localport: 22] at 13:01:05 CDT Mon Jun 12 2023
Jun 12 13:03:18: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:03:52: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:03:52 CDT Mon Jun 12 2023
Jun 12 13:03:53: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:03:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:03:54 CDT Mon Jun 12 2023
Jun 12 13:03:54: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:03:54 CDT Mon Jun 12 2023
Jun 12 13:03:59: %DMI-5-AUTH_PASSED: Switch 1 R0/0: dmiauthd: User '<username>' authenticated successfully from xx.xx.xx.181:9582 and was authorized for netconf over ssh. External groups: PRIV15
Jun 12 13:03:59: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:03:59 CDT Mon Jun 12 2023
Jun 12 13:04:02: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:04:02 CDT Mon Jun 12 2023
Jun 12 13:06:13: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:09:13: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:09:13 CDT Mon Jun 12 2023
Jun 12 13:09:13: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:09:14: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:09:14 CDT Mon Jun 12 2023
Jun 12 13:09:14: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:09:14 CDT Mon Jun 12 2023
Jun 12 13:09:19: %DMI-5-AUTH_PASSED: Switch 1 R0/0: dmiauthd: User '<username>' authenticated successfully from xx.xx.xx.181:14106 and was authorized for netconf over ssh. External groups: PRIV15
Jun 12 13:09:20: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:09:20 CDT Mon Jun 12 2023
Jun 12 13:09:22: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:09:22 CDT Mon Jun 12 2023
Jun 12 13:11:03: %SYS-6-LOGOUT: User <username> has exited tty session 1(xx.xx.xx.181)
Jun 12 13:11:03: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:11:03 CDT Mon Jun 12 2023
Jun 12 13:11:04: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:11:04 CDT Mon Jun 12 2023
Jun 12 13:11:09: %DMI-5-AUTH_PASSED: Switch 1 R0/0: dmiauthd: User '<username>' authenticated successfully from xx.xx.xx.181:19022 and was authorized for netconf over ssh. External groups: PRIV15
Jun 12 13:11:09: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:11:09 CDT Mon Jun 12 2023
Jun 12 13:11:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: <username>] [Source: xx.xx.xx.181] [localport: 22] at 13:11:11 CDT Mon Jun 12 2023

We've changed the resync interval (on the global level) to 1440 minutes, and also taken a look at this > https://bst.cisco.com/bugsearch/bug/CSCvs73872 which did temporarily resolve the excessive login attempts but it seems to have returned.

Apart from creating a logging filter rule, is there any way to prevent/slow down the collection of data from DNAC to stop the large amount of noise it's generating in our syslog? Curious if anyone else has this symptom as well with their deployments.

Thanks!

6 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

ā€Ž06-12-2023 05:53 PM - edited ā€Ž06-17-2023 10:45 PM

We have a logging discriminator to filter out DNAC login entries.  

For instance, our DNAC login is "dnac".  The logging discriminator is called FO_DNAC (Filter Out DNAC) and looks like this: 

logging discriminator FO_DNAC msg-body drops dnac
 logging buffered discriminator FO_DNAC 40960
 logging  console discriminator FO_DNAC
 logging  monitor discriminator FO_DNAC

View solution in original post

2 Replies 2

Go to solution
Preston Chilcote
Cisco Employee
Cisco Employee

ā€Ž06-12-2023 08:36 AM

Certain events on the network device will trigger DNA to do an immediate re-sync.  Interface flap might be the most common example.  Check the list of Issues that DNA has reported in Assurance for that device and see if one is recurring frequently.  Fix that and logins should reduce.

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

ā€Ž06-12-2023 05:53 PM - edited ā€Ž06-17-2023 10:45 PM

We have a logging discriminator to filter out DNAC login entries.  

For instance, our DNAC login is "dnac".  The logging discriminator is called FO_DNAC (Filter Out DNAC) and looks like this: 

logging discriminator FO_DNAC msg-body drops dnac
 logging buffered discriminator FO_DNAC 40960
 logging  console discriminator FO_DNAC
 logging  monitor discriminator FO_DNAC
Customers Also Viewed These Support Documents