
Difference between %SSH-5-SSH2_USERAUTH and %SEC_LOGIN-5-LOGIN_SUCCESS and %SSH-5-SSH2_SESSION

CarlosColon2948
Level 1

As stated above, I would like to know the differences between the above event messages and whether there is a chance that each of those events can be generated from a single user login. I understand what SSH, user authentication, and a session are... but when are these events actually generated?


Arne Bier
VIP

Good question: I tested in the lab on a switch that was not TACACS+ enabled, and another one that was TACACS+ enabled. Each time the same message.

 

Local auth (i.e. no RADIUS or TACACS+ was used)

011961: Feb  1 20:40:13.146: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-dnac] [Source: 172.31.25.26] [localport: 22] at 20:40:13 UTC Mon Feb 1 2021

And then TACACS+

032021: Feb  1 2021 20:37:59.481 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin-biera] [Source: 172.31.25.26] [localport: 22] at 06:37:59 AEST Tue Feb 2 2021

Do you get those two different messages from the same switch?  Perhaps it's from the console login (I can't test that - not on-site)

 

 

hslai
Cisco Employee

From Cisco IOS XE Gibraltar 16 Error and System Messages, download  

System Message Guide for Cisco Catalyst Series Switches, Cisco IOS XE Gibraltar 16.12.x (XLSX - 1 MB) 

SSH-5-SSH_SESSION | 5-Notice | SSH Session request from [chars] tty = [dec] using crypto cipher '[chars]' [chars] | The SSH session request information | ssh | "No action necessary - informational message"
SSH-5-SSH_USERAUTH | 5-Notice | User '[chars]' authentication for SSH Session from [chars] tty = [dec] | The SSH user authentication status information | ssh | "No action necessary - informational message"
SEC_LOGIN-5-LOGIN_SUCCESS | 5-Notice | Login Success [user: [chars]] [Source: [chars]] [localport: [dec]] at [chars] | A successful login happened with the device. | os | "A notification that login succeeded."

 

After following Julio E. Moisa's suggestion of "ip ssh logging event", I got the following on a C9300 running IOS-XE 17.03.02a:

Feb  4 06:09:58.515: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:58.547: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.1.100.110] [localport: 22] at 06:09:58 UTC Thu Feb 4 2021
Feb  4 06:09:58.547: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:59.069: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
Feb  4 06:10:00.664: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 3) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
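
Added example, not part of any reply in this thread: a small Python correlator that groups the messages above into one record per SSH connection, so a log pipeline can treat SSH2_SESSION, LOGIN_SUCCESS and SSH2_USERAUTH as a single login rather than three events. The function name and the rule that attaches LOGIN_SUCCESS (which carries no tty) to the newest open session from the same source are assumptions of this sketch.

```python
import re

# Log lines copied from the C9300 output quoted in the reply above.
SAMPLE = """\
Feb  4 06:09:58.515: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:58.547: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.1.100.110] [localport: 22] at 06:09:58 UTC Thu Feb 4 2021
Feb  4 06:09:58.547: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.1.100.110 (tty = 3) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
Feb  4 06:09:59.069: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
Feb  4 06:10:00.664: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.100.110 (tty = 3) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
""".splitlines()

MNEMONIC = re.compile(r"%(?:SSH-5-(SSH2_(?:SESSION|USERAUTH|CLOSE))|SEC_LOGIN-5-(LOGIN_SUCCESS)):")
SRC_TTY = re.compile(r"from (\S+) \(tty = (\d+)\)")
SSH_USER = re.compile(r"[Uu]ser '([^']*)'")
LOGIN = re.compile(r"\[user: ([^\]]*)\] \[Source: ([^\]]*)\]")


def correlate(lines):
    """Return (finished_sessions, unmatched_lines), sessions keyed by (source, tty)."""
    open_sessions, finished, unmatched = {}, [], []
    for line in lines:
        m = MNEMONIC.search(line)
        if not m:
            continue
        name = m.group(1) or m.group(2)
        if name == "LOGIN_SUCCESS":
            user, src = LOGIN.search(line).groups()
            # Assumption: no tty in this message, so attach it to the newest
            # still-open session from the same source address.
            key = next((k for k in reversed(list(open_sessions)) if k[0] == src), None)
        else:
            src, tty = SRC_TTY.search(line).groups()
            key = (src, int(tty))
            user = (SSH_USER.search(line) or [None, ""])[1]
        if name == "SSH2_SESSION":
            open_sessions[key] = {"source": src, "tty": key[1], "user": "", "events": []}
        rec = open_sessions.get(key)
        if rec is None:
            unmatched.append(line)  # e.g. a CLOSE for a tty with no logged SESSION
            continue
        rec["events"].append(name)
        rec["user"] = user or rec["user"]  # CLOSE logs user '', keep the known name
        if name == "SSH2_CLOSE":
            finished.append(open_sessions.pop(key))
    return finished, unmatched
```

Run over the five lines above, this yields one session for tty 3 carrying all four events for user cisco, and returns the tty 1 close as unmatched for separate review.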