jaesposito
Beginner

How to log Success and Failed Login Attempt Details to Router into Syslog?

All,

How can I configure my Cisco 837 router to log to syslog all successful and failed login attempts to the router via any interface?  I'd like to get as much verbose information about the login attempts (success and failed) as possible including source ip address, userid attempted, etc.

Any comments and suggestions would be greatly appreciated!

James

Accepted Solutions

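! Log configuration commands entered on the router and send them to syslog
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
! Enable logging and send messages to the syslog server
logging on
logging 192.168.1.1
! After 3 failed logins within 60 seconds, block further logins for 60 seconds
login block-for 60 attempts 3 within 60
! Generate a syslog message for every failed and every successful login
login on-failure log every 1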
login on-success log every 1
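
What the configuration above delivers to the syslog server, as an added example that is not part of the original thread: a Python parser that assumes the IOS `%SEC_LOGIN` message layout and runs on constructed sample lines (`parse`, `noisy_sources`, the addresses and the user names are hypothetical). It extracts the user, source address, port and failure reason from each login message and flags sources that reach the same threshold as `login block-for 60 attempts 3 within 60`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape IOS emits for "login on-failure log" and
# "login on-success log"; addresses and user names are made up for illustration.
SAMPLE = """\
May 16 10:00:01 192.168.1.254 41: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Tue May 16 2023
May 16 10:00:20 192.168.1.254 42: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:20 UTC Tue May 16 2023
May 16 10:00:30 192.168.1.254 43: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: james] [Source: 192.0.2.10] [localport: 22] at 10:00:30 UTC Tue May 16 2023
May 16 10:00:40 192.168.1.254 44: %SYS-5-CONFIG_I: Configured from console by james on vty0 (192.0.2.10)
May 16 10:00:45 192.168.1.254 45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:45 UTC Tue May 16 2023
May 16 10:03:00 192.168.1.254 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: james] [Source: 198.51.100.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:00 UTC Tue May 16 2023
"""

EVENT = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user:\s*(?P<user>[^\]]*)\]\s*\[Source:\s*(?P<src>[^\]]*)\]\s*"
    r"\[localport:\s*(?P<port>\d+)\]\s*(?:\[Reason:\s*(?P<reason>[^\]]*)\]\s*)?"
    r"at (?P<time>\d\d:\d\d:\d\d) \S+ \S+ (?P<date>\w{3} +\d+ \d{4})")

def parse(line):
    """Return a dict of login fields, or None for non-login messages."""
    m = EVENT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Use the router's own "at ..." stamp; time zone and weekday are ignored.
    rec["when"] = datetime.strptime(f"{rec.pop('date')} {rec.pop('time')}",
                                    "%b %d %Y %H:%M:%S")
    return rec

def noisy_sources(lines, attempts=3, within=60):
    """Map each source with >= attempts failures inside `within` seconds to the users it tried."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        if rec["event"] != "LOGIN_FAILED":
            continue
        q = recent[rec["src"]]
        q.append(rec)
        while rec["when"] - q[0]["when"] > timedelta(seconds=within):
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= attempts:
            flagged.setdefault(rec["src"], sorted({r["user"] for r in q}))
    return flagged
```
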


10 Replies
Collin Clark
Advisor

You will need to send logging to a syslog server with a level of informational.

Here's a link on configuring message logging. It's for a switch, but it should be the same for routers.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swlog.html

Hope it helps.

I'm receiving an error when trying to visit that link.  Can you copy/paste the instructions into your response?  Thanks!

James E

Sorry about that James, I didn't realize I was logged into CCO. Please try this link-

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swlog.html

jaesposito
Beginner

Any other specific links to routers?  I'd like to squeeze as much information out of syslog as possible for successful and failed login attempts.

Thanks!

James


Also take a look at SNMP Authentication traps.

RTR(config)#snmp-server trap authentication ...

Is it possible to filter only syslog information related to this list of events:

User Authentication
IKE and IPSec
VPN Client
VPN Failover

If yes, what would be the best process?

@joearmstg @jaesposito, I had this same problem just yesterday.  Please rate the potential solution below if helpful.

 

This is an answer to the question using automation.  See also, my other answer to perform Regex matches manually to filter syslog messages.

! Turn on terminal monitoring to display syslog messages to the terminal
term mon

! Turn on system archive logging.
archive
 log config
  record rc
  logging enable
  notify syslog contenttype plaintext
  hidekeys

! Create an EEM applet to capture config changes and login/logouts to file.
event manager applet <YOUR-EEM-APPLET-NAME>
! Match the criteria you would like in your syslog messages
 event syslog occurs 1 pattern "<YOUR-SYSLOG-MESSAGES>"
! You may want to use ("LOGIN|LOGOUT|PARSER-5-CFGLOG_LOGGEDCMD") but see the NOTE(s) below first.
! Open the Logger file in append mode.
 action 1.0 file open fh <YOUR-FILE-NAME> a
! Write the syslog pattern matches to your file.
 action 1.1 file write fh "$_syslog_msg"
 action 1.2 file close fh

! Exit config mode and view the syslog messages matched to your file name.
more <YOUR-FILE-NAME>

 

! NOTE WARNING: These changes have not been attempted and validated by anyone.  If you choose to test them yourself, do so at your own risk.

! NOTE WARNING: You should check your system for proper storage space and take precautions so that your local storage does not exceed levels as you deem appropriate for your environment.  Also, the matching criteria you used in the "event syslog occurs 1 pattern" section can inadvertently fill up your storage system if you make the criteria too broad, or if the criteria match a condition that occurs frequently.  Do so at your own risk.

 

Maybe someone would still like an answer to this old question.  You can use regular expression (Regex) pattern matching.

 

For instance you can run the following command to include/exclude/count/begin/section any messages with a keyword in them:

 

INCLUDE:

show log | include CRYPTO
show log | i OSPF
show int status | i notconnect

INCLUDE MULTIPLE:

Combine multiple options using a pipe "|" symbol to separate them:

show log | i CRYPTO|OSPF|BGP|LOGIN|LOGOUT

EXCLUDE:

show log | exclude ADJCHG
show ip int br | ex una
show int status | e notconnect

START OF LINE:

To show a route that begins with a pattern, begin with the caret symbol (^), which means "beginning of line":

show ip route | i ^O
show ip route | i ^O|^S
show ip route | i ^O|^B|^S

COUNT:

Or count a matching criterion. This will count the number of static routes in your route table:

show ip route | count ^S

SECTION:

To see all the indented lines following a matched criterion, such as bgp, route-maps, or line commands:

show run | section route-map
show run | sec bgp
show run | sec line

BEGIN:

The begin operator works well if the section of configuration is not indented, or you're just looking to start at a general area within your config or syslog output:

show run | begin interface
show run | b banner
show log | b May 16

 

Regular expression (REGEX) is also useful for matching criteria in route-maps.  There are good articles on the internet explaining Regex special characters.  Here are a few of the basics.

. = any character
* = any number of times
.* = any character any number of times (basically means anything)
| = or
[0-9] = any single digit matching the numbers 0 through 9.
    for instance show log | i Vlan[9][0-9][0-9] matches Vlan900 through 999 in your syslog messages
[a-z,A-Z] = any letter upper or lower case
^ = beginning of line
$ = end of line
^$ = an empty line a.k.a. carriage return (a line that starts and ends without any other characters on that line)
_ = a space
\ = escape (removes special meaning from special characters, or applies special meaning to standard characters)
    for instance \$ means match the dollar sign instead of the end-of-line

 

https://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/dafaapre.html Cisco Doc on Regex

https://www.rexegg.com/regex-quickstart.html Regex Cheat Sheet

https://packetlife.net/blog/2008/may/10/extracting-bgp-info-regex/ Packet Life BGP Regex Cheat Sheet

https://regexlib.com Regex Library and Test pattern matching tools

 

zjnbxsspjm
Beginner

Are there any similar commands on Nexus? I want to log all attempts to establish a management connection for administrative access to Nexus. Thanks
