How to log successful logins to a syslog server in NX-OS

benweber
Level 1

Does anyone know how to do this in NX-OS?  I do it in IOS with the following commands:

 

login on-failure log
login on-success log
logging x.x.x.x
 

With that I get a syslog message that I can then log to a file to track who has logged into which device and when.  But I can't find the syntax to do the same thing in the Nexus switches that we have.  Does anyone know what the equivalent commands are?

 

Thanks,

 

Ben

Accepted Solution
AFROJ AHMAD
Cisco Employee

Hi Ben,


By default, failed logins are logged.

 

You can check the log using:


show logging logfile | last 15
 

and for every failed login (by default) you will get something like this:


2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login


To get the successful login to show up in the logs we need to increase the level of authpriv to 5 (it is 3 by default), and doing this will add a new log for failed or successful connections.
 

Use the following command:


Nexus5010-A(config)# logging level authpriv 5


You can check logging levels by using:


#show logging level


After you do this with the logging level you will see in the log something like this when a successful login takes place:


2005 Jan  6 03:29:48 Nexus5010-A %AUTHPRIV-5-SYSTEM_MSG:    admin :TTY=unknown ; PWD=/var/sysmgr/vsh ; USER=root ; COMMAND=/usr/bin/strings/proc/18340/environ - sudo


Now for a failed login and after increasing the authpriv level you will see the following logs:


2005 Jan  6 03:31:36 Nexus5010-A %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth):check pass; user unknown - aaad

2005 Jan  6 03:31:36 Nexus5010-A %AUTHPRIV-5-SYSTEM_MSG: pam_unix(aaa:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  - aaad

 

For logging:

Nexus7018(config)# logging ?
  console           Set console logging
  event             Interface events
  ip                IP configuration
  level             Facility parameter for syslog messages
  logfile           Set File logging
  message           Interface events
  module            Set module(linecard) logging
  monitor           Set terminal line(monitor) logging level
  origin-id         Enable origin information for Remote Syslog Server
  server            Enable forwarding to Remote Syslog Server
  source-interface  Enable Source-Interface for Remote Syslog Server
  timestamp         Set logging timestamp granularity

 

You can use logging source-interface ....

 

Thanks,

Afroz

***Ratings Encourage Contributors***
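As an added example (not code from the original post or from Cisco), the following Python script does what the syslog server on the receiving end of this setup would do: it parses the NX-OS AUTH/AUTHPRIV lines quoted in the answer above into login events, keeps the user and source address, and tallies failed logins per source so a brute-force attempt stands out. The sample lines are constructed from the message formats shown in the thread; the optional "<PRI>" prefix on one line and the treatment of the sudo record as the "successful login" marker (exactly as the answer describes it) are assumptions, and the success text may differ on other NX-OS releases, so unmatched AUTH lines are kept as "unclassified" rather than dropped.

```python
"""Classify NX-OS AUTH/AUTHPRIV syslog lines into login events.

Added example for this thread; not code from the original post or from Cisco.
Sample lines are constructed from the message formats quoted in the thread.
Assumptions: the "<PRI>" prefix models how a remote syslog collector may store
the same message, and the sudo record is taken as the "successful login"
indicator as the accepted answer describes it.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (formats copied from the thread, not live data).
SAMPLE_LOG = """\
2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login
<187>2012 Dec 18 14:51:20 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login
2005 Jan  6 03:29:48 Nexus5010-A %AUTHPRIV-5-SYSTEM_MSG:    admin :TTY=unknown ; PWD=/var/sysmgr/vsh ; USER=root ; COMMAND=/usr/bin/strings/proc/18340/environ - sudo
2005 Jan  6 03:31:36 Nexus5010-A %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth):check pass; user unknown - aaad
2005 Jan  6 03:31:36 Nexus5010-A %AUTHPRIV-5-SYSTEM_MSG: pam_unix(aaa:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  - aaad
"""

# NX-OS logfile line: "<year> <mon> <day> <hh:mm:ss> <host> %<FACILITY>-<SEV>-<MNEMONIC>: <text>"
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>:?\s*)?"                                   # optional syslog PRI (assumed)
    r"(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<text>.*)$"
)
FAILED_RE = re.compile(r"Authentication failed for user (?P<user>\S+) from (?P<src>\S+)")
PAM_FAIL_RE = re.compile(r"authentication failure;.*?\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S*)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) :TTY=.*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+?) - sudo$")


@dataclass
class LoginEvent:
    ts: str
    host: str
    severity: int
    kind: str            # "failed_login", "privileged_command" or "unclassified"
    user: Optional[str]
    src: Optional[str]
    detail: str


def parse_line(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for an AUTH/AUTHPRIV line, None for any other facility."""
    m = LINE_RE.match(line.strip())
    if not m or m["facility"] not in ("AUTH", "AUTHPRIV"):
        return None
    text, base = m["text"], dict(ts=m["ts"], host=m["host"], severity=int(m["severity"]))
    f = FAILED_RE.search(text)
    if f:
        return LoginEvent(**base, kind="failed_login", user=f["user"], src=f["src"], detail=text)
    p = PAM_FAIL_RE.search(text)
    if p:
        # pam_unix leaves ruser/rhost empty for AAA-mediated logins; keep None rather than "".
        return LoginEvent(**base, kind="failed_login", user=p["ruser"] or None,
                          src=p["rhost"] or None, detail=text)
    s = SUDO_RE.match(text)
    if s:
        # The accepted answer treats this sudo record as the "successful login" marker.
        return LoginEvent(**base, kind="privileged_command", user=s["user"], src=None,
                          detail=f"{s['target']}: {s['cmd']}")
    # e.g. the pam_unix "check pass; user unknown" companion line: kept, but not counted twice.
    return LoginEvent(**base, kind="unclassified", user=None, src=None, detail=text)


def parse_log(text: str) -> List[LoginEvent]:
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def failed_logins_by_source(events: List[LoginEvent]) -> Counter:
    return Counter((e.src or "unknown") for e in events if e.kind == "failed_login")


def noisy_sources(events: List[LoginEvent], threshold: int = 2) -> List[str]:
    """Source addresses with at least `threshold` failed logins (a minimal brute-force alarm)."""
    return sorted(src for src, n in failed_logins_by_source(events).items()
                  if src != "unknown" and n >= threshold)


def kind_counts(events: List[LoginEvent]) -> dict:
    return dict(Counter(e.kind for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts} {e.host} sev={e.severity} {e.kind:18} user={e.user} src={e.src}")
    print(kind_counts(evs), noisy_sources(evs))
```

Feed it the file your syslog server writes for the Nexus hosts (or the output of "show logging logfile") and raise the threshold to whatever fits the environment; the per-source tally is the piece that turns "who logged in when" into an actual alert.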


3 Replies


Thanks Afroz,

 

That worked great.  The only change was that I found I had to use "logging level auth 5", not "logging level authpriv 5".

 

But it's working with that command so I'm happy.  Thanks for the help.

 

Ben

manuwidmer
Cisco Employee

On N9k NX-OS 9.3.x the following was needed; it seems the severity was lowered from 5 to 6 over the years:

login on-success log
logging level authpriv 6

logging level auth 6 
logging logfile messages 6 (e.g. to see in local logging)

 
