07-22-2008 12:30 PM
Good afternoon. I was just wondering if anyone had any suggestions regarding the logging of "enable" logins and failed "enable" logins using syslog. For some reason I can't get the switch (IOS 12.x) to send the syslog server a message when someone attempts to enter "enable" mode via typing the "enable" password nor failed "enable" login attempts. I am logging at the informational level but maybe the IOS doesn't provide this information? Any assistance or tips would be greatly appreciated. Thanks!
07-22-2008 01:41 PM
Are you already using AAA (CiscoSecure ACS) for centralized username/password authentication or are you doing local authentication? [Might not want to answer that in a public forum *grin*]
If you're using centralized AAA, then this function could be addressed by reviewing AAA authentication logs [you'll need to have enable access tracked also, besides your standard logins]
If you're not doing centralized AAA, then you can 'kind of' mock it up by doing access-list/access-group against your console and VTY ports and in the ACL, do a log statement. In this way you'd get an understanding of how often permitted telnets are happening to the box. You could even track/log denied ones, if you'd like.
From an SNMP trap perspective, this might help in a general sense...
snmp-server enable traps tty
07-23-2008 12:14 PM
Jason
There is a better way to do what you are suggesting on the router. Instead of trying to use an access list with log in the access-class for the vty, there is now (since 12.3(4)T) the ability to configure in IOS the commands login on-success and login on-failure, and these will send messages to syslog for login success or failure. This link is to a good article about this feature:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html
But Barry is asking a slightly different question. He is asking for log messages when the attempt at enable succeeds or fails. And I am not aware of a good way to notify for enable success or failure. Even the suggestion to use the logging of ACS seems to not satisfy this. I tested it and it will log a failed enable attempt. But the error message that it uses for failed attempts at enable is the same message that it uses for failed attempts at user mode. So I do not see a good way to notify about failed attempts at enable mode.
HTH
Rick
07-23-2008 01:37 PM
With the following commands in the configuration:
archive
log config
logging enable
notify syslog
hidekeys
I see the following syslog entries for a failed attempt:
2614: router-a: Jul 23 17:31:20.773 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:
... and a successful attempt:
2618: router-a: Jul 23 17:31:30.051 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:
Would that meet your needs?
07-23-2008 01:51 PM
I prevented an AAA Client from reaching the AAA Server to see what messages would be recorded in syslog, and found the following:
2482: router-a: Jul 23 16:51:39.038 EDT: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilage level 15 failed by
2491: router-a: Jul 23 16:52:56.461 EDT: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by
This also seems to provide what you need.
The AAA Client is configured to perform enable authentication (fallback to enable password), exec and command authorization (fallback to local).
07-24-2008 05:43 AM
Thank you so much for the input. I was out of the office yesterday but I am going to apply some of the suggestions today and see how it turns out. I'll let you know. Thanks again. Barry
07-24-2008 11:26 AM
Gentlemen, I've attempted to make the changes you mentioned but to no avail. I ran the "login on-success log" & "login on-failure log" commands to see if that would produce any "enable" login attempts or failures in Kiwi syslog, but nothing. Also, when I run the "show logging" command there are no "enable" related messages there.
I am using CiscoSecure ACS for AAA. Are there some settings I'm missing within RADIUS that aren't logging or sending to the syslog? Because even after I type bad enable passwords, no entries show up in the Reports and Activities section of CiscoSecure ACS. I'm not worried about the SSH logins (domain), just when users attempt to enter "enable" mode or fail to do so.
I have also set up the archiving options that Michael suggested but no enable entries in syslog...
07-24-2008 01:13 PM
The "login on-failure log" and "login on-success log" were not going to produce syslog entries for "enable" login.
The archive command and options provided should result in a syslog entry for every config command entered on the CLI.
If you do not see any syslog entries similar to:
171786: c1710: Mar 22 15:54:16.327 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:
i.e.: "%PARSER-5-CFGLOG_LOGGEDCMD" ...
... resulting from command entry, then you might want to find out why.
Q1. Have you verified that the commands were accepted into your running-config?
Q2. What level of logging is being used for syslog?
Q3. Are you filtering syslog messages at the syslog server?
If you are not seeing entries in the "Passed Authentication" or "Failed Attempts" reports for the enable user "$enab15$", I would question whether you are using RADIUS for enable authentication.
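Once the %SYS-5-PRIV_AUTH_FAIL / %SYS-5-PRIV_AUTH_PASS messages (from AAA enable authentication) and the %PARSER-5-CFGLOG_LOGGEDCMD messages (from archive / log config / notify syslog) reach the syslog server, a small parser can pull out just the enable-related events and flag repeated failures. The script below is an added example, not something posted in this thread or shipped with IOS or Kiwi; the sample lines are constructed in the message formats shown above (the thread's own copies are cut off after "User:" and "by", so the user names, line numbers and addresses here are made up).

```python
import re
from collections import Counter

# Constructed sample syslog lines in the two message formats shown in this thread.
# User names, vty lines and addresses are invented for illustration only.
SAMPLE_LOG = """\
2482: router-a: Jul 23 16:51:39.038 EDT: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilege level 15 failed by barry on vty0 (10.1.1.50)
2483: router-a: Jul 23 16:51:44.102 EDT: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilege level 15 failed by barry on vty0 (10.1.1.50)
2491: router-a: Jul 23 16:52:56.461 EDT: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by barry on vty0 (10.1.1.50)
2500: router-a: Jul 23 16:58:10.220 EDT: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilege level 15 failed by guest on vty1 (10.1.1.77)
2614: router-a: Jul 23 17:31:20.773 EDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:barry  logged command:enable
2700: router-a: Jul 23 17:40:01.000 EDT: %SYS-5-CONFIG_I: Configured from console by barry on vty0 (10.1.1.50)
"""

# %SYS-5-PRIV_AUTH_FAIL / _PASS are produced by AAA enable authentication; the
# "Privil[ae]ge" alternation also accepts the spelling quoted earlier in the thread.
PRIV_RE = re.compile(
    r"%SYS-5-PRIV_AUTH_(?P<result>FAIL|PASS): .*?Privil[ae]ge level (?:set to )?(?P<level>\d+)"
    r"(?: failed)? by (?P<user>\S+)"
)
# %PARSER-5-CFGLOG_LOGGEDCMD is produced by "archive / log config / notify syslog".
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")

def parse_enable_events(text):
    """Return (kind, user, detail) tuples for enable-related messages; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = PRIV_RE.search(line)
        if m:
            events.append(("enable_" + m.group("result").lower(), m.group("user"), int(m.group("level"))))
            continue
        m = CMD_RE.search(line)
        if m:
            events.append(("logged_cmd", m.group("user"), m.group("cmd").strip()))
    return events

def failed_enable_counts(events):
    """Count %SYS-5-PRIV_AUTH_FAIL messages per user."""
    return Counter(user for kind, user, _ in events if kind == "enable_fail")

def users_over_threshold(events, threshold=2):
    """Users whose failed-enable count reaches the threshold: a simple alerting rule."""
    return sorted(u for u, n in failed_enable_counts(events).items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_enable_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("failed enable per user:", dict(failed_enable_counts(evs)))
    print("alert on:", users_over_threshold(evs))
```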