Beginner

SNMP Trap: login on-success log/trap not working

Greetings,

I have both on-success and on-failure logging setup per the below. The problem is that on-failure logins work just fine, they send a message to the router logs, then send an snmp trap to my trap receiver at 192.168.197.2. However, on-success logins send a message to the router logs, but never send an snmp trap? Based on the debug snmp packet (below) it does not even attempt to send out the trap. Any suggestions?

login block-for 15 attempts 15 within 60
login on-failure log
login on-success log

!

archive
log config
  logging enable
  notify syslog
  hidekeys

!

snmp-server enable traps syslog
snmp-server host 192.168.197.2 public  syslog

===============================================================

Router log with snmp packet/header debugging.

===============================================================

*Oct 16 09:32:27.260: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: neteng] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 09:32:27 UTC Fri Oct 16 2009
*Oct 16 09:32:27.284: SNMP: Queuing packet to 192.168.197.2
*Oct 16 09:32:27.284:
Outgoing SNMP packet
*Oct 16 09:32:27.288: v1 packet
*Oct 16 09:32:27.288: community string: public
*Oct 16 09:32:27.288: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 192.168.192.40, gentrap 6, spectrap 1
clogHistoryEntry.2.9 = SEC_LOGIN
clogHistoryEntry.3.9 = 5
clogHistoryEntry.4.9 = LOGIN_FAILED
clogHistoryEntry.5.9 = Login failed [user: neteng] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 09:32:27 UTC Fri Oct 16 2009
clogHistoryEntry.6.9 = 694743
*Oct 16 09:32:27.537: SNMP: Packet sent via UDP to 192.168.197.2
*Oct 16 09:32:37.657: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng] [Source: 0.0.0.0] [localport: 0] at 09:32:37 UTC Fri Oct 16 2009
*Oct 16 10:19:43.149: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng] [Source: 0.0.0.0] [localport: 0] at 10:19:43 UTC Fri Oct 16 2009
Router#

1 ACCEPTED SOLUTION

Hall of Fame Cisco Employee

Re: SNMP Trap: login on-success log/trap not working

By default, the maximum severity sent as a syslog trap is warning.  That is why you see syslog traps for login failures.  Since a login success is sev 5 (notifications), those syslog messages will not be converted to traps.  To fix this, configure:

logging history 5
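
An added example, not part of the original thread and not Cisco code: a Python model of the severity gate described in the answer above, which predicts for a given running-config and syslog line whether a syslog trap is generated and which clogHistSeverity value the trap receiver will see. It assumes the "logging history" level is the only gate (the "logging snmp-trap" command and the bug ID raised in later replies are not modelled) and that CISCO-SYSLOG-MIB severities are the syslog number plus one, which matches the trap dumps in this thread; `history_level` and `predict` are hypothetical helper names.

```python
import re

# IOS severity keywords as they appear in a running-config, mapped to syslog numbers.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DEFAULT_HISTORY = LEVELS["warnings"]  # default stated in the accepted answer
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<name>[A-Z0-9_]+):")

def history_level(config):
    """Effective 'logging history' severity; the last matching line wins."""
    level = DEFAULT_HISTORY
    for line in config.splitlines():
        # 'logging history size N' has two arguments and does not match here.
        m = re.fullmatch(r"logging history (\S+)", line.strip())
        if m and m.group(1).isdigit() and int(m.group(1)) <= 7:
            level = int(m.group(1))
        elif m and m.group(1) in LEVELS:
            level = LEVELS[m.group(1)]
    return level

def predict(config, log_line):
    """Predict whether one syslog line is converted to a syslog trap."""
    m = MSG_RE.search(log_line)
    if m is None:
        return None
    lines = [l.strip() for l in config.splitlines()]
    enabled = "snmp-server enable traps syslog" in lines
    sev = int(m["sev"])
    sent = enabled and sev <= history_level(config)
    # CISCO-SYSLOG-MIB numbers severities from 1, so the varbind is syslog + 1
    # (assumption stated in the lead-in; consistent with the dumps in the thread).
    return {"msg": f"{m['fac']}-{m['name']}", "syslog_severity": sev,
            "trap_sent": sent, "clogHistSeverity": sev + 1 if sent else None}

# Configuration and (shortened) log lines taken from the question above.
ORIGINAL = """\
login on-failure log
login on-success log
snmp-server enable traps syslog
snmp-server host 192.168.197.2 public  syslog
"""
FIXED = ORIGINAL + "logging history 5\n"
FAILED = "*Oct 16 09:32:27.260: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: neteng]"
SUCCESS = "*Oct 16 09:32:37.657: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng]"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for line in (FAILED, SUCCESS):
            print(name, predict(cfg, line))
```

A receiver-side rule that alerts on successful logins has to match clogHistSeverity 6, not 5, because of the MIB's offset.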

13 REPLIES
Beginner

Re: SNMP Trap: login on-success log/trap not working

Trap setting is a little bit tricky; fair to attempt.

Sent from Cisco Technical Support iPhone App

Beginner

Re: SNMP Trap: login on-success log/trap not working

Anything else to add to that? I have had a case open with TAC for several days and still no answer as to why this does not work.

Beginner

Re: SNMP Trap: login on-success log/trap not working

Thanks Joseph,

Adding "logging history 5" resolved the issue.

On a Cisco 3945, I have enabled "logging history 5", but do not receive traps for LOGIN_SUCCESS.

MSK-c3945-PE1#sh run | i logg
logging buffered 512000
logging history notifications

MSK-c3945-PE1#deb snmp packets
SNMP packet debugging is on

MSK-c3945-PE1#
Feb  9 2015 18:34:17.216 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.10.169] [localport: 22] at 18:34:17 MSK Mon Feb 9 2015

MSK-c3945-PE1#
Feb  9 2015 18:34:38.236 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 18:34:38 MSK Mon Feb 9 2015

MSK-c3945-PE1#
Feb  9 2015 18:34:38.236 MSK: SNMP: Queuing packet to 10.78.3.4
Feb  9 2015 18:34:38.236 MSK: SNMP: V2 Trap, reqid 364524, errstat 0, erridx 0
 sysUpTime.0 = 387326648
 snmpTrapOID.0 = ciscoSyslogMIB.2.0.1
 clogHistoryEntry.2.453 = SEC_LOGIN
 clogHistoryEntry.3.453 = 5
 clogHistoryEntry.4.453 = LOGIN_FAILED
 clogHistoryEntry.5.453 = Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 18:34:38 MSK Mon Feb 9 2015
 clogHistoryEntry.6.453 = 387326648

MSK-c3945-PE1#no deb all
All possible debugging has been turned off

Beginner

It has been a long time, but I also add the following to my config.

login block-for 15 attempts 15 within 60
login on-failure log
login on-success log

I also have it enabled:

MSK-c3945-PE1#sh run | i login on
login on-failure log
login on-success log

but I receive only traps for the 'login_failed' event. No other messages from CISCO-SYSLOG-MIB...

On my Catalyst switches (like 3750, 2960, etc.) it works normally with the same configuration.

Hall of Fame Cisco Employee

Post the output of "show logg"

I rechecked my configuration and tried to generate events with LOGIN_SUCCESS, LOGIN_FAILED:

MSK-c3945-PE1#sh run | i snmp.*syslog
snmp-server enable traps syslog

MSK-c3945-PE1#sh run | i logg
logging buffered 512000
logging history notifications

 

MSK-c3945-PE1#term mon
Feb 11 2015 13:00:49.697 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:00:49 MSK Wed Feb 11 2015
MSK-c3945-PE1#

Feb 11 2015 13:02:23.017 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 23] at 13:02:23 MSK Wed Feb 11 2015

MSK-c3945-PE1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
MSK-c3945-PE1(config)#end

Feb 11 2015 13:02:37.105 MSK: %SYS-5-CONFIG_I: Configured from console by rmavrichev on vty0 (10.0.10.169)
MSK-c3945-PE1#sh logg
Syslog logging: enabled (0 messages dropped, 18 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 10763 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 2294 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty644(3)
    Buffer logging:  level debugging, 1656 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 9766 message lines logged
        Logging Source-Interface:       VRF Name:
          
Log Buffer (512000 bytes):

Feb 11 2015 13:00:49.697 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:00:49 MSK Wed Feb 11 2015
Feb 11 2015 13:02:23.017 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 23] at 13:02:23 MSK Wed Feb 11 2015
Feb 11 2015 13:02:37.105 MSK: %SYS-5-CONFIG_I: Configured from console by rmavrichev on vty0 (10.0.10.169)
MSK-c3945-PE1#
MSK-c3945-PE1#
Feb 11 2015 13:02:58.841 MSK: %SYS-6-LOGOUT: User rmavrichev has exited tty session 646(10.0.10.169)
MSK-c3945-PE1#
Feb 11 2015 13:03:20.693 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:03:20 MSK Wed Feb 11 2015
MSK-c3945-PE1#

On my NMS I see only one trap received:

13:03:20 2015/02/11 ZBXTRAP 10.77.2.1
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (402618944) 46 days, 14:23:09.44
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: CISCO-SYSLOG-MIB::clogMessageGenerated
  CISCO-SYSLOG-MIB::clogHistFacility.461 type=4  value=STRING: "SEC_LOGIN"
  CISCO-SYSLOG-MIB::clogHistSeverity.461 type=2  value=INTEGER: 5
  CISCO-SYSLOG-MIB::clogHistMsgName.461 type=4  value=STRING: "LOGIN_FAILED"
  CISCO-SYSLOG-MIB::clogHistMsgText.461 type=4  value=STRING: "Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:03:20 MSK Wed Feb 11 2015"
  CISCO-SYSLOG-MIB::clogHistTimestamp.461 type=67 value=Timeticks: (402618944) 46 days, 14:23:09.44

 

Hall of Fame Cisco Employee

This sounds like CSCtg26052.  It is fixed, but I'm not sure what code you're currently running.

One of last:

System restarted at 22:40:27 MSK Fri Dec 26 2014
System image file is "flash0:c3900-universalk9-mz.SPA.154-3.M.bin"

Hall of Fame Cisco Employee

In newer code, make sure you have:

logging snmp-trap 0 7

Configured if you want to receive all traps.  If you just want to add notifications, then add:

logging snmp-trap noti

With "logging snmp-trap notifications"

now it works fine:


10:35:27 2015/02/16 ZBXTRAP 10.77.2.1
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (444931754) 51 days, 11:55:17.54
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: CISCO-SYSLOG-MIB::clogMessageGenerated
  CISCO-SYSLOG-MIB::clogHistFacility.564 type=4  value=STRING: "SEC_LOGIN"
  CISCO-SYSLOG-MIB::clogHistSeverity.564 type=2  value=INTEGER: 6
  CISCO-SYSLOG-MIB::clogHistMsgName.564 type=4  value=STRING: "LOGIN_SUCCESS"
  CISCO-SYSLOG-MIB::clogHistMsgText.564 type=4  value=STRING: "Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 22] at 10:35:27 MSK Mon Feb 16 2015"
  CISCO-SYSLOG-MIB::clogHistTimestamp.564 type=67 value=Timeticks: (444931754) 51 days, 11:55:17.54

THX.
