SNMP Trap: login on-success log/trap not working

j.shrewsbury
Level 1

Greetings,

I have both on-success and on-failure logging set up per the below. The problem is that on-failure logins work just fine: they send a message to the router logs, then send an SNMP trap to my trap receiver at 192.168.197.2. However, on-success logins send a message to the router logs, but never send an SNMP trap. Based on the debug snmp packet (below) it does not even attempt to send out the trap. Any suggestions?

login block-for 15 attempts 15 within 60
login on-failure log
login on-success log

!

archive
log config
  logging enable
  notify syslog
  hidekeys

!

snmp-server enable traps syslog
snmp-server host 192.168.197.2 public  syslog

===============================================================

Router log with snmp packet/header debugging.

===============================================================

*Oct 16 09:32:27.260: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: neteng] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 09:32:27 UTC Fri Oct 16 2009
*Oct 16 09:32:27.284: SNMP: Queuing packet to 192.168.197.2
*Oct 16 09:32:27.284:
Outgoing SNMP packet
*Oct 16 09:32:27.288: v1 packet
*Oct 16 09:32:27.288: community string: public
*Oct 16 09:32:27.288: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 192.168.192.40, gentrap 6, spectrap 1
clogHistoryEntry.2.9 = SEC_LOGIN
clogHistoryEntry.3.9 = 5
clogHistoryEntry.4.9 = LOGIN_FAILED
clogHistoryEntry.5.9 = Login failed [user: neteng] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 09:32:27 UTC Fri Oct 16 2009
clogHistoryEntry.6.9 = 694743
*Oct 16 09:32:27.537: SNMP: Packet sent via UDP to 192.168.197.2
*Oct 16 09:32:37.657: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng] [Source: 0.0.0.0] [localport: 0] at 09:32:37 UTC Fri Oct 16 2009
*Oct 16 10:19:43.149: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng] [Source: 0.0.0.0] [localport: 0] at 10:19:43 UTC Fri Oct 16 2009
Router#

1 Accepted Solution


Joe Clarke
Cisco Employee

By default, the maximum severity sent as a syslog trap is warning.  That is why you see syslog traps for login failures.  Since a login success is sev 5 (notifications), those syslog messages will not be converted to traps.  To fix this, configure:

logging history 5


13 Replies

jaypartest1
Level 1

Trap setting is a little bit tricky, fair to attempt.


Anything else to add to that? I have had a case open with TAC for several days and still no answer as to why this does not work.

Thanks Joseph,

Adding "logging history 5" resolved the issue.

Roman Mavrichev
Level 1

On a Cisco 3945, I have enabled "logging history 5", but do not receive traps for LOGIN_SUCCESS.

 

MSK-c3945-PE1#sh run | i logg
logging buffered 512000
logging history notifications

MSK-c3945-PE1#deb snmp packets
SNMP packet debugging is on

MSK-c3945-PE1#
Feb  9 2015 18:34:17.216 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.10.169] [localport: 22] at 18:34:17 MSK Mon Feb 9 2015

MSK-c3945-PE1#
Feb  9 2015 18:34:38.236 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 18:34:38 MSK Mon Feb 9 2015

MSK-c3945-PE1#
Feb  9 2015 18:34:38.236 MSK: SNMP: Queuing packet to 10.78.3.4
Feb  9 2015 18:34:38.236 MSK: SNMP: V2 Trap, reqid 364524, errstat 0, erridx 0
 sysUpTime.0 = 387326648
 snmpTrapOID.0 = ciscoSyslogMIB.2.0.1
 clogHistoryEntry.2.453 = SEC_LOGIN
 clogHistoryEntry.3.453 = 5
 clogHistoryEntry.4.453 = LOGIN_FAILED
 clogHistoryEntry.5.453 = Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 18:34:38 MSK Mon Feb 9 2015
 clogHistoryEntry.6.453 = 387326648

MSK-c3945-PE1#no deb all
All possible debugging has been turned off

It has been a long time, but I also add the following to my config.

 

login block-for 15 attempts 15 within 60
login on-failure log
login on-success log

I also have it enabled:

MSK-c3945-PE1#sh run | i login on
login on-failure log
login on-success log

but I receive only traps for the 'login_failed' event. No other messages from CISCO-SYSLOG-MIB...

On my Catalyst switches (like 3750, 2960, etc.) it works normally with the same configuration.

 

Post the output of "show logg"

I have rechecked my configuration, and tried to generate events with LOGIN_SUCCESS, LOGIN_FAILED:

MSK-c3945-PE1#sh run | i snmp.*syslog
snmp-server enable traps syslog

MSK-c3945-PE1#sh run | i logg
logging buffered 512000
logging history notifications

 

MSK-c3945-PE1#term mon
Feb 11 2015 13:00:49.697 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:00:49 MSK Wed Feb 11 2015
MSK-c3945-PE1#

Feb 11 2015 13:02:23.017 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 23] at 13:02:23 MSK Wed Feb 11 2015

MSK-c3945-PE1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
MSK-c3945-PE1(config)#end

Feb 11 2015 13:02:37.105 MSK: %SYS-5-CONFIG_I: Configured from console by rmavrichev on vty0 (10.0.10.169)
MSK-c3945-PE1#sh logg
Syslog logging: enabled (0 messages dropped, 18 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 10763 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 2294 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty644(3)
    Buffer logging:  level debugging, 1656 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 9766 message lines logged
        Logging Source-Interface:       VRF Name:
          
Log Buffer (512000 bytes):

Feb 11 2015 13:00:49.697 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:00:49 MSK Wed Feb 11 2015
Feb 11 2015 13:02:23.017 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 23] at 13:02:23 MSK Wed Feb 11 2015
Feb 11 2015 13:02:37.105 MSK: %SYS-5-CONFIG_I: Configured from console by rmavrichev on vty0 (10.0.10.169)
MSK-c3945-PE1#
MSK-c3945-PE1#
Feb 11 2015 13:02:58.841 MSK: %SYS-6-LOGOUT: User rmavrichev has exited tty session 646(10.0.10.169)
MSK-c3945-PE1#
Feb 11 2015 13:03:20.693 MSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:03:20 MSK Wed Feb 11 2015
MSK-c3945-PE1#

On my NMS I see only one trap received:

13:03:20 2015/02/11 ZBXTRAP 10.77.2.1
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (402618944) 46 days, 14:23:09.44
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: CISCO-SYSLOG-MIB::clogMessageGenerated
  CISCO-SYSLOG-MIB::clogHistFacility.461 type=4  value=STRING: "SEC_LOGIN"
  CISCO-SYSLOG-MIB::clogHistSeverity.461 type=2  value=INTEGER: 5
  CISCO-SYSLOG-MIB::clogHistMsgName.461 type=4  value=STRING: "LOGIN_FAILED"
  CISCO-SYSLOG-MIB::clogHistMsgText.461 type=4  value=STRING: "Login failed [user: rrr] [Source: 10.0.10.169] [localport: 23] [Reason: Login Authentication Failed] at 13:03:20 MSK Wed Feb 11 2015"
  CISCO-SYSLOG-MIB::clogHistTimestamp.461 type=67 value=Timeticks: (402618944) 46 days, 14:23:09.44

 

This sounds like CSCtg26052.  It is fixed, but I'm not sure what code you're currently running.

One of the last:

System restarted at 22:40:27 MSK Fri Dec 26 2014
System image file is "flash0:c3900-universalk9-mz.SPA.154-3.M.bin"

In newer code, make sure you have:

 

logging snmp-trap 0 7

 

Configured if you want to receive all traps.  If you just want to add notifications, then add:

 

logging snmp-trap noti

 

With "logging snmp-trap notifications"

now it works fine:


10:35:27 2015/02/16 ZBXTRAP 10.77.2.1
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (444931754) 51 days, 11:55:17.54
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: CISCO-SYSLOG-MIB::clogMessageGenerated
  CISCO-SYSLOG-MIB::clogHistFacility.564 type=4  value=STRING: "SEC_LOGIN"
  CISCO-SYSLOG-MIB::clogHistSeverity.564 type=2  value=INTEGER: 6
  CISCO-SYSLOG-MIB::clogHistMsgName.564 type=4  value=STRING: "LOGIN_SUCCESS"
  CISCO-SYSLOG-MIB::clogHistMsgText.564 type=4  value=STRING: "Login Success [user: rmavrichev] [Source: 10.0.10.169] [localport: 22] at 10:35:27 MSK Mon Feb 16 2015"
  CISCO-SYSLOG-MIB::clogHistTimestamp.564 type=67 value=Timeticks: (444931754) 51 days, 11:55:17.54

THX.
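
The severity filter discussed in this thread, as an added example that is not part of any post and is not Cisco's code: it parses the `%FACILITY-SEVERITY-MNEMONIC` tag of IOS log lines, applies the `logging history` threshold (default warnings, per the accepted answer), and computes the 1-based severity that CISCO-SYSLOG-MIB carries in the trap, which is why the traps above report 5 for a severity 4 message. The function names are illustrative assumptions, and the two sample log lines are copied from the first post.

```python
import re

# Syslog severity keywords as IOS names them; list index = severity (0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
DEFAULT_HISTORY_LEVEL = 4  # "warnings": the default stated in the accepted answer
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<name>[A-Z0-9_]+): (?P<text>.*)")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")  # [user: x] [Source: y] ...
# Sample input: two log lines copied from the first post, plus a prompt line.
SAMPLE = [
    "*Oct 16 09:32:27.260: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: neteng] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed - BadPassword] at 09:32:27 UTC Fri Oct 16 2009",
    "*Oct 16 09:32:37.657: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: neteng] [Source: 0.0.0.0] [localport: 0] at 09:32:37 UTC Fri Oct 16 2009",
    "Router#",
]

def parse_level(level):
    """Accept 5, '5', 'notifications' or an unambiguous prefix such as 'noti'."""
    level = str(level).strip().lower()
    if level.isdigit() and int(level) <= 7:
        return int(level)
    matches = [i for i, name in enumerate(SEVERITIES) if name.startswith(level)]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous level: {level!r}")
    return matches[0]

def classify(line, history_level=DEFAULT_HISTORY_LEVEL):
    """Parse one IOS log line; return None if it has no %FAC-SEV-NAME tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    fields = dict(FIELD_RE.findall(m["text"]))
    return {
        "facility": m["facility"], "name": m["name"], "severity": sev,
        "user": fields.get("user"), "source": fields.get("Source"),
        # Only messages at least as severe as the threshold become syslog traps.
        "trap_sent": sev <= parse_level(history_level),
        # CISCO-SYSLOG-MIB numbers severities from 1, so the trap carries sev + 1.
        "clog_hist_severity": sev + 1,
    }

def not_trapped(lines, history_level=DEFAULT_HISTORY_LEVEL):
    """Names of messages that are logged but filtered out before trap conversion."""
    parsed = (classify(line, history_level) for line in lines)
    return [p["name"] for p in parsed if p and not p["trap_sent"]]
```

Running `not_trapped()` over a device's log buffer with the configured level shows which audit events, such as successful logins, never reach the trap receiver.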
