07-28-2021 04:05 PM
Greetings
We've been setting up our switches with a central logging server and on a 2960x we get both a failure and success syslog message for each successful login over ssh:
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 210 messages logged, xml disabled, filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 199 message lines logged
Logging to x.x.x.x (udp port 1515, audit disabled, link up), 25 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled filtering disabled
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
down
Jul 27 21:52:56.594 PDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/52, changed state to down
Jul 27 21:59:54.999 PDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/52, changed state to up
Jul 27 21:59:56.002 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/52, changed state to up
Jul 28 15:15:07.752 PDT: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x port 1515 stopped - CLI initiated
Jul 28 15:15:08.829 PDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
Jul 28 15:15:29.417 PDT: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x port 0 CLI Request Triggered
Jul 28 15:15:30.364 PDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
Jul 28 15:15:30.563 PDT: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x port 1515 started - CLI initiated
Jul 28 15:20:29.749 PDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
Jul 28 15:20:39.770 PDT: %SYS-6-LOGOUT: User admin has exited tty session 1(x.x.x.x)
Jul 28 15:20:46.289 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:20:46 PDT Wed Jul 28 2021
Jul 28 15:20:47.747 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: x.x.x.x] [localport: 22] at 15:20:47 PDT Wed Jul 28 2021
Jul 28 15:21:10.600 PDT: %SYS-6-LOGOUT: User admin has exited tty session 1(x.x.x.x)
Jul 28 15:21:18.136 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:21:18 PDT Wed Jul 28 2021
Jul 28 15:21:20.499 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: x.x.x.x] [localport: 22] at 15:21:20 PDT Wed Jul 28 2021
Jul 28 15:21:55.233 PDT: %SYS-6-LOGOUT: User admin has exited tty session 1(x.x.x.x)
Jul 28 15:29:00.038 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:29:00 PDT Wed Jul 28 2021
Jul 28 15:29:05.519 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: x.x.x.x] [localport: 22] at 15:29:05 PDT Wed Jul 28 2021
Jul 28 15:30:34.317 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:30:34 PDT Wed Jul 28 2021
Jul 28 15:30:36.942 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: x.x.x.x] [localport: 22] at 15:30:36 PDT Wed Jul 28 2021
Jul 28 15:31:48.917 PDT: %SYS-6-LOGOUT: User admin has exited tty session 1(x.x.x.x)
Jul 28 15:31:55.457 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:31:55 PDT Wed Jul 28 2021
Jul 28 15:31:58.896 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: x.x.x.x] [localport: 22] at 15:31:58 PDT Wed Jul 28 2021
Jul 28 15:41:46.036 PDT: %SYS-6-LOGOUT: User admin has exited tty session 1(x.x.x.x)
Each one of the above attempts was successful with no failures on the client end. This is proving troublesome when setting up dashboards and alerts in Graylog. Any ideas?
Thanks folks
07-28-2021 04:26 PM
Each one of the above attempts was successful with no failures on the client end. This is proving troublesome when setting up dashboards and alerts in Graylog. Any ideas?
Not sure we understand the requirement; we do see the logs show a failure?
Jul 28 15:31:55.457 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 15:31:55 PDT Wed Jul 28 2021
If you are sending the logs to a syslog server like Graylog, you need to make a script that computes a cumulative figure for the dashboard or alerts, based on repeated failures in a span of 5 minutes exceeding X in number. (This is a generic example, but I would like to hear your requirement.)
07-29-2021 12:44 PM
Hi BB. Thanks for responding!
I was just wondering why the switch logs a failed attempt for every successful login. When I log in to the switch, it logs a failed attempt then logs the successful attempt 2 seconds later. Why would it log a failure if there were no failed attempts?
Thank you
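For the Graylog side of this, an added example (not code from any poster in this thread) that parses the SEC_LOGIN lines, sets aside a failure that is followed by a success for the same user and source within a short window, and applies the "more than X failures in 5 minutes" threshold to the rest. The 10-second pairing window, the threshold of 3 and the sample addresses are assumptions; the sample lines are constructed in the format shown above. A success absorbs only the single failure just before it, so a run of bad guesses that ends in a login still counts.

```python
import re
from datetime import datetime, timedelta

EVENT = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS): .*?\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]*)\].* at (?P<t>\d\d:\d\d:\d\d) \S+ \S+ (?P<d>\w{3} +\d+ \d{4})\s*$")

def parse(lines):
    """Extract (time, kind, user, source) from SEC_LOGIN lines, using the trailing 'at ...' stamp."""
    events = []
    for line in lines:
        m = EVENT.search(line)
        if m:
            ts = datetime.strptime(f"{m['t']} {m['d']}", "%H:%M:%S %b %d %Y")
            events.append((ts, m["kind"], m["user"], m["src"]))
    return sorted(events)

def classify_failures(events, pair_window=timedelta(seconds=10)):
    """A success absorbs at most the one failure just before it for the same user and source."""
    paired, unpaired, pending = [], [], {}
    for ts, kind, user, src in events:
        prev = pending.pop((user, src), None)
        if kind == "FAILED":
            if prev:
                unpaired.append(prev)  # earlier failure was not followed by a success
            pending[(user, src)] = (ts, user, src)
        elif prev:
            (paired if ts - prev[0] <= pair_window else unpaired).append(prev)
    unpaired.extend(pending.values())
    return paired, sorted(unpaired)

def alerts(unpaired, threshold=3, span=timedelta(minutes=5)):
    """Sources with more than `threshold` unpaired failures inside any `span`-long window."""
    by_src = {}
    for ts, _user, src in unpaired:
        by_src.setdefault(src, []).append(ts)
    return sorted(src for src, times in by_src.items()
                  if any(sum(1 for t in times[i:] if t - start <= span) > threshold
                         for i, start in enumerate(times)))

# Constructed sample in the format shown in the post; addresses are documentation placeholders.
F = "Jul 28 {t}.000 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: {s}] [localport: 22] [Reason: Login Authentication Failed] at {t} PDT Wed Jul 28 2021"
S = "Jul 28 {t}.000 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: {s}] [localport: 22] at {t} PDT Wed Jul 28 2021"
SAMPLE = [F.format(t="15:20:46", s="192.0.2.10"), S.format(t="15:20:47", s="192.0.2.10"),
          F.format(t="15:29:00", s="192.0.2.10"), S.format(t="15:29:05", s="192.0.2.10")]
SAMPLE += [F.format(t=t, s="198.51.100.7") for t in ("15:40:01", "15:40:30", "15:41:15", "15:42:02")]

if __name__ == "__main__":
    paired, unpaired = classify_failures(parse(SAMPLE))
    print(len(paired), "failures immediately followed by success; alert sources:", alerts(unpaired))
```

Keeping the paired failures as their own series, rather than discarding them, lets a dashboard show how often the switch emits the failure-then-success pattern.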
07-29-2021 02:19 PM
This is an unusual situation. Can you provide details of how authentication is configured?
I am wondering if perhaps authentication specifies 2 authentication servers with one as primary and the other as secondary. Is it possible that when you attempt SSH that an authentication request is sent to the primary server but has an error that results in failure message and then is sent to the secondary server which successfully authenticates?
In addition to seeing configuration details it might be helpful to run debug for aaa authentication and also debug for the authentication protocol (radius or tacacs). The debug output might provide insight into what is happening.
07-29-2021 06:31 PM
Now I understand the concern here. For this we need to have your config and the order of AAA operation; can you post the show run output here so we can understand the issue?