07-20-2005 09:29 AM
Hi, everyone
What do I need to set up to be able to see in the syslog file the messages like these:
*Mar 20 20:33:49.348 UTC: SSH0: password authentication failed for prelz
*Mar 20 20:33:49.348 UTC: SSH0: AAA authentication fail reason: Password:
that I can see in the sh log output.
I do receive syslog notifications - for instance - ACL entries related to permitted SSH traffic for the specified interface.
BR,
Dragos
07-20-2005 10:37 AM
You need to configure the IP address of the server that is supposed to receive the syslog messages.
Something like: logging 10.10.10.10
07-21-2005 12:27 AM
Like I said - I do receive log messages on my Syslog server - but not related to SSH auth attempts.
This is about tuning the logging content not the destination of the messages.
Thanks,
Dragos
07-21-2005 04:10 AM
What is the logging level that you have set on the device?
What is the logging level of the SSH message?
07-21-2005 09:20 AM
It looks to me like those were debugging messages. To get those messages to your syslog server you would need the command:
logging trap debugging
in addition to your other commands for syslog.
To do this would also mean that you need to leave debugging on all the time.
Depending on what you are trying to achieve you might get what you need from the failed attempts report from ACS (assuming that you are authenticating to an ACS server).
HTH
Rick
07-21-2005 11:35 PM
Hi, everybody
The thing is - I could see these messages in the buffered log, but not on the Syslog messages sent to the logging server, so I assume this was related to different levels of logging detail for these 2 destinations.
It seems logging trap debugging works fine for what I need - it sets the logging level of Syslog messages at the debugging level (7 - most explicit).
The messages I was looking for are probably severity level 7 (debugging).
These notifications are created anyway when the event occurs; turning debugging on/off (using debug * commands) I believe is only about showing these messages on a specific display (console / VTY / etc.).
So turning debugging on was not necessary in my case, as I did not want to see these messages in real time on either the Console or a VTY line.
Thanks for the feedback,
Dragos
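The severity filtering discussed in this thread, as an added example that was not posted by any participant: it decodes the syslog PRI value (facility * 8 + severity) on received lines, shows which lines pass a given trap level, and counts SSH password failures per user. The sample lines are constructed, and the `<PRI>seq: timestamp: text` layout with facility local7 and the function names are assumptions.

```python
import re
from collections import Counter

# Cisco IOS severity keywords; list index = numeric level (0..7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample of lines as a syslog server might receive them.
# Assumed layout: <PRI>seq: timestamp: text, facility local7 (23).
SAMPLE = [
    "<190>41: *Mar 20 20:33:40.101 UTC: %SEC-6-IPACCESSLOGP: list 101 "
    "permitted tcp 192.0.2.10(4021) -> 192.0.2.1(22), 1 packet",
    "<191>42: *Mar 20 20:33:49.348 UTC: SSH0: password authentication failed for prelz",
    "<191>43: *Mar 20 20:33:49.348 UTC: SSH0: AAA authentication fail reason: Password:",
    "<191>44: *Mar 20 20:34:02.512 UTC: SSH0: password authentication failed for prelz",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
FAIL_RE = re.compile(r"SSH\d+: password authentication failed for (\S+)")

def severity(line):
    """Return the numeric severity from the PRI field, or None if absent."""
    m = PRI_RE.match(line)
    return int(m.group(1)) & 7 if m else None  # low 3 bits of PRI

def forwarded(lines, trap_level):
    """Lines that pass a trap level: severity number <= the level's number."""
    limit = SEVERITIES.index(trap_level)
    return [l for l in lines
            if (s := severity(l)) is not None and s <= limit]

def ssh_failures(lines):
    """Count SSH password authentication failures per username."""
    return Counter(m.group(1) for l in lines if (m := FAIL_RE.search(l)))

if __name__ == "__main__":
    for level in ("informational", "debugging"):
        passed = forwarded(SAMPLE, level)
        print(f"trap {level}: {len(passed)} line(s) forwarded, "
              f"SSH failures: {dict(ssh_failures(passed))}")
```
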