user logon events

tedauction
Level 1

Hello, on our 2960 and 3560 switches we would like to log 'user logon' events, i.e. who logs on and when.

What is the best way to do this without incurring too much load on the device? E.g. I was thinking of syslogging 'informational', but then we would generate too many unnecessary events.

Is there any way just to log user logon events?

Thanks kindly for any information.

6 Replies

Milos Megis
Level 3

Hi, with the command "logging userinfo" you can track changes of privilege level.

I don't know a command to track user logons.

tedauction
Level 1

Hello, we have about 100 different Cisco switches. Would it be a good idea to set up TACACS/RADIUS authentication for logon to these switches? Then we would have records of user logon events, which is what we are trying to achieve.

What do you do for backup? I.e. if the TACACS/RADIUS server is unreachable, we would need a backup method of switch logon.

Thanks for any info.

If you have so many devices then RADIUS/TACACS will be a better solution.
But I don't know how to help you with this.

However, if you configure TACACS authentication (AAA), you can specify that when the TACACS server is unreachable, the switch should use the local database (command: username xyz privilege 15 secret xxx).
If the TACACS server is available, then login from the local database will not be accepted by the switch.

Rolf Fischer
Level 9

Hi,

a very simple solution would be to enable the global configuration commands

login on-failure log
login on-success log

The syslog severity levels are

Warning (4): %SEC_LOGIN-4-LOGIN_FAILED
Notice (5): %SEC_LOGIN-5-LOGIN_SUCCESS

There is also an option to send SNMP traps to your NMS:

login on-failure trap
login on-success trap

HTH
Rolf
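
Once the two messages listed in the reply above reach a syslog collector, they can be filtered from the rest of the stream and summarised. This is an added example, not part of the original thread: the sample lines are constructed, and the bracketed [user: ...] [Source: ...] field layout is an assumption about how IOS renders these messages.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation-range addresses). The bracketed
# field layout is an assumption about the IOS message text, not thread output.
SAMPLE_LOG = """\
Mar  3 09:14:02 sw-01 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 192.0.2.10] [localport: 22] at 09:14:02 UTC Mon Mar 3 2025
Mar  3 09:15:40 sw-01 102: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (192.0.2.10)
Mar  3 09:20:11 sw-02 77: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 09:20:11 UTC Mon Mar 3 2025
Mar  3 09:20:15 sw-02 78: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 09:20:15 UTC Mon Mar 3 2025
Mar  3 09:20:19 sw-02 79: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 09:20:19 UTC Mon Mar 3 2025
Mar  3 09:31:00 sw-03 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 192.0.2.44] [localport: 22] [Reason: Login Authentication Failed] at 09:31:00 UTC Mon Mar 3 2025
Mar  3 09:31:09 sw-03 13: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.0.2.44] [localport: 22] at 09:31:09 UTC Mon Mar 3 2025
"""

# Match only the two mnemonics from the post, each with its own severity digit.
EVENT_RE = re.compile(
    r"%SEC_LOGIN-(?P<kind>4-LOGIN_FAILED|5-LOGIN_SUCCESS):"
    r".*?\[user: (?P<user>[^\]]*)\]"      # user may be empty on a failed attempt
    r".*?\[Source: (?P<source>[^\]]+)\]"
)

def parse_login_events(text):
    """Return one dict per logon message; all other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({
                "success": m["kind"] == "5-LOGIN_SUCCESS",
                "user": m["user"].strip(),
                "source": m["source"].strip(),
            })
    return events

def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` failed logons, for review or alerting."""
    failures = Counter(e["source"] for e in events if not e["success"])
    return {src: n for src, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    for e in events:
        print("OK  " if e["success"] else "FAIL", e["user"] or "<blank>", e["source"])
    print("repeated failures:", noisy_sources(events))
```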

Thank you

Hi Guys. How to do this for Cisco SG350X which does not run IOS? Thanks!
