03-18-2013 04:23 AM - edited 03-11-2019 06:15 PM
Dear Experts,
I am facing an issue with syslog messages that are not getting logged with user login information. The firewall is configured in multi-context mode.
The Admin context is configured with syslog configuration and I am getting the local syslog messages about the user login information.
I did the same syslog server configuration for the other contexts, but the local syslog messages don't have the user information.
Could you kindly advise whether any limitation exists for multi-context firewall logging?
Kind advice.
03-18-2013 01:06 PM
Does this happen when you access the context directly or when you are coming from the "system" context?
What is the log ID that you are referring to?
Can you provide a sample of both logs? With and without the user information.
03-19-2013 12:01 AM
Hi Jocamare,
Thanks for your reply.
Let me clarify this further.
I have two contexts now, Admin and one customer context. Each context has a dedicated management interface VLAN.
When I access the Admin context directly through the management interface, it shows the local syslog message with login user information. But when I try the same for the customer context through the management interface, the syslog message does not show the login user information, even though the syslog configuration is the same on both contexts.
The log ID that I am referring to is %FWSM-6-605005. Below are the sample logs that were generated on the admin context while logging in.
Mar 19 2013 09:37:00: %FWSM-6-605005: Login permitted from 10.10.2.10/62219 to management:192.168.1.4/telnet for user "abc"
Mar 19 2013 09:37:10: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15
Mar 19 2013 09:37:10: %FWSM-5-111008: User 'abc' executed the 'enable' command.
Mar 19 2013 09:37:12: %FWSM-7-111009: User 'abc' executed cmd: show running-config username
Mar 19 2013 09:37:22: %FWSM-7-111009: User 'abc' executed cmd: show running-config logging
Mar 19 2013 09:37:27: %FWSM-7-111009: User 'abc' executed cmd: show logging
Mar 19 2013 09:38:05: %FWSM-7-111009: User 'abc' executed cmd: show logging
Syslog configuration in the Admin context is shown below
logging enable
logging timestamp
logging buffer-size 104857
logging console informational
logging buffered debugging
logging trap notifications
logging facility 16
logging host management X.X.X.X
Syslog configuration in the Customer context is shown below
logging enable
logging timestamp
logging buffer-size 104857
logging console informational
logging monitor notifications
logging buffered debugging
logging trap notifications
logging asdm informational
logging facility 16
logging host management X.X.X.X
Note: I am not able to get any user log messages from the customer context to paste here.
Kind Regards,
03-19-2013 07:46 PM
Just tested this on my lab. 9.1(1)
It works for me.
Seems to me the reason why you are not seeing the information you need is because the telnet connections are not authenticating against any database. They just get in using the default telnet password.
What does the output of the "show run aaa" command from the client context show?
03-19-2013 11:31 PM
That's good news... Below are the aaa commands from the client context
From client context (without AAA server)
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
Now I added the below aaa command and I am able to get the user login info while telnetting.
aaa authentication telnet console LOCAL
Could you please advise whether I missed any config commands?
Kind Regards,
03-20-2013 12:18 AM
Not sure I understand the request, but yeah, you missed the "aaa authentication..." command.
Sent from Cisco Technical Support iPhone App
03-21-2013 02:20 AM
Thanks for your advice jocamare.
Now the issue of getting the local syslog message with login user information is solved. But on the syslog server I am not getting the severity informational messages.
Below are the syslog messages in the local buffer of the firewall
Mar 20 2013 15:14:44: %FWSM-6-605005: Login permitted from 10.10.10.2/59698 to management:20.20.20.2/telnet for user "abc"
Mar 20 2013 15:18:43: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15
Mar 20 2013 15:18:43: %FWSM-5-111008: User 'abc' executed the 'enable' command.
Below are the syslog messages in the syslog server logs.
Mar 20 15:18:00 20.20.20.2 Mar 20 2013 15:18:43: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15
Mar 20 15:18:00 20.20.20.2 Mar 20 2013 15:18:43: %FWSM-5-111008: User 'abc' executed the 'enable' command.
Could you please advise how I can get message ID FWSM-6-605005 on the syslog server?
Kind Regards,
03-22-2013 12:02 PM
Try:
logging trap informational
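
Added example, not part of the original thread: a short Python check of why %FWSM-6-605005 reached the local buffer but not the syslog server. It applies the rule that a destination receives a message only when the message severity is numerically at or below that destination's configured level; the function names and the `CUSTOMER_CONFIG` string layout are illustrative assumptions, while the config lines and log lines are the ones posted above.

```python
import re

# Cisco severity keywords and their numeric levels (0 = most severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Logging destinations whose config line carries a severity threshold.
# "trap" is the threshold for messages sent to the syslog server.
DESTINATIONS = ("console", "monitor", "buffered", "trap", "asdm")

# The digit after the platform prefix is the message severity.
MSG_RE = re.compile(r"%(?:FWSM|ASA|PIX)-(\d)-(\d{6})")


def parse_thresholds(config):
    """Map each destination to its numeric level from 'logging <dest> <level>' lines."""
    thresholds = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "logging" and parts[1] in DESTINATIONS:
            level = parts[2]
            thresholds[parts[1]] = int(level) if level.isdigit() else LEVELS[level]
    return thresholds


def delivered_to(log_line, thresholds):
    """Return the destinations that receive this message (severity <= threshold)."""
    m = MSG_RE.search(log_line)
    if not m:
        return []
    severity = int(m.group(1))
    return sorted(d for d, limit in thresholds.items() if severity <= limit)


# Customer-context logging levels as posted in the thread.
CUSTOMER_CONFIG = """\
logging console informational
logging monitor notifications
logging buffered debugging
logging trap notifications
logging asdm informational
"""

# Log lines copied from the thread's local buffer output.
LOGIN = 'Mar 20 2013 15:14:44: %FWSM-6-605005: Login permitted from 10.10.10.2/59698 to management:20.20.20.2/telnet for user "abc"'
PRIV = "Mar 20 2013 15:18:43: %FWSM-5-502103: User priv level changed: Uname: abc From: 1 To: 15"

if __name__ == "__main__":
    before = parse_thresholds(CUSTOMER_CONFIG)
    after = parse_thresholds(CUSTOMER_CONFIG.replace("trap notifications", "trap informational"))
    for name, line in (("605005", LOGIN), ("502103", PRIV)):
        print(name, "before:", delivered_to(line, before), "after:", delivered_to(line, after))
```

With `logging trap notifications` the severity-6 login message stops at the buffer, console and ASDM destinations; raising the trap level to `informational` adds the syslog server to that list.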
03-26-2013 02:38 AM
Many thanks Jocamare... It works fine now.
Kind Regards,