Logging telnet session with syslog.

sweeann
Level 1

I'm trying to log telnet sessions using syslog and have configured the following:

ip access-list extended testaccess
 permit tcp 202.162.31.0 0.0.0.255 host 0.0.0.0 eq telnet log-input

line vty 0 4
 access-class testaccess in

Looking at the syslog this is the only entry I got when I telnet to the router:

367: *Aug 31 19:48:17.274: %SEC-6-IPACCESSLOGP: list testaccess permitted tcp 202.162.31.121(43264) -> 0.0.0.0(23), 1 packet

Can I see more info, for instance the username that was trying to telnet to the router? Can the log also show failed attempts due to an unauthorised username?

Thanks.


pvanvuuren
Level 3

Hi sweeann

Using an access-list with the log-input command for logging telnet access will only report IP packets that match the access-list.

Assuming you want to have "tighter" control and security in regards to telnet activity, I suggest you configure AAA and use Cisco Secure ACS as a reporting tool for authentication failures and configuration activities. ACS can give passed authentication, failed authentication, authorization control and accounting information as to which config lines were entered on the router/switch. Use TACACS+, since RADIUS is better with PPP sessions.

What you can do with syslog is log the telnet session once a configuration change has been made. To do this, your logging trap level needs to be set to "informational".

Router(config)#logging buffered 8000 debugging
Router(config)#logging 10.1.1.1
Router(config)#logging trap 5

This configuration will be able to send a syslog message to your NMS the moment a telnet user makes a config change, since the severity matches level 5. It will look like this:

Sep 1 15:09:54.698: %SYS-5-CONFIG_I: Configured from console by joesoap on vty0 (10.1.X.X)

Hope this helps.
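As an added example (not from either poster), here is a small Python parser for the two IOS message formats quoted in this thread, %SEC-6-IPACCESSLOGP from the ACL and %SYS-5-CONFIG_I from a config change, run over constructed sample lines on the collector side; it shows what each message does and does not carry (the ACL hit has only the source address, the CONFIG_I line has the username and vty for a remote session but no address for a console login). The addresses, usernames and message numbers in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample lines following the two IOS message formats quoted in this thread.
SAMPLE_LOG = """\
367: *Aug 31 19:48:17.274: %SEC-6-IPACCESSLOGP: list testaccess permitted tcp 202.162.31.121(43264) -> 0.0.0.0(23), 1 packet
368: *Aug 31 19:50:02.100: %SEC-6-IPACCESSLOGP: list testaccess denied tcp 203.0.113.7(51000) -> 0.0.0.0(23), 3 packets
369: Sep  1 15:09:54.698: %SYS-5-CONFIG_I: Configured from console by joesoap on vty0 (192.0.2.10)
370: Sep  1 15:12:10.001: %SYS-5-CONFIG_I: Configured from console by console
371: Sep  1 15:13:00.000: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down
"""

# ACL log-input hit: who connected to port 23 and whether the ACL permitted or denied it.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
# Config change: the "on <line> (<ip>)" part is only present for vty (remote) sessions.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<via>\w+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+) \((?P<ip>[^)]+)\))?"
)

def parse_line(line):
    """Return a dict for an ACL hit or a config change, or None for any other message."""
    m = ACL_RE.search(line)
    if m:
        d = m.groupdict()
        return {"kind": "acl", "acl": d["acl"], "action": d["action"], "src": d["src"],
                "dport": int(d["dport"]), "packets": int(d["count"])}
    m = CONFIG_RE.search(line)
    if m:
        d = m.groupdict()
        # Console logins carry no line or address, so these stay None.
        return {"kind": "config", "user": d["user"], "line": d["line"], "ip": d["ip"]}
    return None

def summarize(log_text):
    """Count ACL packets per (source, action) and config changes per (user, address)."""
    acl_hits = Counter()
    config_changes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "acl":
            acl_hits[(rec["src"], rec["action"])] += rec["packets"]
        else:
            config_changes[(rec["user"], rec["ip"])] += 1
    return {"acl_hits": acl_hits, "config_changes": config_changes}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```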