Ruddy Successful/Unsuccessful SSH Logins

WMA Hell
Level 1

My router logs are filled with 

Feb 16 19:36:14.980 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 19:36:14 EDT Thu Feb 16 2023
Feb 16 19:36:14.981 EDT: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed
Feb 16 19:36:14.981 EDT: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty = 0) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' closed
Feb 16 19:38:10.669 EDT: %SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
I have the following configured. 

Router#sh run | i login
aaa authentication login default group Salt group Pepper local enable
login block-for 100 attempts 15 within 100
login delay 5
login on-failure log every 3
login on-success log
banner login ^CC

Router#sh run | inc ssh
ip ssh maxstartups 10
ip ssh time-out 30
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
transport input ssh
transport input ssh
How do I redirect this to our logging server and stop it from filling up the syslog?
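Before deciding what to suppress, it helps to know what those lines actually represent. The following is an added Python example, not code from the original post or from Cisco: it parses %SEC_LOGIN-4-LOGIN_FAILED lines in the format shown above, tallies them per source and username, and estimates whether the configured `login block-for 100 attempts 15 within 100` would enter quiet mode. The sample log is constructed for the example (RFC 5737 documentation addresses stand in for the redacted x.x.x.x; the usernames and timestamps are invented), and the `log_every` parameter assumes, as a reading of `login on-failure log every 3`, that only every third failure is written to syslog.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the %SEC_LOGIN-4-LOGIN_FAILED and
# %SSH-5-SSH2_SESSION lines in the post. The addresses are RFC 5737
# documentation ranges standing in for the redacted x.x.x.x; timestamps
# and usernames are invented for the example.
SAMPLE_LOG = """\
Feb 16 19:36:14.980 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 19:36:14 EDT Thu Feb 16 2023
Feb 16 19:36:20.101 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 19:36:20 EDT Thu Feb 16 2023
Feb 16 19:36:31.455 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 19:36:31 EDT Thu Feb 16 2023
Feb 16 19:36:47.212 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 19:36:47 EDT Thu Feb 16 2023
Feb 16 19:37:02.003 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.0.2.44] [localport: 22] [Reason: Login Authentication Failed] at 19:37:02 EDT Thu Feb 16 2023
Feb 16 19:38:10.669 EDT: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.44 (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded
Feb 16 19:38:50.001 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.0.2.44] [localport: 22] [Reason: Login Authentication Failed] at 19:38:50 EDT Thu Feb 16 2023
"""

# Fields of a LOGIN_FAILED line: timestamp, user (may be empty), source address,
# local port, and the four-digit year from the trailing "at ..." clause.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ \S+: "
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r".* (?P<year>\d{4})$"
)


def parse_failed_logins(text):
    """Return one dict per LOGIN_FAILED line; every other message is ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['year']} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "port": int(m["port"])})
    return events


def failures_by_source(events):
    """Logged failures per source address, most active first."""
    return dict(Counter(e["src"] for e in events).most_common())


def users_tried(events):
    """Distinct usernames seen; an empty user field is reported as '<empty>'."""
    return sorted({e["user"] or "<empty>" for e in events})


def would_trigger_quiet_mode(events, attempts=15, within=100, log_every=3):
    """Estimate whether 'login block-for ... attempts A within W' would fire.

    IOS counts every failure, but with 'login on-failure log every N' only
    every Nth one reaches syslog, so each logged line is taken to stand for
    about N real attempts (an assumption of this example). The check is
    device-wide rather than per source, mirroring the block-for command, and
    returns True if any W-second window holds enough estimated attempts.
    """
    times = sorted(e["ts"] for e in events)
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > within:
            start += 1
        if (end - start + 1) * log_every >= attempts:
            return True
    return False


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("failures per source:", failures_by_source(evs))
    print("usernames tried:", users_tried(evs))
    print("quiet mode likely (log every 3):", would_trigger_quiet_mode(evs))
    print("quiet mode likely (log every 1):", would_trigger_quiet_mode(evs, log_every=1))
```

Run against a copy of the buffer (`show logging` output saved to a file), this gives a per-source count to hand to whoever owns the upstream access-list, and the quiet-mode estimate shows why the same five logged lines mean fifteen real attempts once `login on-failure log every 3` is taken into account.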


Torbjørn
Spotlight

You can configure a "message discriminator" to suppress these, but that will also remove them from what is sent to the syslog server:

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/syst-mgmt/b-system-management/m_reliable-del-filter-0.html

Alternatively, you can try to find out why you are getting so many of these entries. My guess would be that you either have some management tool that is misconfigured and failing, or your router management interface(s) might be exposed to an untrusted network. If it is the second, you should consider configuring an access-class for your VTY (https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html) and maybe configure an access-list on your WAN interface, if that is where the login attempts are originating.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

show log
See which level the monitor and console are set to; make it less than 4, and then the log will be sent to the server and not appear in the terminal.

MHM

Router#sh log
Syslog logging: enabled (0 messages dropped, 5 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 783 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
