Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4704
Views
5
Helpful
3
Replies

Syslog SSH_Close

Go to solution
lmontalvanr
Level 1
Level 1

‎03-11-2016 09:09 AM - edited ‎03-05-2019 03:32 AM

Hi all.
It was he setting a cisco switch 2960S, the ssh logging, the configuration I have is:

logging trap notifications
logging x.x.x.x
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps vlan-membership
snmp-server enable traps mac-notification change move threshold
snmp-server host x.x.x.x version 2c public
snmp-server host x.x.x.x version 2c public  tty config entity cpu syslog stackwise mac-notification snmp

Additionally


login on-failure log every 1
login on-success log every 1
ip sla enable reaction-alerts
logging history notifications
logging trap debugging
logging facility local4
ip ssh logging event

In the log, shows me the following

11:49:52 2016/03/11 SNMPv2-SMI::enterprises.9.9.41.2.0.1 Normal "Status Events" x.x.x.x - ZBXTRAP x.x.x.x
 clogHistFacility  : SSH
 clogHistSeverity  : 6
 clogHistMsgName   : SSH2_SESSION
 clogHistMsgText   : SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
 clogHistTimestamp : 61:14:30:02.43

 clogHistFacility  : SEC_LOGIN
 clogHistSeverity  : 6
 clogHistMsgName   : LOGIN_SUCCESS
 clogHistMsgText   : Login Success [user:xxxx] [Source: x.x.x.x] [localport: 22] at 14:30:12 UTC Sat May 1 1993
 clogHistTimestamp : 61:14:30:12.85

11:50:03 2016/03/11 SNMPv2-SMI::enterprises.9.9.41.2.0.1 Normal "Status Events" x.x.x.x - ZBXTRAP 172.18.0.23
 clogHistFacility  : SSH
 clogHistSeverity  : 6
 clogHistMsgName   : SSH2_USERAUTH
 clogHistMsgText   : User 'xxx' authentication for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
 clogHistTimestamp : 61:14:30:12.85

When I exit the terminal ssh, ssh does not show the SSH2_Close, to know when the user disconnected

I need to configure something else?

I hope you can help me..

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to lmontalvanr

‎03-14-2016 08:39 AM

Fantastic! Glad the upgrade solved the problem! Thank you for taking the time to post back and let us know that the issue was with that version of code (+5 from me). 

Since your issue is resolved, you should mark the thread as "answered" :)

Thank you for rating helpful posts!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎03-12-2016 08:37 AM

Hmm, your config looks good. I just tested this in my lab and I ams seeing the following log message:

Mar 12 16:15:29.245: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty = 0) for user 'removed' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed

Here is my config

Perhaps you are hitting a bug?

NS-3560c-01# sh run | i logging
logging buffered informational
logging console warnings
ip ssh logging events
logging source-interface Vlan30
logging host x.x.x.x

Thank you for rating helpful posts!

0 Helpful

Go to solution
lmontalvanr
Level 1
Level 1
In response to nspasov

‎03-14-2016 07:37 AM

Hi Neno.

First thank you for your help. I added the command "logging buffered informational" and "configure warnings" and the problem was the same.

As I have another 2960S, updated the IOS version 12.2 (55) SE7 and began to run correctly.

Apparently version 12.2 (55) SE5 has a bug with SSH, being you need to upgrade to a higher version.

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to lmontalvanr

‎03-14-2016 08:39 AM

Fantastic! Glad the upgrade solved the problem! Thank you for taking the time to post back and let us know that the issue was with that version of code (+5 from me). 

Since your issue is resolved, you should mark the thread as "answered" :)

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card