Failed to Login Message in Syslog

PolarPanda · ‎09-18-2019

At below, it's the message I found in syslog, and this "junk" fills up the syslog. The source ip is Cisco Prime Infrastructure. I checked the switch login credential in CPI and it's correct. Can anyone tell me why the user name is empty and CPI tries to login without user name?

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.101.6.40] [localport: 23] [Reason: Login Authentication Failed]

Georg Pauwen · ‎09-18-2019

Hello,

I would delete and reenter the credentials, or if you use SSH, even zeroize the RSA key and reenter it as well.

In the meantime, if you want to keep these messages from filling up your logs, use the logging discriminator below:

logging discriminator SEC_LOGIN severity drops 4 LOGIN mnemonics drops LOGIN_FAILED
!
logging buffered discriminator SEC_LOGIN 100000
logging console discriminator SEC_LOGIN
logging monitor discriminator SEC_LOGIN

And if you have an external (syslog) server specified:

logging host 192.168.1.10 discriminator SEC_LOGIN

PolarPanda · ‎09-18-2019

It has the correct login credential, and I did receive emails when CPI login with the correct info. I can see the username in the syslog. I can try to delete the device then add it in CPI, but I'd prefer to know what cause the problem. Why does CPI try to login without username? Misconfig? Try to download running config?