07-31-2018 11:06 PM - edited 03-08-2019 03:47 PM
Hello Experts,
I wanted to know which username and IP logged in to a Cisco switch two days ago and which commands he/she used!!!
Is there any possibility to find out!!
Thanks
08-01-2018 12:09 AM
Hi there,
Do you have any functioning aaa accounting methods configured? Or configuration change notification and logging setup?
Without either of these you will not be able to trace users and configuration changes.
cheers,
Seb.
08-01-2018 12:11 AM
No, aaa accounting is not configured.
Thanks
08-01-2018 12:34 AM
OK, but do you have the configuration change logger enabled?
08-01-2018 01:05 AM
No, I don't. Is there any command which can show us the computer name/IP logged in to the switch a few days ago:
I found a few commands but they are not sufficient: show configuration history & sh history all
Thanks
08-01-2018 02:39 AM
Two configuration commands which would be of use are:
!
login on-success log
login on-failure log
!
However, adding these retrospectively is not going to help you now.
I think without any of the commands suggested so far being in place before the incident you will not be able to trace the user/ IP.
Sorry.
cheers,
Seb.
08-01-2018 11:50 AM
I agree with Seb that based on what you have told us about your environment that it is not possible to find out who logged in several days ago. The suggestion of login on-success log is a starting place but I would suggest that configuring aaa accounting would be a much better solution (assuming that you do have an aaa server that could receive and store the accounting records). The usefulness of login on-success log depends on how/whether logging is enabled (which we do not know) and unless you are sending your syslog messages to an external log server a reboot of your router would put you back in the situation where you cannot determine who logged in days ago.
HTH
Rick
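Added example, not part of any post in this thread: once `login on-success log` / `login on-failure log` and the configuration change logger are sending syslog to an external server, a short script can answer the original question (who logged in, from which IP, and what they configured). The message layouts matched below and every sample line are assumptions constructed for illustration; the host name `sw1`, the users and the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread); layouts are assumed.
SAMPLE = """\
Jul 31 11:06:12 sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 192.0.2.25] [localport: 22] at 11:06:12 UTC Tue Jul 31 2018
Jul 31 11:07:01 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
Jul 31 11:07:09 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:shutdown
Jul 31 11:20:44 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 11:20:44 UTC Tue Jul 31 2018
Jul 31 11:30:02 sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.0.2.40] [localport: 22] at 11:30:02 UTC Tue Jul 31 2018
"""

# Login events carry the username and the source address in bracketed fields.
LOGIN = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED): .*?\[user: (.*?)\] \[Source: (.*?)\]"
)
# Configuration change logger events carry the username and the command text.
CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")


def audit(text):
    """Return {user: {"sources": [...], "failed": [...], "commands": [...]}}."""
    report = defaultdict(lambda: {"sources": [], "failed": [], "commands": []})
    for line in text.splitlines():
        m = LOGIN.search(line)
        if m:
            outcome, user, source = m.groups()
            key = "sources" if outcome == "SUCCESS" else "failed"
            if source not in report[user][key]:  # keep each address once
                report[user][key].append(source)
            continue
        m = CMD.search(line)
        if m:
            user, command = m.groups()
            report[user]["commands"].append(command.strip())
    return dict(report)


if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
```

The configuration change logger records configuration-mode commands only; exec commands such as `show` appear only in AAA command accounting records.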
08-01-2018 02:56 PM - edited 08-01-2018 03:01 PM
Hello
I'd just like to add to Seb's suggestion: you'll also need to enable login attacks for this to work successfully
Example:
sh login | be Router
Router NOT enabled to watch for login Attacks
conf t
login block-for 300 attempts 3 within 180
end
sh login | be Router
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 180 seconds or less,
logins will be disabled for 300 seconds.