08-30-2017 12:00 PM - edited 03-08-2019 11:53 AM
Hi,
I want to enable ssh/telnet logs when somebody login/logout to Rtr/SW , I have used the follwoing commands , but it is not working on all routers specially when someone logout from the session ,
Rtr(config)# logging host <syslogs ip address>
Rtr(config)# logging trap 6
Rtr(config)# logging on
Rtr(config)# login on-failure log
Rtr(config)# login on-failure trap
Rtr(config)# login on-success log
Rtr(config)# login on-success trap
-for router 2900 series the logout session working well and it gives me the following message at the syslogs server:
Wed Aug 23 13:03:36 2017;192.168.1.1; <190>217: *Aug 23 10:00:16.426: %SYS-6-LOGOUT: User admin has exited tty session 388(192.168.2.183)
unfortunately I dont know why it does not work on 2800 series for the same config , syslogs server receive nothing when somebody logout from telent/ssh session .
Line vty config as follow:
line vty 0 4
privileg level 15
login local
login
transport input telnet ssh
Thanks for your help
success
08-30-2017 12:21 PM
Hi
As another option look at Keith Barkers post on EEM in this link for doing the same , i havent got any 28s anymore to test with but looking at your syntax it looks correct , maybe your hitting some odd bug on the 2800
09-01-2017 09:03 AM - edited 09-01-2017 09:21 AM
As far as I understood , log message should appear on the console (console loggin and terminal logging) after that I can use EEM , my problem was "Logout" message of Telnet/ssh does not appear at all at the console logs , if the Telnet/ssh got session timeout the following message succesfully appear on the console:
%SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 0 (0.0.0.0)), user
but nothing appear at all for "Logout" or when exit the Telnet/ssh session (I mean the following message )
%SYS-6-LOGOUT: User admin has exited tty session 388(192.168.2.183)
This issue related to Rtr 2800 series , 2900 working fine
Thank you for your help
09-01-2017 09:27 AM
personally i would try a different software code on one of the 28s and see if the issue is just related to the current code , it could be an odd bug your hitting, i dont see any other reason why it would work on 29s but not 28s
09-01-2017 12:58 PM
Yes already upgraded to the latest ios version with no difference
09-01-2017 03:17 PM - edited 09-01-2017 03:22 PM
Hi
In order to register the logs for SSH, you must configure:
ip ssh logging event
Also I recommend use archive command:
archive
log config
logging enable
logging size 300
notify syslog contenttype plaintext
hidekeys
logging buffered <size>
It will help you to see all the users and changes made on your devices.
Hope it is useful
:-)
09-01-2017 04:09 PM - edited 09-02-2017 07:33 PM
.
09-01-2017 05:42 PM - edited 09-01-2017 05:44 PM
Hi
You can try enabling the following commands:
router# terminal monitor
then
configure terminal
logging monitor (5 o 6)
09-01-2017 07:17 PM
Unfortunately still not working , only the following message appears when telnet timeout occurred:
"%SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 0 (0.0.0.0)), user"
09-01-2017 07:33 PM - edited 09-01-2017 07:35 PM
I would strongly recommend disabling telnet. Having said that, I know there are some business cases where disabling telnet causes operational issues, so moving on....
Have you tried this?
Catalyst3850-IOS_XE_3.7.0E(config)# logging buffered 7
I'm not sure if your device has that syntax, but in any event that turns on "debug" level logging to syslog. It's turns on a MASSIVE amount of logging (25MB per day on each Nexus 9372PX-E where I have it standard on all my units), so use it judiciously, but if that works then that should be able to at least get you started and you can perhaps enable logging filter, or use lower-level logging.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide