Syslog configuration on a 6009 (Running IOS)

cisco
Level 1

I am running the latest 12.1 IOS on my 6009 and I was wondering if I can configure syslog to tell me when someone logs in or out of the switch? Would I need to change anything with the logging facility (don't think I need to)?

Right now I have the following set for logging...

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)

Console logging: disabled

Monitor logging: level emergencies, 0 messages logged

Buffer logging: disabled

Exception Logging: size (4096 bytes)

Trap logging: level debugging, 6601 message lines logged

Logging to x.x.x.x, 6601 message lines logged

8 Replies

Mark Yeates
Level 7

Typically you would want to use TACACS to log access to your devices. There is a command to log successful and unsuccessful connection attempts to your switch. Unfortunately, your IOS is not current enough to support the commands. You also might try setting your logging buffer to informational, and it should log when users log into the switch. I do recommend using TACACS.

login on-failure log

login on-success log

Hope this helps

Mark

I have tried this on my 3750 and the command is there. I am not seeing anything in syslog though. Here are my settings:

login block-for 30 attempts 30 within 100

login delay 5

login on-failure log

login on-success log

...

no logging buffered

no logging console

no logging monitor

logging 1.2.3.4

I have messages going to syslog, but login messages are not appearing.

Try adding the "logging trap notifications" command.

Mark

I tried that command and it didn't work. Do I need AAA turned on to properly use this or will the standard logins work? I think AAA is ringing a bell, but not 100%.

You shouldn't have to use AAA, as long as you are using a local account with a username and password.

I just use the normal password and enable secret. I do not currently use usernames.

You will want to configure a username and password for it to log access to the switch.

glen.grant
VIP Alumni

Right now you have buffer logging disabled, so you won't be able to look at anything locally on the box the way it is. As the other person said, what you are requesting is normally handled through an authentication server, whether TACACS or RADIUS. You need to turn on buffer logging on the box, and don't use the defaults; they are much too small. I would make it at least 3-4 times the default of 4096 at the very least.
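
The advice from the replies above, combined into one configuration as an added example (not posted by anyone in the thread). It assumes an IOS release that has the login logging commands, as the 3750 in the thread does; the username `netadmin`, the secret placeholder and the 16384-byte buffer size are assumptions, and 1.2.3.4 is the syslog host from the thread.

```cisco
! Added example, not from the thread. Assumes an IOS release that
! supports "login on-failure log" / "login on-success log".
!
! Per-user local account so each login is tied to a name.
! (Username and secret below are placeholders.)
username netadmin secret <REPLACE-WITH-STRONG-SECRET>
!
! Authenticate against the local user database instead of the
! shared line password. Create the username first to avoid lockout.
line con 0
 login local
line vty 0 4
 login local
!
! Log failed and successful login attempts.
! These appear as %SEC_LOGIN-4-LOGIN_FAILED and
! %SEC_LOGIN-5-LOGIN_SUCCESS.
login on-failure log
login on-success log
!
! Local buffer at 4x the 4096-byte default so the events can be
! reviewed on the box with "show logging".
logging buffered 16384 informational
!
! Forward severity 5 (notifications) and more severe to the syslog
! server; this covers both login messages above.
logging trap notifications
logging 1.2.3.4
```

After a test login, `show logging` should list the event in the local buffer, which confirms the message is being generated before troubleshooting delivery to the syslog server.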