06-11-2008 12:53 PM - edited 03-05-2019 11:34 PM
I am running the latest 12.1 IOS on my 6009 and I was wondering if I can configure syslog to tell me when someone logs in or out of the switch? Would I need to change anything with the logging facility (don't think I need to)?
Right now I have the following set for logging...
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes
0 overruns)
Console logging: disabled
Monitor logging: level emergencies, 0 messages logged
Buffer logging: disabled
Exception Logging: size (4096 bytes)
Trap logging: level debugging, 6601 message lines logged
Logging to x.x.x.x, 6601 message lines logged
06-11-2008 02:21 PM
Typically you would want to use TACACS to log access to your devices. There is a command to log successful and unsuccessful connection attempts to your switch. Unfortunately, your IOS is not current enough to support the commands. You might also try setting your logging buffer to informational, and it should log when users log into the switch. I do recommend using TACACS.
login on-failure log
login on-success log
Hope this helps
Mark
06-13-2008 10:43 AM
I have tried this on my 3750 and the command is there. I am not seeing anything in syslog though. Here are my settings:
login block-for 30 attempts 30 within 100
login delay 5
login on-failure log
login on-success log
...
no logging buffered
no logging console
no logging monitor
logging 1.2.3.4
I have messages going to syslog, but login messages are not appearing.
06-13-2008 11:41 AM
Try adding the "logging trap notifications" command.
Mark
06-13-2008 11:51 AM
I tried that command and it didn't work. Do I need AAA turned on to properly use this or will the standard logins work? I think AAA is ringing a bell, but not 100%.
06-13-2008 12:08 PM
You shouldn't have to use AAA, as long as you are using a local account with a username and password.
06-13-2008 12:10 PM
I just use the normal password and enable secret. I do not currently use usernames.
06-13-2008 12:22 PM
You will want to configure a username and password for it to log access to the switch.
06-14-2008 01:58 AM
Right now you have buffer logging disabled, so you won't be able to look at anything locally on the box the way it is. As the other person said, what you are requesting is normally handled through an authentication server, whether TACACS or RADIUS. You need to turn buffer logging on on the box, and don't use the defaults; they are much too small. I would make it at least 3-4 times the default of 4096 at the very least.
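The receiving side of the login logging discussed in this thread, as an added example that is not part of any post above: it parses `%SEC_LOGIN` success and failure lines on the syslog server and flags sources with repeated failures. The message layout is assumed from the usual IOS `%FACILITY-SEVERITY-MNEMONIC` format, and every sample line, user name and address is constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the IOS %SEC_LOGIN layout (assumed
# format; host name, users and addresses are made up for this example).
SAMPLE = """\
Jun 13 10:43:01 sw1 45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 23] at 10:43:01 UTC Fri Jun 13 2008
Jun 13 10:44:12 sw1 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 10:44:12 UTC Fri Jun 13 2008
Jun 13 10:44:20 sw1 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 10:44:20 UTC Fri Jun 13 2008
Jun 13 10:44:31 sw1 48: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Jun 13 10:44:40 sw1 49: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 10:44:40 UTC Fri Jun 13 2008
Jun 13 10:50:02 sw1 50: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.5] [localport: 23] [Reason: Login Authentication Failed] at 10:50:02 UTC Fri Jun 13 2008
"""

EVENT = re.compile(r"%SEC_LOGIN-(?P<sev>\d)-(?P<name>LOGIN_SUCCESS|LOGIN_FAILED):")
FIELD = re.compile(r"\[(?P<key>[^:\]]+): ?(?P<val>[^\]]*)\]")  # [key: value]

def parse(line):
    """Return a dict for a login event, or None for any other syslog line."""
    m = EVENT.search(line)
    if not m:
        return None
    # Only look at the bracketed fields that follow the mnemonic.
    fields = {k.strip().lower(): v.strip() for k, v in FIELD.findall(line[m.end():])}
    return {
        "event": m["name"],
        "severity": int(m["sev"]),
        "user": fields.get("user", ""),      # may be empty on failed attempts
        "source": fields.get("source", ""),
        "reason": fields.get("reason", ""),
    }

def summarize(text, threshold=3):
    """List successful logins and sources with at least `threshold` failures."""
    events = [e for e in map(parse, text.splitlines()) if e]
    failures = Counter(e["source"] for e in events if e["event"] == "LOGIN_FAILED")
    return {
        "successes": [(e["user"], e["source"]) for e in events if e["event"] == "LOGIN_SUCCESS"],
        "noisy_sources": sorted(s for s, n in failures.items() if n >= threshold),
        # Highest severity number seen: the trap level must be at least this.
        "trap_level_needed": max((e["severity"] for e in events), default=None),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The severity digit in each mnemonic (5 for success, 4 for failure) is why a trap level of notifications (level 5) is enough to forward both event types.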