
AAA syslog IDs not showing up in Syslog server

ethutchinson
Level 1

We have two FTD 1140Ns in an HA environment managed by an FMCv. Both are running 7.2.5. I set up a FlexConfig statement to do

"aaa local authentication attempts max-fail 5"

We have seen the command work during a production day. We then run "clear aaa local user lockout username username" to clear it.
Weird thing is I can see in the syslog the user attempting to put in their password incorrectly (syslog id 113015). I do not see the user get locked out (syslog id 113006) or the unlock we do (syslog id 113007).

Like I mentioned, the unlock works. I was trying to set up a syslog event-based alert to let us know about the lockout itself, and I was hoping to base it off syslog id 113006.

Any ideas?

 

5 Replies

Can you try increasing the logging queue,
then check again?
MHM

MHM,

Would that be under platform settings, syslog, logging setup?

ethutchinson_0-1702989956411.png

 

 

It is already high.

In the Syslog Servers tab, increase the message queue also and check the result.

MHM

Ruben Cocheno
Spotlight

@ethutchinson 

Since you ship logs to a syslog/SIEM, I would personally use a lower value, as these local logs should be used only in very specific circumstances.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on LinkedIn https://www.linkedin.com/in/rubencocheno/

balaji.bandi
Hall of Fame

So you do not see the user locked event generated; do you see the user locked after the attempts are done?

Syslog settings - check, by any chance, is that event ID disabled?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
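
Added example, not part of the thread and not Cisco code: a syslog-server-side check for the alert the original post describes. It alerts on 113006 when that message arrives and otherwise infers a lockout after five 113015 rejections for the same user. Assumptions: the message text layouts, the 113012 success ID used to reset the count, the host name, addresses and every sample line are constructed for illustration.

```python
import re
from collections import defaultdict

MAX_FAIL = 5  # threshold from the post: "aaa local authentication attempts max-fail 5"
MSG_ID = re.compile(r"%(?:ASA|FTD)-\d-(\d{6}):")
USER_KV = re.compile(r"\buser = ([^\s:]+)")  # 113015 / 113012 layout (assumed)
USER_WORD = re.compile(r"\bUser (\S+) ")     # 113006 / 113007 layout (assumed)

def analyze(lines, max_fail=MAX_FAIL):
    """Return [(kind, user)]: 'lockout' when 113006 was received, 'inferred_lockout'
    when max_fail rejections were counted but no 113006 reached the server."""
    fails, open_alert, alerts = defaultdict(int), {}, []
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        u = (USER_KV if msg_id in ("113015", "113012") else USER_WORD).search(line)
        if not u:
            continue
        user = u.group(1)
        if msg_id == "113015":                 # local-database rejection
            fails[user] += 1
            if fails[user] == max_fail and user not in open_alert:
                open_alert[user] = len(alerts)
                alerts.append(("inferred_lockout", user))
        elif msg_id == "113006":               # explicit lockout message
            if user in open_alert:             # upgrade the inferred alert in place
                alerts[open_alert[user]] = ("lockout", user)
            else:
                open_alert[user] = len(alerts)
                alerts.append(("lockout", user))
        elif msg_id in ("113007", "113012"):   # admin unlock / successful login
            fails[user] = 0
            open_alert.pop(user, None)
    return alerts

# Constructed sample lines (not taken from the thread).
REJECT = ("Dec 19 12:00:00 ftd1 %FTD-6-113015: AAA user authentication Rejected : reason = "
          "Invalid password : local database : user = {} : user IP = 192.0.2.10")
SAMPLE = (
    [REJECT.format("jdoe")] * 5  # five failures, 113006 never arrives (thread's symptom)
    + ["Dec 19 12:05:00 ftd1 %FTD-6-113007: User jdoe unlocked by administrator"]
    + [REJECT.format("asmith")] * 2
    + ["Dec 19 12:06:00 ftd1 %FTD-6-113012: AAA user authentication Successful : local database : user = asmith"]
    + [REJECT.format("asmith")] * 3  # count was reset by the success, so no alert
    + [REJECT.format("bob")] * 5
    + ["Dec 19 12:09:00 ftd1 %FTD-6-113006: User bob locked out on exceeding 5 successive failed authentication attempts"]
)
```

On the sample, `analyze(SAMPLE)` reports an inferred lockout for `jdoe` and an explicit lockout for `bob`; a steady stream of inferred alerts with no explicit ones points at 113006 being dropped or disabled before it reaches the server.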