Log telnet connections to Cisco switches?

Asked by VIBT

In my environment I have a variety of Catalyst switches with:
IOS-XE 03.06.03E
IOS 12.2.53
IOS 12.2.35

I have them dumping logs to a syslog server.  I want to be able to log when someone connects to my switch.  When I show log I see lots of the state change messages and messages when I update the config, but no connection logs.

How do I configure my Cisco Switch to log when someone telnet or SSH connects to it?

Thanks!

VIBT
ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

ASKER

Thanks!

I've successfully entered those commands.  I tried connecting successfully and unsuccessfully - both several times.  I still only see these entries for the last hour or so:

009607: Apr 14 09:09:55: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)
009608: Apr 14 09:10:09: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)
009609: Apr 14 09:34:50: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)
009610: Apr 14 10:13:44: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)
009611: Apr 14 10:15:34: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)

VIBT
Are those logged to the console or are these showing when you do a show logg?

There should be something showing like:
057222: Apr 14 08:31:48: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: xxx] [Source: 10.x.x.x] [localport: 22] [Reason: Login Authentication Failed] at 08:31:48 CEST Thu Apr 14 2016

ASKER

When I show logg.

I am setup to just use a password to connect and another for enable.  Will that make a difference?

Thanks!

VIBT
What is your logging level set at?

show logging

ASKER

Looks like "debugging"

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 9611 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 9611 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Trap logging: level informational, 9614 message lines logged
        Logging to xxx.xxx.xxx.xxx, 9614 message lines logged, xml disabled,
               filtering disabled
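The "show logging" output above is what decides whether a login message ever reaches the syslog server: each destination (console, monitor, buffer, trap) has its own level, and a message is recorded there only when its severity digit (the 4 in %SEC_LOGIN-4-LOGIN_FAILED, the 5 in %SYS-5-CONFIG_I) is at or below that level. The following Python is an added example written for this page, not code from the thread or from Cisco; the sample text is constructed after the output above, with a documentation address standing in for the masked syslog server.

```python
import re

# Cisco IOS syslog severities: a lower number is more severe.
# A destination configured at level N records messages with severity <= N.
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample, modelled on the "show logging" output in the thread.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 9611 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 9611 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Trap logging: level informational, 9614 message lines logged
        Logging to 192.0.2.10, 9614 message lines logged, xml disabled,
               filtering disabled
"""

# Only the four level-bearing destinations; "Logging to <host>" lines are skipped.
DEST_RE = re.compile(r"^\s*(Console|Monitor|Buffer|Trap) logging: level (\w+)")
MSG_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")


def parse_logging_levels(text):
    """Return {destination: severity_number} parsed from 'show logging' output."""
    levels = {}
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            levels[m.group(1).lower()] = SEVERITIES[m.group(2)]
    return levels


def message_severity(msg):
    """Extract the severity digit from a %FACILITY-N-MNEMONIC message."""
    m = MSG_RE.search(msg)
    if not m:
        raise ValueError("not an IOS syslog message: %r" % msg)
    return int(m.group(1))


def will_be_logged(msg, levels, destination):
    """True when the destination's configured level admits this message."""
    return message_severity(msg) <= levels[destination]


def destinations_for(msg, levels):
    """List every destination (sorted) that will record the message."""
    return sorted(d for d in levels if will_be_logged(msg, levels, d))


if __name__ == "__main__":
    lv = parse_logging_levels(SAMPLE_SHOW_LOGGING)
    for m in ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed",
              "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success",
              "%SYS-5-CONFIG_I: Configured from console"):
        print(m.split(":")[0], "->", destinations_for(m, lv))
```

With the levels shown in the thread, both SEC_LOGIN messages (severities 4 and 5) pass the trap level of informational (6), so a missing login message on the syslog server is not a level problem; only level-7 debug output would stop at the local buffer.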
SOLUTION
This solution is only available to members.

ASKER

No.  Right now I just have a line password and an enable secret.  We are preparing to deploy Cisco ISE in the next couple of months to enable separate user aaa.

Is this why it is not logging anything for access attempts?

VIBT
that could be, I noticed a couple of incidents where that solved the problem.

ASKER

I'm setting up a test switch now.  I will try it and report back.
Thanks!

ASKER

Success!!  It looks like I did have to be using a local user and not just a line password to get it to log connection attempts.  Thanks!!!

2 Quick additional questions:

1. Is there a way to log "exit"s or disconnects?
2. I am seeing [Source: UNKNOWN] in the LOGIN_FAILED & LOGIN_SUCCESS messages (see "A" below).  Is there a way to configure this to capture the originating IP?  I see my IP address in the logs for configuring the switch (see "B" below).

A:
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: UNKNOWN] [localport: 23] at Login Authentication Failed - BadUser

B:
%SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)

Thanks!

VIBT
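Once the switch emits %SEC_LOGIN messages, the useful part happens on the syslog collector: parse the bracketed fields, treat "[Source: UNKNOWN]" as its own condition (as in message "A" above), and count failures per source. The following Python is an added example written for this page, not code from the thread; it handles both message layouts seen above (with and without a [Reason: ...] field, with an empty user) and a LOGIN_SUCCESS line in the same bracket format. All sample lines, usernames and addresses are constructed.

```python
import re
from collections import Counter

# %SEC_LOGIN-<severity>-<mnemonic>: ... [user: x] [Source: y] [localport: n] [Reason: z]
SEC_LOGIN_RE = re.compile(r"%SEC_LOGIN-(\d)-(LOGIN_FAILED|LOGIN_SUCCESS):")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")
PORT_NAMES = {"22": "ssh", "23": "telnet"}  # the two localports seen in the thread

# Constructed sample syslog lines in the formats quoted in the thread.
SAMPLE_SYSLOG = [
    "009607: Apr 14 09:09:55: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)",
    "009620: Apr 14 09:12:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 09:12:01 CEST Thu Apr 14 2016",
    "009621: Apr 14 09:12:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 09:12:09 CEST Thu Apr 14 2016",
    "009622: Apr 14 09:12:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 09:12:15 CEST Thu Apr 14 2016",
    "009623: Apr 14 09:13:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: UNKNOWN] [localport: 23] at Login Authentication Failed - BadUser",
    "009624: Apr 14 09:15:02: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.50] [localport: 22] at 09:15:02 CEST Thu Apr 14 2016",
]


def parse_sec_login(line):
    """Return a dict for a SEC_LOGIN line, or None for any other syslog message."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}
    source = fields.get("source", "UNKNOWN")
    return {
        "outcome": "success" if m.group(2) == "LOGIN_SUCCESS" else "failure",
        "user": fields.get("user") or None,          # "[user: ]" becomes None
        "source": source,
        "source_known": source != "UNKNOWN",         # message "A" in the thread
        "protocol": PORT_NAMES.get(fields.get("localport", ""), "other"),
        "reason": fields.get("reason"),              # absent in the short layout
    }


def summarize(lines, fail_threshold=3):
    """Count login events, UNKNOWN-source events and failures per source."""
    events = [e for e in map(parse_sec_login, lines) if e]
    failures = Counter(e["source"] for e in events if e["outcome"] == "failure")
    return {
        "events": len(events),
        "unknown_source": sum(1 for e in events if not e["source_known"]),
        "failures_by_source": dict(failures),
        # Sources worth a look: repeated failures with a usable address.
        "noisy_sources": sorted(s for s, n in failures.items()
                                if n >= fail_threshold and s != "UNKNOWN"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_SYSLOG).items():
        print("%-19s %s" % (k + ":", v))
```

The "unknown_source" count is the figure to watch for the problem described in question 2: when it is non-zero, the login events are being logged but cannot be attributed to an address, which is exactly the gap that the CONFIG_I lines (message "B") do not have.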

ASKER

Thanks Ernie!
It is your choice, but you really do not use debugging mode for syslog if you plan to use that switch in production.
:)
My pleasure :)

Ad A (and 2): Could be a bug in this specific IOS version. I came across a number of incidents with that. Let me see if I can find the bug ID.

Ad 1: Mmmm, not sure. I would need to look for that.