My ex-colleagues at Counterpane discovered several years ago that support for logging information about logins was pretty weak in Cisco IOS -- basically, your choices were to use an external authentication server and let it do the accounting, or you could run telnet in debug mode and swamp your router with traffic. This gave me lots of wonderful fodder for my log analysis tutorial.

Well, drat them anyhow ;-) Cisco's gone and created an enhanced logging module within IOS that gives you much more useful information about local auth attempts, and doesn't require debug levels! Go Cisco!

The feature was introduced in 12.3.(4)T, and integrated into IOS release 12.2(25)S. The doc is on line at

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm

The module seems to be primarily designed to protect against brute force password attacks and DoS, but does enable logging of both failed and successful logins:

System Logging Messages for Successful and Failed Login Requests

The following logging message is generated upon a successful login request:

00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:test] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2003

The following logging message is generated upon a failed login request:

00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:sdfs] [Source:10.4.2.11] [localport:23] [Reason:Invalid login] at 20:54:42 UTC Fri Feb 28 2003

----->and< the doc includes sample messages. Go figure.

I have no idea when this actually became available -- maybe it's common news to folks, but I'll be updating my tutorial notes and the Cisco doc on www.loganalysis.org.

Thanks, d00dz at Cisco!

tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Sun Oct 03 2004 - 18:25:43 PDT
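
Added example, not part of the original post or of Cisco's documentation: a small Python parser for the two SEC_LOGIN message formats quoted above, with a per-source count of failed logins. The function names, the threshold of 3, and every sample line other than the two quoted in the post are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the messages quoted in the post;
# the rest are invented for this example (192.0.2.50 is a documentation address).
SAMPLE = """\
00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:test] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2003
00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:sdfs] [Source:10.4.2.11] [localport:23] [Reason:Invalid login] at 20:54:42 UTC Fri Feb 28 2003
00:05:01:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] [Source:192.0.2.50] [localport:23] [Reason:Invalid login] at 20:56:09 UTC Fri Feb 28 2003
00:05:03:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:root] [Source:192.0.2.50] [localport:23] [Reason:Invalid login] at 20:56:11 UTC Fri Feb 28 2003
00:05:05:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:cisco] [Source:192.0.2.50] [localport:23] [Reason:Invalid login] at 20:56:13 UTC Fri Feb 28 2003
00:05:10:%SYS-5-CONFIG_I: Configured from console by console
"""

# %FACILITY-SEVERITY-MNEMONIC header, restricted to the two events in the post.
HEADER = re.compile(r"%SEC_LOGIN-(?P<severity>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):")
# Bracketed key:value pairs such as [user:test] or [Reason:Invalid login].
FIELD = re.compile(r"\[(?P<key>[A-Za-z]+):(?P<value>[^\]]*)\]")
# Trailing wall-clock stamp, e.g. "at 20:55:40 UTC Fri Feb 28 2003".
STAMP = re.compile(r"\bat (?P<when>\d\d:\d\d:\d\d \S+ \w{3} \w{3} \d{1,2} \d{4})\s*$")


def parse_line(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    head = HEADER.search(line)
    if not head:
        return None
    rec = {"severity": int(head["severity"]), "event": head["event"]}
    # Only scan after the header; keys are lower-cased so "Source" and
    # "user" come out in one consistent style.
    for m in FIELD.finditer(line, head.end()):
        rec[m["key"].lower()] = m["value"]
    stamp = STAMP.search(line)
    rec["when"] = stamp["when"] if stamp else None
    return rec


def failed_sources(lines, threshold=3):
    """Map source address -> failure count, for sources at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "LOGIN_FAILED":
            counts[rec.get("source", "unknown")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_sources(SAMPLE.splitlines()))
```
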