[logs] Cisco introduces login logging enhancement

From: Tina Bird (tbird@precision-guesswork.com)
Date: Sun Oct 03 2004 - 18:15:05 PDT

My ex-colleagues at Counterpane discovered several years ago that support for
logging information about logins was pretty weak in Cisco IOS -- basically,
your choices were to use an external authentication server and let it do the
accounting, or you could run telnet in debug mode and swamp your router with
traffic.  This gave me lots of wonderful fodder for my log analysis
tutorial.  Well, drat them anyhow ;-) Cisco's gone and created an enhanced
logging module within IOS that gives you much more useful information about
local auth attempts, and doesn't require debug levels!  Go Cisco!  The
feature was introduced in 12.3.(4)T, and integrated into IOS release

The doc is on line at


The module seems to be primarily designed to protect against brute force
password attacks and DoS, but does enable logging of both failed and
successful logins:

System Logging Messages for Successful and Failed Login Requests

The following logging message is generated upon a successful login request:

00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:test] [localport:23] at 20:55:40 UTC Fri Feb 28 2003

The following logging message is generated upon a failed login request:

00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:sdfs] [localport:23] [Reason:Invalid login] at 20:54:42 UTC Fri Feb 28 2003

And the doc includes sample messages.  Go figure.

I have no idea when this actually became available -- maybe it's common
news to folks, but I'll be updating my tutorial notes and the Cisco doc on
www.loganalysis.org.

Thanks, d00dz at Cisco!

tbird

LogAnalysis mailing list
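A parser and a simple review pass for the two SEC_LOGIN message shapes quoted in the post above, as an added example that is not part of the original message or of Cisco's documentation. The function names, the failure threshold and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

HEAD = re.compile(r"%SEC_LOGIN-\d-(LOGIN_SUCCESS|LOGIN_FAILED):")
FIELD = re.compile(r"\[(\w+):\s*([^\]]*)\]")   # [user:test], [Reason:Invalid login], ...
WHEN = re.compile(r"\]\s*at\s+(.+)$")          # timestamp after the last bracketed field

def parse(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    flat = " ".join(line.split())              # undo line wrapping inside a message
    head = HEAD.search(flat)
    if not head:
        return None
    rec = {k.lower(): v for k, v in FIELD.findall(flat[head.end():])}
    when = WHEN.search(flat)
    rec.update(event=head.group(1), when=when.group(1) if when else None)
    return rec

def review(lines, threshold=3):
    """Return (users with >= threshold failures in a row,
    users whose successful login followed a failure)."""
    fails, noisy, success_after_fail = defaultdict(int), set(), set()
    for rec in filter(None, map(parse, lines)):
        user = rec.get("user", "")
        if rec["event"] == "LOGIN_FAILED":
            fails[user] += 1
            if fails[user] >= threshold:
                noisy.add(user)
        else:
            if fails[user]:
                success_after_fail.add(user)
            fails[user] = 0                    # a success ends the failure run
    return noisy, success_after_fail

# First two entries: the messages quoted in the post, wrapped as they appear there.
# Everything after them is constructed for this example.
FAIL = ("00:06:0{0}:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] "
        "[localport:23] [Reason:Invalid login] at 20:57:0{0} UTC Fri Feb 28 2003")
SAMPLE = [
    "00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:test]\n"
    "[localport:23] at 20:55:40 UTC Fri Feb 28 2003",
    "00:03:34:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:sdfs]\n"
    "[localport:23] [Reason:Invalid login] at 20:54:42 UTC Fri Feb 28\n2003",
    "00:05:30:%SYS-5-CONFIG_I: Configured from console by console",
    FAIL.format(1), FAIL.format(2), FAIL.format(3),
    "00:06:09:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:admin] "
    "[localport:23] at 20:57:09 UTC Fri Feb 28 2003",
]
```

Calling `review(SAMPLE)` reports `admin` in both sets: three failures in a row, then a success that followed them.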
