Logging login events

Discussion in 'Cisco' started by scardinal@yahoo.com, Jun 24, 2005.

  1. Guest

    I have a PIX 515 running 6.3(3) and sending events to a remote syslog
    server. I am trying to set up a log monitor (SEC) on my syslog host and
    would like to watch the PIX entries for login attempts and any time a
    configuration is changed (using write memory). However, no matter what
    level I set my logging trap to, I don't see any events for those cases
    in my syslog stream. I saw some sample configs for SEC that watch for
    those events, so that suggests that it should be do-able, but I just
    can't find out how.

    Any ideas?

    Thanks in advance
    Steve
    , Jun 24, 2005
    #1

  2. Guest

    logging on
    logging timestamp
    logging trap debugging
    logging history errors
    logging queue 0
    logging host inside 10.42.52.15
    logging host inside 10.76.0.250

    Works for me. Of course you have to have the syslog server set up to
    receive, but it sounds like you have that part.

    regards,
    -charlie

    wrote:
    > I have a PIX 515 running 6.3(3) and sending events to a remote syslog
    > server. I am trying to setup a log monitor (SEC) on my syslog host and
    > would like to watch the PIX entries for login attempts and any time a
    > configuration is changed (using write memory). However, no matter what
    > level I set my logging trap to, I don't see any events for those cases
    > in my syslog stream. I saw some sample configs for SEC that watch for
    > those events, so that suggests that it should be do-able, but I just
    > can't find out how.
    >
    > Any ideas?
    >
    > Thanks in advance
    > Steve
    , Jun 24, 2005
    #2

  3. Guest

    Thanks charlie,

    Turns out that my issue was that I wasn't running my logging trap in
    debug level. Unfortunately, I really don't want to run a production
    system in debug just to get login details. Bummer - hopefully Cisco
    will recognize that login tracking is more important for things than
    just debugging and change that in the future.

    Cheers.
    Steve
    , Jun 27, 2005
    #3
  4. In article <>,
    <> wrote:
    :Turns out that my issue was that I wasn't running my logging trap in
    :debug level. Unfortunately, I really don't want to run a production
    :system in debug just to get login details. Bummer - hopefully cisco
    :will recognize that login tracking is more important for things than
    :just debugging and change that in the future.

    Note the newish 'level' keyword:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1028090
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
    Walter Roberson, Jun 27, 2005
    #4
  5. Hi Steve,

    You might want to look into setting up AAA on your PIX. Using RADIUS
    (or TACACS if you're inclined) and AAA Authorization you can get login
    attempts and even track each command entered. There are quite a few
    freeware RADIUS suites available or you could try TAC+ (freeware TACACS).

    TACACS vs. RADIUS:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

    Old but still good document on AAA and PIX:
    http://www.cisco.com/en/US/products...s_configuration_example09186a0080094188.shtml

    Cheers,
    Spencer Teran

    wrote:
    > Thanks charlie,
    >
    > Turns out that my issue was that I wasn't running my logging trap in
    > debug level. Unfortunately, I really don't want to run a production
    > system in debug just to get login details. Bummer - hopefully cisco
    > will recognize that login tracking is more important for things than
    > just debugging and change that in the future.
    >
    > Cheers.
    > Steve
    >
    Spencer Teran, Jun 27, 2005
    #5
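
An added example, not part of any post in this thread: a small filter for the syslog host that picks login and configuration-save events out of a PIX stream by message ID rather than by severity, so it keeps working if the `level` keyword from post #4 is used to move those messages to another level. The message IDs (605004, 605005, 111008), their text layouts, the function names and the sample lines are assumptions made for this example; check the IDs against the system log message documentation for your release.

```python
import re

# Assumption: message IDs and text formats as listed in Cisco's PIX system
# log message documentation; confirm them against the release you run.
EVENTS = {
    "605004": "login_denied",
    "605005": "login_permitted",
    "111008": "command_executed",
}

# Layout: %PIX-<severity>-<message id>: <text>. Severity is recorded but never
# matched on, since 'logging message <id> level <level>' can reassign it.
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
USER_RE = re.compile(r"""[Uu]ser ['"](?P<user>[^'"]+)['"]""")
CMD_RE = re.compile(r"executed the '(?P<cmd>[^']+)' command")

def classify(line):
    """Return an event dict for a login or config-save line, else None."""
    m = PIX_RE.search(line)
    if not m or m["msgid"] not in EVENTS:
        return None
    user = USER_RE.search(m["text"])
    event = {"type": EVENTS[m["msgid"]], "msgid": m["msgid"],
             "severity": int(m["sev"]), "user": user["user"] if user else None}
    if m["msgid"] == "111008":
        cmd = CMD_RE.search(m["text"])
        # Keep only 'write memory' (and its abbreviations), not every command.
        if not cmd or not cmd["cmd"].startswith("write mem"):
            return None
        event.update(type="config_saved", command=cmd["cmd"])
    return event

def scan(lines):
    """Classify every line and keep only the events of interest."""
    return [e for e in map(classify, lines) if e]

# Constructed sample lines (not captured from a real device). The third one
# carries a non-default severity to show that matching still works.
SAMPLE = [
    'Jun 27 10:01:12 pix515 %PIX-6-605005: Login permitted from 192.0.2.20/1045 to inside:192.0.2.1/telnet for user "steve"',
    "Jun 27 10:01:40 pix515 %PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
    'Jun 27 10:02:03 pix515 %PIX-4-605004: Login denied from 192.0.2.99/2210 to inside:192.0.2.1/telnet for user "admin"',
    "Jun 27 10:02:10 pix515 %PIX-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/80",
]

if __name__ == "__main__":
    for event in scan(SAMPLE):
        print(event)
```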
