<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5512" name=GENERATOR>
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-AU vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=849432000-30082010><FONT face=Arial
size=2>Depending on IOS version there's also:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=849432000-30082010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=849432000-30082010><FONT face=Arial
size=2>login on-failure log</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=849432000-30082010><FONT face=Arial
size=2>login on-success log</FONT></SPAN></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=849432000-30082010><FONT face=Arial
size=2>Regards,</FONT></SPAN></DIV>
<DIV><SPAN class=849432000-30082010><FONT face=Arial
size=2>Brad</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <B>On Behalf Of </B>Nathan Le
Nevez<BR><B>Sent:</B> Friday, 27 August 2010 7:43 PM<BR><B>To:</B> Greg M;
ausnog@ausnog.net<BR><B>Subject:</B> Re: [AusNOG] Cisco Sysloging &
Auditing<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Some newer IOSs give you
commands like this:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">“security authentication failure
rate 3 log”<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">and will generate syslog events
such as<BR><BR><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">011690: Aug 27 19:40:51.381
AEST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: npl] [Source: X.X.X.X]
[localport: 22] at 19:40:51 AEST Fri Aug 27 2010<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Nathan<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0cm; PADDING-BOTTOM: 0cm; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN lang=EN-US
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'; mso-fareast-language: EN-AU">From:</SPAN></B><SPAN
lang=EN-US
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'; mso-fareast-language: EN-AU">
ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net] <B>On
Behalf Of </B>Greg M<BR><B>Sent:</B> Friday, 27 August 2010 6:06
PM<BR><B>To:</B> ausnog@ausnog.net<BR><B>Subject:</B> [AusNOG] Cisco Sysloging
& Auditing<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Hi All,<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I am in the process of implementing radius auth & syslog
(ing) across about 400 switches/routers in an organisation and have hit one
snitch.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I’ve got radius auth + syslog happening fine, including cli
commands, eg:<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Aug 27 16:04:04 10.200.1.254 232: 000226: 3d14h:
%HA_EM-6-LOG: CLIaccounting: write<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>However, I am stumped on getting aaa logging sent to Syslog.
Basically, we want the syslog to tell us if someone logs in successfully/fails
and logs out etc.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thanks for any help, especially given it’s a Friday arvo
<SPAN style="FONT-FAMILY: Wingdings">J</SPAN><o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Greg<o:p></o:p></P></DIV></BODY></HTML>