At OSSEC we have a long list of log formats to add support for in the next version, and one of them is the Cisco IOS logs. Since it is such a common device, I decided to start working on that…
One of my surprises when looking at the IOS logs was a new (well, not really new, but I didn’t know about it) feature introduced in version 12.3 that allows full granularity for logging authentication events.
So, if you want to forward all failed and successful login attempts from your IOS device to a remote syslog server, you can just enable login logging:
login on-failure log
login on-success log
If you enable that, you will get logs similar to these:
%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:220.127.116.11] [localport:22] at 13:51:11 UTC Web Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:18.104.22.168] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Web Nov 11 2006
From now on, whenever you enable syslog on a Cisco IOS device, don’t forget these commands.
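As an added example (not OSSEC's decoder and not code from the original post), here is one way to parse the two SEC_LOGIN messages shown above on the syslog server and count failed logins per source. The sample lines, the `rtr1` hostname, the addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two messages shown above;
# addresses are documentation-range placeholders, "rtr1" is a made-up relay prefix.
SAMPLE = """\
%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:192.0.2.10] [localport:22] at 13:51:11 UTC Sat Nov 11 2006
Nov 11 13:51:19 rtr1 42: %SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:198.51.100.7] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Sat Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] [Source:198.51.100.7] [localport:22] [Reason:Invalid login] at 13:51:24 UTC Sat Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:root] [Source:198.51.100.7] [localport:22] [Reason:Invalid login] at 13:51:30 UTC Sat Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:203.0.113.5] [localport:22] [Reason:Invalid login] at 13:52:02 UTC Sat Nov 11 2006
%SYS-5-CONFIG_I: Configured from console by dbc on vty0 (192.0.2.10)
"""

# search() rather than match(): a syslog relay may prepend its own timestamp and host.
HEADER = re.compile(r"%SEC_LOGIN-(?P<severity>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):")
FIELD = re.compile(r"\[(?P<key>[A-Za-z]+):(?P<value>[^\]]*)\]")

def parse_line(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    m = HEADER.search(line)
    if not m:
        return None
    event = {"severity": int(m.group("severity")), "event": m.group("event")}
    # Bracketed fields are read generically because Reason only appears on failures.
    # The user value is whatever the client typed, so treat it as untrusted text.
    for f in FIELD.finditer(line, m.end()):
        event[f.group("key").lower()] = f.group("value")
    return event

def failed_sources(lines, threshold=3):
    """Map source address -> failure count, for sources at or above the threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == "LOGIN_FAILED" and "source" in ev:
            counts[ev["source"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_sources(SAMPLE.splitlines()))
```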