Logging authentication events from Cisco IOS

At OSSEC we have a long list of log formats to add support for in the next version, and one of them is the Cisco IOS logs. Since it is such a common device, I decided to start working on that…

One of my surprises when looking at the IOS logs was a new (well, not really new, but I didn’t know about it) feature introduced in version 12.3 that allows full granularity for logging authentication events.

So, if you are interested in forwarding all failed and successful login attempts from your IOS device to a remote syslog server, you can just enable login logging:

login on-failure log
login on-success log

If you enable that, you will get logs similar to these:

%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:] [localport:22] at 13:51:11 UTC Web Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Web Nov 11 2006
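
One way to consume these messages on the syslog server, as an added example (not code from the original post and not OSSEC's own decoder): a parser for the two SEC_LOGIN layouts shown above, plus a count of failed logins per source. The sample lines, addresses, user names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

HEADER = re.compile(r"%SEC_LOGIN-(?P<severity>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):")
FIELD = re.compile(r"\[(?P<key>[A-Za-z]+):(?P<value>[^\]]*)\]")
STAMP = re.compile(r"\] at (?P<when>[^\[\]]+)$")  # text after the last bracketed field

def parse_sec_login(line):
    """Return a dict for a SEC_LOGIN message, or None for any other line."""
    head = HEADER.search(line)  # search, so a syslog prefix before '%' is tolerated
    if head is None:
        return None
    body = line[head.end():].rstrip()
    event = {"event": head["event"], "severity": int(head["severity"])}
    for field in FIELD.finditer(body):
        # An empty value such as "[Source:]" is stored as None, not "".
        event[field["key"].lower()] = field["value"].strip() or None
    stamp = STAMP.search(body)
    event["when"] = stamp["when"].strip() if stamp else None
    return event

def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failed logins (assumed cutoff)."""
    failures = Counter()
    for line in lines:
        event = parse_sec_login(line)
        if event and event["event"] == "LOGIN_FAILED" and event.get("source"):
            failures[event["source"]] += 1
    return sorted(src for src, count in failures.items() if count >= threshold)

# Constructed sample input: same layout as the messages above, with
# documentation-range addresses and made-up user names filled in.
FAILED = ("%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:{}] [Source:{}] "
          "[localport:22] [Reason:Invalid login] at 13:52:0{} UTC Sat Nov 11 2006")
SAMPLE = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:192.0.2.10] "
    "[localport:22] at 13:51:11 UTC Sat Nov 11 2006",
    FAILED.format("dbc", "", 1),
    FAILED.format("admin", "198.51.100.7", 2),
    FAILED.format("root", "198.51.100.7", 3),
    FAILED.format("cisco", "198.51.100.7", 4),
    "%SYS-5-CONFIG_I: Configured from console by dbc on vty0 (192.0.2.10)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_sec_login(line))
    print("sources over threshold:", noisy_sources(SAMPLE))
```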

From now on, whenever you enable syslog on a Cisco IOS device, don’t forget these commands.

Posted in logging, cisco by Daniel Cid (dcid)
