{"id":357,"date":"2006-11-13T04:34:00","date_gmt":"2006-11-13T04:34:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=357"},"modified":"2020-07-03T04:34:54","modified_gmt":"2020-07-03T04:34:54","slug":"logging-authentication-events-from-ios","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2006\/11\/logging-authentication-events-from-ios\/","title":{"rendered":"Logging authentication events from IOS"},"content":{"rendered":"\n<p>At&nbsp;<a href=\"http:\/\/www.ossec.net\/\">ossec<\/a>&nbsp;we have a long list of log formats to add support for in the next version, and one of them is the Cisco&nbsp;<a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/software\/ios124\/124sup\/124sms\/index.htm\">IOS logs<\/a>. Since it is such a common device, I decided to start working on that\u2026<\/p>\n\n\n\n<p>One of my surprises when looking at the IOS logs was a&nbsp;<em>new<\/em>&nbsp;(well, not really new, but I didn\u2019t know about it) feature introduced in version 12.3 that allows full granularity for logging authentication events. 
So, if you are interested in forwarding all failed and successful login attempts from your IOS device to a remote syslog server, you can just&nbsp;<a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/software\/ios123\/123newft\/123t\/123t_4\/gt_login.htm\">enable<\/a>&nbsp;<a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/software\/ios124\/124cr\/hsec_r\/sec_k1h.htm#wp1180994\">login logging<\/a>:<\/p>\n\n\n\n<p><em>login on-failure log<br>login on-success log<\/em><\/p>\n\n\n\n<p>If you enable that, you will get logs similar to these:<\/p>\n\n\n\n<p><em>%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:1.2.3.4] [localport:22] at 13:51:11 UTC Web Nov 11 2006<br>%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Web Nov 11 2006<\/em><\/p>\n\n\n\n<p>From now on, whenever you&nbsp;<a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/software\/ios121\/121sup\/121debug\/dbdintro.htm#1017289\">enable syslog<\/a>&nbsp;on Cisco IOS, don\u2019t forget these commands.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At&nbsp;ossec&nbsp;we have a long list of log formats to add support for in the next version, and one of them is the Cisco&nbsp;IOS logs. 
Since it is such a common device, I decided to start working on that\u2026 One of my surprises when looking at the IOS logs was a&nbsp;new&nbsp;(well, not really new, but I didn\u2019t know [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/357"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=357"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/357\/revisions"}],"predecessor-version":[{"id":358,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/357\/revisions\/358"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}