Cisco login on-failure using syslog doesn't show username on failure?


Solution 1

This is a known bug: https://supportforums.cisco.com/thread/217502

I was able to reproduce it in my lab as well.

Solution 2

It has been known in the *nix and network community for a long time that logging usernames can sometimes divulge the password of an account.

For example: Someone types the username, and accidentally hits return twice. This will result in two login failures being logged, one for the username, and one for the password in the username field.
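Both answers bear on how a log consumer should treat the `[user: ]` field: it may be empty (the bug in Solution 1) or it may contain a password typed at the username prompt (the risk in Solution 2). The following script is an added example, not code from the question or either answer. It parses the `%SEC_LOGIN` messages produced by `login on-failure log` / `login on-success log`, redacts user values that are not known accounts before they are stored, and flags any source that fails three times within 60 seconds, matching the `login block-for 60 attempts 3 within 60` quiet-mode trigger in the question's config. The `LOGIN_FAILED` layout is the one quoted in the question; the `LOGIN_SUCCESS` layout, the `Mmm dd hh:mm:ss` syslog prefix, the sample lines and the `KNOWN_USERS` set are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern for the IOS login-audit messages generated by "login on-failure log"
# and "login on-success log". The LOGIN_FAILED layout is the one quoted in the
# question; the LOGIN_SUCCESS layout and the "Mmm dd hh:mm:ss" syslog prefix
# are assumptions for this example. Anything after [localport: N] is optional.
LOGIN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): "
    r"Login \w+ \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]*)\])?"
)

# Constructed sample syslog lines (not captured from a real device): one source
# fails four times in under a minute, once with the empty "[user: ]" field from
# the question and once with something that looks like a password typed at the
# username prompt, then a different host logs in successfully.
SAMPLE_LOG = """\
Mar  1 10:00:01 10.0.0.5 11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
Mar  1 10:00:09 10.0.0.5 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
Mar  1 10:00:15 10.0.0.5 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Tr0ub4dor&3] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
Mar  1 10:00:31 10.0.0.5 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
Mar  1 10:02:00 10.0.0.5 15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jim] [Source: 10.0.0.9] [localport: 23]
Mar  1 10:05:00 10.0.0.5 16: %SYS-5-CONFIG_I: Configured from console by jim on vty0 (10.0.0.9)
"""

# Accounts that exist on the switch (constructed). Any other value in the user
# field is treated as a possible mistyped password and redacted before storage,
# which is the exposure Solution 2 describes.
KNOWN_USERS = {"admin", "jim"}


def parse_login_event(line, year=2012):
    """Return a dict for a %SEC_LOGIN line, or None for any other message."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed one is enough for ordering.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "failed": m["kind"] == "LOGIN_FAILED",
        "user": m["user"],
        "src": m["src"],
        "port": int(m["port"]),
        "reason": m["reason"],
    }


def redact_user(user, known_users=KNOWN_USERS):
    """Keep empty and known usernames; mask anything else."""
    if user == "" or user in known_users:
        return user
    return "<redacted>"


def sources_over_threshold(events, attempts=3, within_seconds=60):
    """Sources with at least `attempts` failures inside any `within_seconds` window.

    Mirrors the quiet-mode trigger "login block-for 60 attempts 3 within 60",
    so a hit here should coincide with the switch entering quiet mode.
    """
    window = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["failed"]:
            continue
        q = window[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > within_seconds:
            q.popleft()
        if len(q) >= attempts:
            flagged.add(ev["src"])
    return flagged


def analyse(log_text):
    """Parse, redact and summarise a block of syslog text."""
    events = [e for e in (parse_login_event(ln) for ln in log_text.splitlines()) if e]
    for ev in events:
        ev["user"] = redact_user(ev["user"])
    return {
        "events": events,
        "empty_user_failures": sum(1 for e in events if e["failed"] and e["user"] == ""),
        "blocked_sources": sources_over_threshold(events),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ev in result["events"]:
        state = "FAILED " if ev["failed"] else "SUCCESS"
        print(f"{ev['ts']:%H:%M:%S} {state} user={ev['user']!r} src={ev['src']}")
    print("failures with empty user field:", result["empty_user_failures"])
    print("sources over threshold:", sorted(result["blocked_sources"]))
```

Because the switch in the question never fills the user field on failure, the counter of empty-user failures is the useful signal there: the source address and the failure rate still identify a problem even when the account name is missing, and redacting unknown values keeps a mistyped password out of the central log.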

Updated on September 18, 2022

Comments

  • Jim
    Jim over 1 year

    Interesting issue I am running into. I am trying to get syslog remote logging working with a Cisco switch. I have it working and logging for both on-success and on-failure. However, when it is a failed login attempt it does not show the user name that tried to log in in the logs?

    Here is what the log looks like after a failed login:

     %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
    

    Here is what I have in the sh run:

    login block-for 60 attempts 3 within 60
    login delay 1
    login on-failure log
    login on-success log
    
    archive
     log config
      logging enable
      notify syslog contenttype plaintext
    
    logging trap notifications
    logging facility local4
    logging 10.0.0.8
    
    
    aaa new-model
    aaa authentication login default local group tacacs+
    aaa authorization config-commands
    aaa authorization exec default local group tacacs+
    
    • Jim
      Jim over 11 years
      Yes, both tacacs and local, see edits.
    • Jim
      Jim over 11 years
      Doesn't show username in logs for either local or tacacs authentication.
    • jwbensley
      jwbensley over 11 years
      What about console access? Also is this via ssh or telnet? Have you tried the other?
    • Jim
      Jim over 11 years
      Telnet, no SSH on this firmware version. This is our current firmware bin c3750-ipbase-mz.122-50.SE5.bin
    • Mike Pennington
      Mike Pennington over 11 years
      You may want to flip the order of tacacs / local login... presumably that is a shared local username / password and if you don't make it a last resort login, it's likely to be abused when people want to hide their identity during changes.