Cisco Device - User login alert

I am trying to set up an alert based on a specific user login. For example, if user "A" fails to log in or successfully logs in to a specific Cisco device, I would like to be alerted on it. If you know how to do this, please let me know.

Thank you in advance for your help

  • Hi,

    Depending on your device, the following should work:

    login on-failure log

    login on-success log

    This will produce the following syslog messages:

    Jun 17 21:25:29.478 MDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.1.0.23] [localport: 22] at 21:25:29 MDT Mon Jun 17 2013

    Jun 17 21:26:03.178 MDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser] [Source: 10.1.0.23] [localport: 22] [Reason: Login Authentication Failed] at 21:26:03 MDT Mon Jun 17 2013

    Once you have the syslog messages, you should be able to create an alert to send notifications.

  • Thank you branfarm for your reply. You are correct on your suggestion, yet I decided to take it one step further, as I got it to work and I want to make it easier for anyone to do this.

    NOTE: These steps were done on a Cisco Catalyst 2960 switch (it should work on any Cisco IOS device)

    NOTE: This configuration is done for the NPM product, not NCM. Sorry, but I couldn't figure out how to re-categorize this post.

    STEP 1: Enter the following settings on the Cisco device.

    Conf t

    logging {solarwinds IP}

    logging on

    login on-failure log

    login on-success log

    ! Not necessary, but it's good practice to write your syslog to a file in case the switch reboots.
    logging file flash:syslogSolarwinds

    ! Not necessary, but it's good practice to have your syslog messages in sequence.
    service sequence-numbers

    logg trap 5

    logging history 4

    ! Not necessary, but it's good practice.
    archive
       log config
       logging enable
       notify syslog
       hidekeys

    STEP 2: Enter these settings on your Solarwinds server

    Launch "Syslog Viewer".

    Enter the IP address of the device you previously configured in the "Source IP Address" field. This will allow you to see only the syslogs from that device. If you don't see any logs, go back to STEP 1.

    Go to "Syslog Server Settings", click on the "Alert/Filter" tab and "add a new rule".

    Modify the following tabs:

    General tab: enter the IP address of the device that you want to receive alerts from.

    Message tab: enter these patterns in the "Syslog Message Pattern" field

    [Screenshot: syslog 5.JPG]

    Severity/Facility tab: select these options only

    [Screenshot: syslog 6.JPG]

    Alert Actions tab: enter your email address and make sure you enter the SMTP server settings, otherwise you won't get an email alert.

    Test your settings by logging in to the switch you previously configured. You should receive a real-time email alert based on the rules you configured.

    I hope this is beneficial to anyone trying to get these results.
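
The same per-user, per-device match can be checked outside the Syslog Viewer. The following Python filter is an added example, not part of the original thread: it parses the two %SEC_LOGIN messages quoted above and returns those for a watched user on a watched device. The function names, the sender address 192.0.2.10 and the extra sample lines are assumptions made for this example.

```python
import re

# Matches the two %SEC_LOGIN messages quoted in the thread; the [Reason: ...]
# field is only present on LOGIN_FAILED.
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]+)\])?"
)

def parse_login(message):
    """Return the fields of a SEC_LOGIN message, or None for anything else."""
    m = SEC_LOGIN.search(message)  # search() tolerates sequence-number prefixes
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"], rec["port"] = int(rec["sev"]), int(rec["port"])
    return rec

def login_alerts(received, watched_users, devices):
    """Return (device, record) pairs for watched users on watched devices.

    `received` holds (sender_ip, message) pairs as a syslog receiver sees them.
    """
    watched = {u.lower() for u in watched_users}  # case-insensitive user match
    hits = []
    for sender, message in received:
        rec = parse_login(message) if sender in devices else None
        if rec and rec["user"].lower() in watched:
            hits.append((sender, rec))
    return hits

# Constructed sample: the thread's two messages (sender IPs are made up), plus
# another user, an unwatched device and a non-login line.
T = "Jun 17 21:25:29.478 MDT: "
SAMPLE = [
    ("192.0.2.10", T + "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.1.0.23] [localport: 22] at 21:25:29 MDT Mon Jun 17 2013"),
    ("192.0.2.10", "Jun 17 21:26:03.178 MDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser] [Source: 10.1.0.23] [localport: 22] [Reason: Login Authentication Failed] at 21:26:03 MDT Mon Jun 17 2013"),
    ("192.0.2.10", "000042: " + T + "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.0.50] [localport: 22] [Reason: Login Authentication Failed]"),
    ("192.0.2.99", T + "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.1.0.23] [localport: 22]"),
    ("192.0.2.10", T + "%SYS-5-CONFIG_I: Configured from console by testuser on vty0 (10.1.0.23)"),
]

if __name__ == "__main__":
    for device, rec in login_alerts(SAMPLE, {"testuser"}, {"192.0.2.10"}):
        print(device, rec["event"], rec["user"], rec["source"], rec["reason"])
```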