I am trying to set up an alert based on a specific user login. Example: if user "A" fails to log in or successfully logs in to a specific Cisco device, I would like to be alerted on it. If you know how to do this please let me know.
Thank you in advance for your help
Hi,
Depending on your device, the following should work:
login on-failure log
login on-success log
This will produce the following syslog messages:
Jun 17 21:25:29.478 MDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.1.0.23] [localport: 22] at 21:25:29 MDT Mon Jun 17 2013
Jun 17 21:26:03.178 MDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser] [Source: 10.1.0.23] [localport: 22] [Reason: Login Authentication Failed] at 21:26:03 MDT Mon Jun 17 2013
Once you have the syslog messages, you should be able to create an alert to send notifications.
Thank you branfarm for your reply. Your suggestion is correct, yet I decided to take it one step further as I got it to work and I want to make it easier for anyone to do this.
NOTE: These steps were done on a Cisco Catalyst 2960 switch (it should work on any Cisco IOS device)
NOTE: This configuration is done for the NPM product, not NCM. Sorry, but I couldn't figure out how to re-categorize this post.
STEP 1: Enter the following settings on the Cisco device.
Conf t
logging {solarwinds IP}
logging on
login on-failure log
login on-success log
! Not necessary, but it's good practice to write your syslog to a file in case the switch reboots.
logging file flash:syslogSolarwinds
! Not necessary, but it's good practice to have your syslog messages in sequence.
service sequence-numbers
logging trap 5
logging history 4
! Not necessary, but it's good practice.
archive
 log config
  logging enable
  notify syslog
  hidekeys
STEP 2: Enter these settings on your Solarwinds server
Launch "Syslog Viewer".
Enter the IP address of the device you previously configured in the "Source IP Address" field. This will allow you to see only the syslogs from that device. If you don't see any logs, go back to STEP 1.
Go to "Syslog Server Settings", click on the "Alert/Filter" tab and "add a new rule".
Modify the following tabs:
General tab: enter the IP address of the device that you want to receive alerts from.
Message tab: enter these patterns in the "Syslog Message Pattern" field
Severity/Facility tab: select these options only
Alert Actions tab: enter your email address and make sure you enter the SMTP server settings, otherwise you won't get an email alert.
Test your settings by logging into the switch you previously configured. You should receive a real-time email alert based on the rules you configured.
I hope this is beneficial to anyone trying to get these results.
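One way to check which of the %SEC_LOGIN syslog messages shown above concern a given user, written here as an added example that is not part of the original posts or of any SolarWinds product. The function names and the last two sample lines are constructed for illustration.

```python
import re

# Matches the %SEC_LOGIN messages that "login on-success log" and
# "login on-failure log" produce; [Reason: ...] appears only on failures.
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-(?P<severity>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]*)\])?"
)

def parse_login_event(line):
    """Return the fields of a SEC_LOGIN message as a dict, or None otherwise."""
    m = SEC_LOGIN.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    event["port"] = int(event["port"])
    return event

def alerts_for_user(lines, watched_user):
    """Return parsed login events whose user field equals watched_user."""
    # Compare the parsed field exactly: a substring match on the raw line
    # would also fire for "testuser2" or for the name in an unrelated message.
    events = (parse_login_event(line) for line in lines)
    return [e for e in events if e and e["user"] == watched_user]

SAMPLE = [
    # The two messages quoted in the thread.
    "Jun 17 21:25:29.478 MDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.1.0.23] [localport: 22] at 21:25:29 MDT Mon Jun 17 2013",
    "Jun 17 21:26:03.178 MDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser] [Source: 10.1.0.23] [localport: 22] [Reason: Login Authentication Failed] at 21:26:03 MDT Mon Jun 17 2013",
    # Constructed lines: a similar user name and a non-login message.
    "Jun 17 21:27:10.002 MDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser2] [Source: 10.1.0.23] [localport: 22] [Reason: Login Authentication Failed] at 21:27:10 MDT Mon Jun 17 2013",
    "Jun 17 21:28:00.120 MDT: %SYS-5-CONFIG_I: Configured from console by testuser on vty0 (10.1.0.23)",
]

if __name__ == "__main__":
    for e in alerts_for_user(SAMPLE, "testuser"):
        print(e["event"], e["user"], e["source"], e["reason"] or "-")
```

Matching on the parsed user field rather than on the raw text is what keeps "testuser2" and the configuration-change message from raising an alert for "testuser".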