
10451 Views 4 Replies Latest reply: Apr 19, 2010 5:55 PM by Gods Son RSS


how do you monitor user login history in a router/switch

Apr 19, 2010 11:33 AM

Gods Son 21 posts since
Nov 21, 2008

Is there a way to monitor who logs into a local router? I know show users and show line both give you similar detail; however, they do not show you the previous history of who logged in to the router. They just show the currently logged-in users and how many times the line has been logged into.

How can I check the history – say, the time a user last logged into the router and who the user is? Thanks

  • CCBOOTCAMP - CCIE 228 posts since
    Sep 11, 2008

    Have you considered using a TACACS server? That would give you the information you're looking for.

     

    Brad Ellis

    CCIE#5796

    www.ccbootcamp.com

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009

     

    Good day-

     

    We could use Embedded Event Manager for this locally on the router. This will keep in its log file everyone who goes into privileged mode, what IP address they came in from, their username (if they authenticated with a username), and the time they went into privileged mode.

    I labbed up a full example for you. No external devices required. Just the local router. There are several options for this, so feel free to modify them to your liking. Also make sure that the IOS in use supports EEM.

    The documentation roadmap for EEM is here: http://www.cisco.com/en/US/partner/docs/ios/netmgmt/configuration/guide/netmgmt_eem_roadmap.html

     

     

    I used the following gear:

     

    R5#show ver

    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T

     

     

    Using the EEM applet below, whenever anyone types in enable, it adds a syslog message including the user name, their IP address, and the time.  You may want to include requiring authentication on the console, if you want to force users to submit a username when connecting.

     

     

    I cleared the log, then configured as follows:

     

    clear log

    conf t
    logging buffered 7
    username bob password cisco

    event manager applet test2
    event cli pattern "enable" sync no skip no
    action 1 cli command "enable"
    action 2 cli command "show clock"
    action 3 syslog msg "$_cli_result"
    action 4 cli command "who"
    action 5 syslog msg "$_cli_result"

    line vty 0 4
    login local

    end

     

    telnet 150.1.5.5

    R5#telnet 150.1.5.5
    Trying 150.1.5.5 ... Open

    User Access Verification

    Username: bob
    Password: cisco
    R5>enable
    Password: cisco (configured earlier as the enable secret)
    R5#show log
    Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)

    <snip the boring stuff>

    %HA_EM-6-LOG: test2:
    17:31:23.850 UTC Mon Apr 19 2010
    R5#
    %HA_EM-6-LOG: test2:
        Line       User       Host(s)              Idle       Location
       0 con 0                150.1.5.5            00:00:00
    194 vty 0     bob        idle                 00:00:00 150.1.5.5
    *195 vty 1                idle                 00:00:00 EEM:test2

      Interface    User               Mode         Idle     Peer Address

    <this is the end of the syslog>


     

    Cool isn't it?

     

    For some tutorials on EEM, you may go here:

     

    http://blog.ine.com/2009/12/17/embedded-event-manager-not-just-for-breakfast/

     

     

    Best wishes,

     

    Keith
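Added example (not part of the original thread or of Keith's lab): a Python sketch that turns the buffered-log text produced by the test2 applet into a list of enable events, each carrying the clock string and the sessions that `who` reported at that moment. The sample log is constructed from the output shown above, and the function names and the hh:mm:ss idle format are assumptions. Note that `who` lists every session present when enable was typed, so with several users connected the event shows all of them; only the applet's own EEM vty is filtered out.

```python
import re

# Constructed sample, shaped like the "show log" output in the post above.
SAMPLE_LOG = """\
%HA_EM-6-LOG: test2:
17:31:23.850 UTC Mon Apr 19 2010
R5#
%HA_EM-6-LOG: test2:
    Line       User       Host(s)              Idle       Location
   0 con 0                150.1.5.5            00:00:00
 194 vty 0     bob        idle                 00:00:00 150.1.5.5
*195 vty 1                idle                 00:00:00 EEM:test2
"""

# "show clock" result; a leading * or . marks a clock that is not authoritative/synced.
CLOCK = re.compile(r"^[*.]?(\d\d:\d\d:\d\d\.\d+ \S+ \w{3} \w{3} +\d+ \d{4})")
ROW = re.compile(r"^\s*(\*?)\s*\d+\s+((?:con|aux|vty|tty)\s+\d+)\s+(.*)$")
IDLE = re.compile(r"^\d\d:\d\d:\d\d$")  # assumption: idle time printed as hh:mm:ss

def parse_who_row(line):
    """Parse one 'who' row; User and Location are optional columns."""
    m = ROW.match(line)
    if not m:
        return None
    tokens = m.group(3).split()
    i = next((n for n, t in enumerate(tokens) if IDLE.match(t)), None)
    if i is None:
        return None
    before, after = tokens[:i], tokens[i + 1:]
    return {"line": " ".join(m.group(2).split()),
            # Two tokens before Idle means User + Host(s); one means Host(s) only.
            "user": before[0] if len(before) > 1 else None,
            "location": " ".join(after) or None}

def enable_events(log_text, applet="test2"):
    """Group each logged clock line with the 'who' rows that follow it."""
    events = []
    for line in log_text.splitlines():
        c = CLOCK.match(line.strip())
        if c:
            events.append({"time": c.group(1), "sessions": []})
            continue
        row = parse_who_row(line)
        # Skip the vty the applet itself opened (Location "EEM:<applet>").
        if row and events and row["location"] != f"EEM:{applet}":
            events[-1]["sessions"].append(row)
    return events

if __name__ == "__main__":
    for ev in enable_events(SAMPLE_LOG):
        print(ev["time"], [(s["line"], s["user"], s["location"]) for s in ev["sessions"]])
```

Because logging buffered is lost on reload and wraps when full, feed this from a copy of the log that is kept off the router if the history needs to persist.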
