How to display system security events logs in Cisco router 4980
Hi,
in order to perform acceptance tests following the installation of a Cisco 4980 router cluster, I need to verify that any system security events are logged and that I can display them in the CLI output (for example with the #show logging command).
By system security event logs, I mean for example bad authentication on the switch, creation/deletion/modification of a user account, Telnet connection attempts while this protocol is not allowed, etc.
With the #show logging command, I get security events related to access-lists, or configuration changes (even if these are not really verbose on what has been changed), but no "system" security events.
Here is my initial logging configuration on these routers:
logging rate-limit 1 except errors
logging console critical
logging monitor critical
But I also tried like this:
logging rate-limit 1 except errors
logging console informational
logging monitor critical
logging history informational
logging facility auth
But exactly the same result...
Does this feature exist or not?
If yes, how do I configure it?
Thanks.
Julien
Here is a script that will copy the previous day's events and save them to "C:\". The file name will be yesterday's date, e.g. "04-18-2010-Events.csv".
Option Explicit

' Dumps every event written yesterday (from all event logs on this machine)
' to C:\<mm-dd-yyyy>-Events.csv. Note: despite the .csv extension the file is
' a plain text report (one "Name = value" line per field), not real
' comma-separated values. Writing to the root of C:\ needs an elevated
' prompt on Vista and later.
Const strComputer = "."
Dim objFSO, objWMIService, colEvents, objEvent, outFile
Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

' Change the date separator from "/" to "-" so it can be used in the file name
' (the exact format follows the machine's regional settings).
fileDate = Replace(Date - 1, "/", "-")
Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv", True)

' Window: from midnight yesterday up to (but not including) midnight today,
' converted to WMI datetime strings so they compare against TimeWritten.
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Add "and Logfile = 'Security'" to the WHERE clause to export only the Security log.
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

For Each objEvent In colEvents
    outFile.WriteLine String(100, "-")
    outFile.WriteLine "Category = " & objEvent.Category
    outFile.WriteLine "ComputerName = " & objEvent.ComputerName
    outFile.WriteLine "EventCode = " & objEvent.EventCode
    outFile.WriteLine "Message = " & objEvent.Message
    outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
    outFile.WriteLine "SourceName = " & objEvent.SourceName
    outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
    outFile.WriteLine "Type = " & objEvent.Type
    outFile.WriteLine "User = " & objEvent.User
    outFile.WriteLine String(100, "-")
Next

outFile.Close
MsgBox "Finished!"
v/r LikeToCode....Mark the best replies as answers.
Similar Messages
-
CISCO top 10 security events / logs for cisco aironet 3500? lan controller 5500
As a security analyst I'm tasked to monitor my wireless environment, which comprises the following components:
We are using cisco aironet 3500 series .
Lan controller 5500
MSE 3300 series
WCS v 5.0
Is there a top 10 of security events that I should be looking at? Is there such a thing as a Cisco top 10 security events, or do I have to follow an external resource like SANS for this? I'm sure there are guys here who have worked in this environment and can probably advise me on the events I should be concerned about.
Reference:
Cisco Wireless LAN Controller System Message Guide
http://www.cisco.com/en/US/docs/wireless/controller/7.4/message/guide/sysmsg74.html
http://www.cisco.com/en/US/docs/wireless/controller/message/guide/controller_smg.html -
How can I turn off Event ID 5156 AND 5145 in the Security Event Log?
Hi,
I have a high volume web service. Every time there is a connection from the outside, it logs this in my security event log.
I want to turn this off.
How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
Thanks!
Dane!
Hi,
Thanks for posting in Microsoft TechNet forums.
The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
auditing file share on windows 2008 R2
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. -
Windows Server 2008 R2 Security Event Log Maximum Size
I have a customer with logging requirements on domain controllers that are exceeding the maximum log size they have configured for the security log. When they attempted to increase the maximum size of the security event log via Group Policy, the settings did not take effect. When an attempt was made to increase the security event log manually on the domain controller via the properties of the log, an error is generated whenever the value was changed:
The Maximum Log Size specified is not valid. It is too large or too small. The Maximum Log Size will be set to the following: 196608 KB
The 196608 KB value is the value that it is currently set at. Testing on other logs, application, system, has lead to the same result.
wevtutil.exe sl security /ms:<n> produces similar results. There is no error message given but the value doesn't change when you run wevtutil.exe gl security
When viewing the registry value MaxSize under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security the change is reflected, but the log does not seem to get any larger.
What one would expect to be a two minute change in a group policy object has turned into something much more difficult. Any idea what could be causing this?
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator
I verified that it was not another policy - the domain is pretty simple without many policies; the only policies applied are:
Default Domain Policy (no event log settings)
Company Domain Policy (no event log settings)
Default Domain Controller Policy (no event logs settings)
Company Domain Controller Policy (...\Event Log\Maximum security log size 4194240 kilobytes)
The value was 196608 before, the plan was to change the group policy setting to 4194240 and I expected it to be that easy. However, the values didn't change.
4194240 is divisible by 64
Used multiple tools to try and change
Group Policy
Event Viewer
wevtutil.exe
registry editor
While some of the methods display a larger event log, the actual size of the event log still seems to be limited to 196608 kb.
Thanks,
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator -
Display system security file fragmentation_percent
Hi - I'm trying to run the MAXL command to display how fragmented my security file is but in the log, I keep getting this error message about 'Syntax error near security'. I am on Essbase 7.0
OK/INFO - 1051034 - Logging in user planning.
OK/INFO - 1051035 - Last login on Monday, March 01, 2010 11:59:39 AM.
OK/INFO - 1241001 - Logged in to Essbase.
MAXL> display system security file fragmentation_percent;
ERROR - 1242021 - (1) Syntax error near ['security'].
MAXL> alter application 'UAT2NYPF' enable connects;
OK/INFO - 1056013 - Application UAT2NYPF altered.
MAXL> logout;
User planning is logged out
MaxL Shell completed
Is there anything that can be done, in terms of maintenance, for the security file for Essbase 7.0?
Over the weekend, our server guys rebooted the Essbase server, essbase service never came up this morning. I launched essbase in the command prompt and it gave me an error message about bad security file.
I replaced the security file from a backup, but if these corruptions can be avoided by doing maintenance on the security file, then I am looking for some ways to automate that maintenance process on a bi weekly basis.
Thanks
Edited by: CLAU on Mar 1, 2010 9:56 AM
Edited by: CLAU on Mar 1, 2010 10:10 AM -
Data Access Service is unable to log audit events to the security event log
Hi,
Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
Today SCOM have generated 4 alerts Data Access Service is unable to log audit events to the security event log.
The service account for "System Center Data Access Service" service is "Local System".
The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
The question is:
how to resolve this alert? (Where look for to obtain more information to resolve this problem)
Thanks in advance!
The Local System account is different from the Local Service account. For a detailed description of these accounts, please refer to:
LocalService Account
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
LocalSystem Account
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
Generate security audits, which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment in Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
To identify the SDK account:
1) open services.msc
2) On the System Center Data Access Service you can see the SDK "Log On As" account
Roger -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation Success
Hi Lawrence,
After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
Hi,
We are receiving several event IDs '26007' from the OpsMgr log on our Domain Controllers; event IDs '26008' with a similar description are also logged:
The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
I'll appreciate any suggestion in order to solve this issue.
Regards.
I guess this issue is caused by event ID 4661 being corrupted in the security event log.
Please check if you have many 4661 events in security event log and XML view cannot be viewed.
Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
Regards, -
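The 5156/5145 noise thread, the Account Logon thread and the 4661/SAM workaround above all come down to the same question: which audit subcategory produces a given event ID, and what is its effective setting on this machine? The following is an added example, not code from any of the posts, that answers it from auditpol's CSV report output. The event-ID-to-subcategory table is embedded for illustration and uses the English subcategory names (auditpol output is localised); it assumes an elevated prompt, which auditpol /get requires.

```powershell
# Added example (not from the original threads): map event IDs to the audit
# subcategory that produces them and show the effective setting from auditpol.
# Assumptions: elevated prompt; English subcategory names; the ID-to-subcategory
# table below is embedded for illustration.

$idToSubcategory = [ordered]@{
    4624 = 'Logon'                               # successful logon
    4661 = 'SAM'                                 # SAM object access (4661 thread)
    4768 = 'Kerberos Authentication Service'     # TGT request, domain controllers
    4769 = 'Kerberos Service Ticket Operations'  # service ticket request, domain controllers
    4776 = 'Credential Validation'               # NTLM credential validation
    5145 = 'Detailed File Share'                 # per-access share checks (5145 thread)
    5156 = 'Filtering Platform Connection'       # WFP permitted connections (5156 thread)
}

# /r gives a CSV report; "Inclusion Setting" is the effective per-subcategory
# policy: "No Auditing", "Success", "Failure" or "Success and Failure".
$policy = auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

$report = foreach ($id in $idToSubcategory.Keys) {
    $sub = $idToSubcategory[$id]
    $row = $policy | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
    [pscustomobject]@{
        EventId     = $id
        Subcategory = $sub
        Setting     = if ($row) { $row.'Inclusion Setting' } else { '(subcategory not found)' }
        # The command that switches just that subcategory off; swap "disable"
        # for "enable" to turn it back on. Only use it on the noisy ones.
        DisableWith = "auditpol /set /subcategory:`"$sub`" /success:disable /failure:disable"
    }
}

$report | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner will want. First, auditpol reports the effective subcategory policy: when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, subcategory settings win over legacy category settings such as "Audit Account Logon Events". In the auditpol output of the Account Logon thread only Credential Validation is set within that category, so a subcategory-level policy is in effect there; on a domain controller, Kerberos logons are recorded under Kerberos Authentication Service (4768) and Kerberos Service Ticket Operations (4769), while Credential Validation (4776) covers NTLM. Second, an auditpol /set change is local and is overwritten at the next Group Policy refresh on a domain-managed machine; a permanent change belongs in the GPO under Advanced Audit Policy Configuration.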
Need Help to extract information from Windows Security Event log
Hi Everyone,
My challenge is to create a script that queries the Security event log for event id 4624, logon types 2 and 10, then exports the result to a file, hopefully tab delimited.
I need the time - date - User Account - Workstation - IP address - Logon Type.
I have had a go, checking out other advice from other questions, but i'm just not getting what I want.
Kind regards,
Andrew
A good point to start is get-eventlog with where clauses.
For example:
get-eventlog -log security | where {$_.eventID -eq 4624}
So you want to get the entire security log, and then filter it client side? (Some of these logs can be massive).
I would recommend Get-WinEvent with -FilterHashTable (Filter on the left) which will filter against the log directly.
http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx
You might have admin rights issues accessing the security logs.
You're right - my answer was only a first step to try "get-command *event" and eventually get-help..... -
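The extraction Andrew asks for above (4624, logon types 2 and 10, with time, account, workstation, IP address and logon type, tab-delimited), restricted to the previous day's window the way the VBScript earlier on this page does, as an added example that is not part of either thread. It uses Get-WinEvent with -FilterHashtable, as the second reply recommends, so the log, event ID and time window are filtered by the event log service rather than client side. Assumptions: C:\Temp is an arbitrary output location, and the account running it is an administrator or a member of Event Log Readers.

```powershell
# Added example (not from the original threads). Exports yesterday's
# successful logons (event 4624) of type 2 (Interactive) and 10
# (RemoteInteractive) from the Security log as a tab-delimited file.
# Assumptions: run elevated or as a member of Event Log Readers;
# C:\Temp is an arbitrary output location.

$end   = (Get-Date).Date        # midnight today
$start = $end.AddDays(-1)       # midnight yesterday
$outFile = Join-Path 'C:\Temp' ('{0:yyyy-MM-dd}-Logons.tsv' -f $start)

# Log, event ID and time window are evaluated by the event log service,
# so the whole Security log is never pulled into PowerShell.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $start
    EndTime   = $end
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The named fields live in <EventData>; read them from the event XML
        # instead of parsing the rendered message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated.ToString('s')
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            IpAddress   = $data['IpAddress']      # '-' when not applicable
            LogonType   = [int]$data['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in 2, 10 }

if ($rows) {
    $rows | Export-Csv -Path $outFile -Delimiter "`t" -NoTypeInformation -Encoding UTF8
    '{0} logon events written to {1}' -f @($rows).Count, $outFile
} else {
    'No interactive or remote interactive logons found for {0:yyyy-MM-dd}' -f $start
}
```

The logon type cannot go into the hashtable filter (it only understands log, provider, ID, level, keywords and time), so it is applied after the XML fields are read; with -FilterXPath it could be pushed into the query as well, at the cost of readability.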
Account locked out events are not getting in active directory security event logs
Account locked out events are not appearing in the Active Directory security event logs for some users. I can see that the user is locked out, and when I tried to find the event in the security log on the DC I couldn't find it. It is only happening for some users, not for all users.
In addition.
Check the ADDS Audit.
Active Directory Services Audit - Document references
Regards~Biswajit
Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
How to write to windows event logs from determinations-server under IIS
This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
<appSettings>
<!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
<add key="log4net.Internal.Debug" value="true"/>
</appSettings>
<system.diagnostics>
<trace autoflush="true">
<listeners>
<add
name="textWriterTraceListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="logs/InfoDSLog.txt" />
</listeners>
</trace>
</system.diagnostics>
To add an appender for the windows event viewer, try the following in the log4net.xml:
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
<param name="ApplicationName" value="OPA" />
<param name="LogName" value="OPA" />
<param name="Threshold" value="all" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
</layout>
<filter type="log4net.Filter.LevelRangeFilter">
<levelMin value="WARN" />
<levelMax value="FATAL" />
</filter>
</appender>
<root>
<level value="warn"/>
<appender-ref ref="EventLogAppender"/>
</root>
To put the OPA logs under the Application Event Log group, try this:
Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
4. Right-click the Application subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Close Registry Editor.
To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
Create an event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the eventlog subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
7. The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
8. Right-click the OPA subkey, point to New, and then click Key.
9. Type OPA for the key name.
10. Close Registry Editor.
You might need to change permissions so OPA can write to the event log in Registry Editor. If you get permission errors, try following these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the EventLog key, select Permissions.
5. In the dialog that pops up, click Add...
6. Click Advanced...
7. Click Locations... and select the current machine by name.
8. Click Find Now
9. Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
10. Change the Network user to have Full Control
11. Click Apply and OK
To verify OPA Logging to the windows event logs from Determinations-Server:
Go to the IIS determinations-server application within Server Manager.
Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that show the wsdl endpoints.
Select the /determinations-server/server/soap.asmx?wsdl link
Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
Edited by: Paul Fowler on Feb 21, 2013 9:45 AM
Thanks for sharing this information Paul.
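The registry steps above (create the log, create the source, set MaxSize, then widen permissions) can be done with the built-in event log cmdlets. The following is an added example, not part of Paul's post or of OPA, that registers the custom OPA log and OPA source the appender configuration expects, caps the log at 20 MB (the 1400000 in step 6 only makes sense as a hexadecimal DWORD, 0x1400000 = 20 MiB), writes one test entry and reads it back. It assumes it is run once from an elevated prompt, because registering a source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog; once the source exists, the application only writes to the log, so the registry-permission changes in the permissions section are normally unnecessary. Granting Full Control on the EventLog key to a service identity is a broad grant and worth avoiding.

```powershell
# Added example (not part of the original post or of OPA). Registers the
# custom "OPA" log and "OPA" source that the log4net EventLogAppender above
# expects, caps the log at 20 MB, writes a test entry and reads it back.
# Assumption: run once from an elevated prompt; log and source names as in
# the appender configuration.

$logName = 'OPA'
$source  = 'OPA'

# SourceExists has to open every log's registry key, including Security,
# which is one of the classic sources of "permission" errors when a web
# application tries this itself; doing it once here, elevated, avoids that.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    # Creates the log and registers the source under
    # HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OPA in one step.
    New-EventLog -LogName $logName -Source $source
    # Registry changes for a new source are not always visible immediately.
    Start-Sleep -Seconds 2
}

# Same effect as the MaxSize DWORD in the original steps (0x1400000 = 20 MiB);
# the value must be a multiple of 64 KB. Oldest entries are overwritten when full.
Limit-EventLog -LogName $logName -MaximumSize 20MB -OverflowAction OverwriteAsNeeded

# Write the kind of entry the WARN-to-FATAL filter in the appender would pass.
Write-EventLog -LogName $logName -Source $source -EntryType Error -EventId 1000 `
    -Message 'Invalid get request: /determinations-server/server/soap.asmx (test entry)'

# Verify: the entry must be readable back from the new log.
Get-EventLog -LogName $logName -Newest 1 |
    Format-List TimeGenerated, Source, EntryType, EventID, Message
```

If the appender should instead write under the Application log (the first variant in the post), keep the source registration but pass -LogName Application to New-EventLog and drop the Limit-EventLog line, since that log's size is governed by policy.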
-
In SQL we use sysdate from dual to display the system date; likewise, how do I display the system time? Since I am a beginner I need your help, please.
In Oracle the DATE data type also stores the time information; all you need to do is use the TO_CHAR function or NLS_DATE_FORMAT to display it:
SELECT TO_CHAR(sysdate, 'DD-MON-YYYY HH24:MI:SS') FROM DUAL;
or
alter session set NLS_DATE_FORMAT='DD-MON-YYYY HH24:MI:SS';
select sysdate from dual; -
How to display system property in XML forms
Hi
We are using XML forms template for publishing news in KM. In the show form we got author field (a label in the form) which is mapped to system property createdby (PropertyReference = /Properties/default:createdby).But while displaying the form author is not getting populated. When I try to edit the form in XML forms builder in data model tab under properties node no property is visible. Nothing is shown up in properties even after reload option is selected from context menu of properties node.
I checked by manually editing PropertyReference to some other property (e.g. modifiedby) but nothing is showing up.
Can you please suggest how the createdby system property can be shown in the xml form?
Thanks & Regards
Sudip
Hi Sudeep,
Please try to open the Form Builder on another machine and see whether the properties appear in the XML form design view.
You can also directly create a label in the show form and add the property name along with the namespace name.
For default properties the namespace is default. Create a label UI element in the show form, select the datasource property and add the property value there.
With this we can show file-related system-generated properties in the show form.
Regards,
Rudradev Devulapelli -
How to display system date by default
Hi,
Please tell me how to display the default date as system date in a text box, and it should also allow me to select the date from the calendar and update.
I tried to give 'select sysdate from dual' but it didn't work.
Please help me..
Regards,
Pallavi
I'm not sure what you mean.
sysdate retrieves the current date when the script is executed (eg. when you run the report).
Do you mean that after you change the date value in the report and submit the page, it changes back to sysdate, instead of the date you selected?
This would be caused by an incorrect setting in the "Source Used" field.
eg. use "Only when current value in session state is null"
instead of "Always, replacing any existing value in the session state" -
I want to display system date in portal pages. Is there any template subsitution tags or any easy way of displaying date.
Without using 'javascript'
Thanks
Manjith
You could put something like the following into a PL/SQL item or a Dynamic Page portlet (between <ORACLE></ORACLE> tags) - change the date formatting and add any HTML/CSS that you need to display the date the way you want:
DECLARE
todaysdate VARCHAR2(12);
BEGIN
select TO_CHAR(SYSDATE,'MON DD, YYYY') INTO todaysdate FROM DUAL;
htp.print(todaysdate);
END;
Note: this code could probably be simplified a bit; I just pulled this snippet out of something I use that does more than just display the sysdate.