Syslog messages in AAA

I have an issue with a switch's syslog messages showing up in the failed authentication attempts report in the AAA.
If anyone has any thoughts, let me know!!
CHRIS

Do you perhaps have this switch console connected on a terminal server, and if so, does the terminal server have "no exec" configured on the lines used for reverse telnet?
I have seen symptoms similar to what you describe in a situation where I had a switch whose console port was connected to a terminal server and the terminal server lines did not have no exec. It looks like there was some activity on the switch for which the terminal server presented a login prompt. The next text displayed on the switch was interpreted by the terminal server as the login id and was logged in the failed attempts log.
HTH
Rick
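
A way to triage the failed-attempts report for the symptom described in the reply above, as an added example that is not part of the original thread: it separates records whose "user name" is really switch console output from genuine failed logins and counts them per terminal-server line. The CSV column names and the sample rows are constructed assumptions, not a real AAA export schema.

```python
import csv
import io
import re
from collections import Counter

# IOS-style message tag, e.g. %LINK-3-UPDOWN
IOS_TAG = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+")
# Leading device timestamp, e.g. "*Mar  1 00:04:12" or "Jan 14 04:21:56"
IOS_TIME = re.compile(r"^[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}")

# Constructed sample report; column names are assumptions for this example.
SAMPLE_REPORT = '''User-Name,NAS-IP-Address,NAS-Port,Failure
"%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",192.0.2.10,tty33,Unknown user
jsmith,192.0.2.20,tty1,Invalid password
"*Mar  1 00:04:12: %SYS-5-CONFIG_I: Configured from console by console",192.0.2.10,tty33,Unknown user
'''


def looks_like_console_output(username):
    """True when the submitted login id looks like a device log line."""
    u = username.strip()
    return bool(IOS_TAG.search(u) or IOS_TIME.match(u))


def triage(csv_text):
    """Split report rows into console noise (counted per NAS line) and genuine failures."""
    noise = Counter()
    genuine = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if looks_like_console_output(row["User-Name"]):
            # Key on the reporting device and line: that is where "no exec" is missing.
            noise[(row["NAS-IP-Address"], row["NAS-Port"])] += 1
        else:
            genuine.append(row)
    return noise, genuine


if __name__ == "__main__":
    noise, genuine = triage(SAMPLE_REPORT)
    for (nas, port), count in noise.most_common():
        print(f"{nas} {port}: {count} failed attempts that are console output")
    print(f"{len(genuine)} failed attempts left to review as real logins")
```

Lines that show up in the noise counter are the ones to check for a missing "no exec"; the remaining rows still need normal review.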

Similar Messages

  • After WCS v4.1.91.0 upgrade: Strange SYSLOG message

    Hi
    After upgrading WCS to v 4.1.91.0 and Controller 4400 to v.1.185 I get these SYSLOG messages:
    Emergency <DATE> 1x_ptsm.c:419 DOT1X-1-MAXEAP_RETRANS_FOR_MOBILE: MAX EAP retransmissions reached for mobile <MAC>
    Critical <DATE> iapp_socket_task.c:580 IAPP-3-MSGTAG015: iappSocketTask: iappRecvPkt returned error
    Can't find any info on cisco.com or any release notes. Anybody know what it means and what I can/should do?
    TIA
    Peter

    Actually, Maximum EAP Retransmissions message indicates that EAPOL key retransmission to client has failed. Increase the no of error count for failure. But to further trace down the issue, we need a complete syslog output to which this MAX EAP retransmission message is associated with.
    Check whether AAA server is UP and running (if external RADIUS server is used). What EAP authentication type are you using? Let me know these details.

  • ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

    Hi All,
    I am using an ACS 1120 appliance running ACS version 4.2.1.15. I am pointing all syslog messages to my external syslog server (passed authentication, failed authentication, database replication, administration audit, TACACS accounting), but I receive only passed authentication log messages on my external log server; no other log message except passed authentication is pushed to my external log server. But I can see failed attempts, database replication and administration audit log messages locally on my ACS appliance as CSV files.
    The syslog server is configured under all logging (passed, failed, administration, TACACS accounting), but I am surprised to see only the passed authentication log is sent out from the ACS appliance. Is there any patch to be installed for log message scripting? Please advise.

    Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
    you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

  • CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

    Hello.
    Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
    CUCMs have problem with syslog messages.
    I saw these messages in rtmt syslog
    - kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
    kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
    What's the problem with these messages ?
    And how can I solve this problem
    Thanks.

    I used to have the same problem; it was a SIP trunk against one CME. Just resetting the SIP trunk in CUCM fixed the error. It is because the endpoint is sending a lot of requests to CUCM.

  • Understanding syslog messages from our wlc

    Hello,
    We use two wlc 4402 (4.1.181.0) and several lightweight access points (AIR-AP1010-E-K9 and AIR-AP1030-E-K9) connected to them.
    On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
    1. ca. 10 times per hour we get the message
    apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
    Cisco system message guide:
    Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
    Explanation Not saving - no config changes.
    Recommended Action No action is required.
    Does anybody know why we get these messages and if it's possible to suppress them?
    2. Intermittently (several times a day) we get the following message types:
    a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
    b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
    The MAC address is not every time the same but one of our accesspoints.
    On our network management system we get the following trap messages with nearly exactly the same timestamp:
    14.01.2008 04:21:56 CET
    AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
    When Airespace AP's interface operation status goes down this trap will be sent.
    bsnAPDot3MacAddress = 00.0b.85.56.63.40
    bsnAPIfSlotId = 0x1
    14.01.2008 04:21:56 CET
    AP disassociated from Switch.
    When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
    bsnAPMacAddrTrapVariable =
    14.01.2008 04:22:25 CET
    AP associated with Switch.
    When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
    bsnAPMacAddrTrapVariable =
    bsnAPPortNumberTrapVariable = 1
    Cisco system message guide:
    a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
    Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    Because we don't see any network problems I'm wondering why the connection is lost.
    Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
    Is there any possibility to remotely check if the accesspoint rebooted?
    If you need further information please give me a short feedback.
    Many thanks in advance,
    Thorsten Steffen

    Thanks for the help.
    I have set up to send email and syslog messages from the RME applications. LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) is made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • LMS 4.2 not processing syslog messages

    I have a new install of LMS 4.2 on a virtual appliance.  No syslog messages are getting into LMS.  They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
    Here's the syslog.conf file:
         local6.info                                                                     /var/log/ade/ADE.log
         *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
         authpriv.*                                                                      /var/log/secure
         mail.*                                                                          -/var/log/maillog
         cron.*                                                                          /var/log/cron
         *.emerg                                                                         *
         uucp,news.crit                                                                  /var/log/spooler
         local7.*                                                                        /var/log/boot.log
         #Application LMS Generated config
         #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
         local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
         #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
         local7.info  /var/log/syslog_info
    My guess is that the incoming messages are getting written to the wrong file.  What do I need to change to correct this?

    I found that all of my syslog messages were being captured under /var/log/messages.  This was due to my Cisco devices being configured with "logging facility local5".  Instead of reconfiguring all of my devices to log to facility local7, I just changed the following line in syslog.conf and restarted (/etc/init.d/syslog restart)
    Before:
    local7.info  /var/log/syslog_info
    After:
    local5.*  /var/log/syslog_info
    Probably not the best way to do it, but it worked for me.
    -Rick
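
Why the local5 messages landed only in /var/log/messages, and what the one-line change does, shown as an added example that is not from the original thread: a small matcher for classic syslog.conf selectors run against a trimmed copy of the file quoted above. It assumes traditional "this severity and higher" semantics, ignores the `=` and `!` selector extensions, and uses placeholder names for facility codes 12 to 15.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0-23; names for codes 12-15 vary by platform, placeholders here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "fac12", "fac13", "fac14", "fac15",
              ] + [f"local{i}" for i in range(8)]

# Trimmed copy of the syslog.conf quoted in the thread.
BEFORE = """\
*.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none  /var/log/messages
local7.*  /var/log/boot.log
local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
local7.info  /var/log/syslog_info
"""
# The change described in the reply.
AFTER = BEFORE.replace("local7.info  /var/log/syslog_info",
                       "local5.*  /var/log/syslog_info")


def pri(facility, severity):
    """PRI value carried in the <NNN> prefix of a syslog datagram."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def compile_selector(selector):
    """Map facility name -> least severe level accepted (None = excluded)."""
    table = {}
    for part in selector.split(";"):          # later parts override earlier ones
        facs, _, level = part.rpartition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        for name in names:
            if level == "none":
                table[name] = None
            elif level == "*":
                table[name] = len(SEVERITIES) - 1
            else:
                table[name] = SEVERITIES.index(level)
    return table


def destinations(conf_text, pri_value):
    """Return the actions of every rule that matches a message with this PRI."""
    fac, sev = divmod(pri_value, 8)
    matched = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        limit = compile_selector(selector).get(FACILITIES[fac])
        if limit is not None and sev <= limit:   # lower number = more severe
            matched.append(action.strip())
    return matched


if __name__ == "__main__":
    p = pri("local5", "notice")
    print("PRI", p)
    print("before:", destinations(BEFORE, p))
    print("after: ", destinations(AFTER, p))
```

After the change the local5 messages still match the `*.info` rule as well, so they are written to both files unless `local5.none` is added to that selector.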

  • Syslog messages not showing

    Hello,
    I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
    Recently, the Syslog is no longer displaying any records (neither new nor old messages).
    Below are the steps I have tried to troubleshoot the problem:
    - Installed wireshark : Syslog messages are being received by the LMS server on time
    - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
    - I tried to disable all the "Syslog Message Filters" but nothing changed
    In the SyslogCollector.log, I can find the below logs:
    NMSROOT is C:/PROGRA~2/CSCOpx
    propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
    Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
    NMSROOT is C:/PROGRA~2/CSCOpx
    propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
    SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
    SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
    SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
    SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
    SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
    I am not sure what to check now. Kindly your suggestions.
    Thanks,
    Justine.

  • Receive syslog messages from remote system

    I want to replace my ancient and aging Slackware 12.0 server with an Arch server. One of the hurdles is to receive syslog messages (UDP/IP, port 514) over the network from a Cisco 678 DSL modem/router, and from a DD-WRT based wireless access point.
    How do I go about getting a systemd-based Arch server to receive syslog-formatted messages from the network on UDP port 514?
    I'm not looking to view the Arch system's journal over the network, but rather to receive non-local messages and log them.
    Last edited by bediger4000 (2013-08-01 15:44:48)

    WonderWoofy: I hope you mean "man systemd-journal-gatewayd", as I find that man page, but not "systemd-journal-gateway".  systemd-journal-gatewayd works the other way. According to the man page it "serves journal events over the network. Clients must connect using HTTP."
    sbmomeni: I agree that your reference says the systemd journal provides the same function - but how?  And does "this functionality" refer to the logging part of syslog-ng, or to the receiving messages from other machines part?

  • Discriminate between syslog messages - targets

    Hi there,
         I might be trying to do the impossible here, but I am trying to get my ASA 8.2(1) to send certain syslog messages to one host and other messages to another host.
         By default we are using facility 23 as our logging facility.  Logging trap is set to informational and there are 2 hosts that I am logging to.  Both hosts are receiving all the informational messages that are being sent.  One of the hosts is being overwhelmed by the amount of traffic.  This host only needs to receive the syslog message 111008, and no others. I have been trying to figure out how to send only this one message to the host, but syslog seems to be an all or nothing proposition.  Any ideas?  Regardless of what I come up with, it always seems that all hosts receive whatever I configure.  I can't seem to define syslog traffic on a per target basis. 

    You are right. You can't define 2 syslog servers to send 2 different lists of syslog messages. However, you can define separate lists of syslog messages, and send 1 list to the syslog server, and send another list to the buffer, for example.
    Here is the example for your reference:
    logging list 111008-list message 111008
    logging list the-rest-list message 101001-111007
    logging list the-rest-list message 111009-742010
    logging buffered 111008-list
    logging trap the-rest-list
    Hope that helps.

  • Solaris 9 syslog messages are IP not hostname

    I am trying to set up Solaris 9 to forward its syslog messages to a central server, and it's working fine except the logs being sent have the IP address and not the hostname. Is there a way to change this? Thanks

    no, i mean you will need to put entries for the remote hosts on your central server, or set up IN NS records in your nameserver for reverse mappings from IP -> host (not host -> IP).
    Shouldn't need any switches or config changes to syslogd for it to work.
    Also, check your /etc/nsswitch.conf file has at least "files dns" set for hosts.

  • RME (LMS 3.2) No detect Change Configuration automatically by Syslog Messages

    Hi,
    I have a problem with the "change audit" trigger for Syslog messages. I set all my devices to send Syslog messages to the CiscoWorks server. When I make any changes, the syslog message is sent correctly to the CiscoWorks server, but it does not automatically start collecting the configuration (config fetch).
    Only when I manually start "sync archive" is the configuration stored and the change in configuration detected.
    I have not changed anything in "Config Fetch" under Syslog "Automated Actions".
    Thanks

    Hi,
    You can check RME  > Tools > Syslog > Automated Actions to verify nothing was changed.
    Then display 'Config Fetch'. There is contextual help available:
    http://:1741/help/rme/fundamentals/index.html?syslog_Defining_Automatd_Actions.html#wp1211314
    Nick

  • ASR1000 CUBE SP syslog messages

    Hi,
    we're trying to integrate our SBC instances (CUBE SP on ASR1000) into our network management system (EMC SMARTS)
    Syslog messages from SBC instances are somewhat cumbersome, with a lot of line breaks resulting in multiple syslog messages the NMS must parse.
    Example:
    %SBC-3-MSG-6406-0006-ADD5A3-1575
    Message Editor received a message with an unknown editor in
    the edit sequence. The editor will be ignored.
    Editor name: default
    How do I configure it to just put it all into one line just as "normal" log messages?
    Example:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed to up
    Thanks
    Sebastian

    Hi,
    thanks for replying.
    I went already through this, seems I have to write some kind of script to get SBC messages into one line.
    Do you have an idea for this very simple task?
    Still wondering whether I'm the first to stumble upon it
    Sebastian
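
One shape such a script could take, as an added example that is not from the original thread: it joins continuation lines onto the last tagged message from the same device before the result is handed to the NMS. It assumes the collector has already split each received datagram into a (host, text) pair and that only a line carrying a `%FACILITY-SEVERITY-...` tag starts a new message; the host names and the interleaving in the sample are constructed.

```python
import re

# A Cisco-style message tag such as %LINEPROTO-5-UPDOWN or
# %SBC-3-MSG-6406-0006-ADD5A3-1575 marks the first line of a message.
TAG = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_-]+")

# Constructed sample: message texts from the post, interleaved from two devices.
SAMPLE = [
    ("sbc1", "%SBC-3-MSG-6406-0006-ADD5A3-1575"),
    ("sbc1", "Message Editor received a message with an unknown editor in"),
    ("rtr2", "%LINEPROTO-5-UPDOWN: Line protocol on Interface "
             "GigabitEthernet0/0/0, changed to up"),
    ("sbc1", "the edit sequence. The editor will be ignored."),
    ("sbc1", "Editor name: default"),
]


def coalesce(lines):
    """Join untagged continuation lines onto the previous tagged line per host.

    lines: iterable of (host, text) in arrival order.
    Returns a list of (host, single_line_message).
    """
    pending = {}   # host -> message still being assembled
    done = []
    for host, text in lines:
        text = text.strip()
        if not text:
            continue
        if TAG.search(text):
            # A new tagged line closes whatever this host was still assembling.
            if host in pending:
                done.append((host, pending.pop(host)))
            pending[host] = text
        elif host in pending:
            pending[host] += " " + text
        else:
            # Continuation with no header seen: keep it rather than drop it.
            done.append((host, text))
    done.extend(pending.items())   # flush what is left at end of input
    return done


if __name__ == "__main__":
    for host, message in coalesce(SAMPLE):
        print(host, message)
```

On a live feed a message is only released when the next tagged line from the same device arrives, so a real-time version also needs a short idle timeout to flush `pending`.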

  • Syslog messages AP541

    Hi community,
    to find the reason for my connection problems to our network over a AP541N
    I have configured the AP541 to send its syslog messages to a syslog server.
    Now I am looking for a document where I can find information about the received
    messages.
    For example, what means
    hostapd: wlan0: IEEE 802.11 STA 78:a3:e4:3e:f7:19 deauthed from BSSID 00:21:29:03:18:40 reason 3
    or
    hostapd: wlan0: IEEE 802.11 STA 58:1f:aa:2c:96:4b disassociated from BSSID 00:21:29:03:18:40 reason 8
    Are there documents where the messages are explained ?
    Regards
    Joachim

    Here is a document for cisco wireless access controller client reason codes:
    http://www.cisco.com/en/US/docs/wireless/controller/3.2/configuration/guide/c32err.html
    Client Reason Code…Description…Meaning
    0…noReasonCode…Normal operation.
    1…unspecifiedReason…Client associated but no longer authorized.
    2…previousAuthNotValid…Client associated but not authorized.
    3…deauthenticationLeaving…The access point went offline, deauthenticating the client.
    4…disassociationDueToInactivity…Client session timeout exceeded.
    5…disassociationAPBusy…The access point is busy, performing load balancing, for example.
    6…class2FrameFromNonAuthStation…Client attempted to transfer data before it was authenticated.
    7…class2FrameFromNonAssStation…Client attempted to transfer data before it was associated.
    8…disassociationStaHasLeft…Operating System moved the client to another access point using non-aggressive load balancing.
    9…staReqAssociationWithoutAuth…Client not authorized yet, still attempting to associate with an access point.
    99…missingReasonCode…Client momentarily in an unknown state.

  • Receiving and analyzing syslog messages from facility local3 on LMS4.2 soft appliance.

    Hi,
    All of our enterprise switches are set to send syslog messages from facility local3. This is partly because our Linux syslog server logs its boot syslog messages from facility local7 and we couldn't use the default facility of local7 on our Cisco switches. LMS4.2's syslog daemon is set to receive syslog messages from facility local7. How can I change it so that it can listen for facility local3 and also make sure the sysloganalyzer and automated actions work fine?
    thanks,
    Kerim

    Hi All,
    I thought it is a good idea to share the workaround my colleague came up with for this problem. There is a file called syslog-entries.txt under /opt/CSCOpx/conf. He added all the entries we needed like:
    local3.*     /var/log/syslog_info
    local5.*   /var/log/syslog_info
    The change was automatically reflected in syslog.conf.
    Now we receive alerts from facilities 3 and 5 besides 7. Hope this helps anyone who runs into the same issue.

  • Prime Infra 2.0 alert when syslog message received

    Dear member,
    May I know whether Prime Infra 1.3 and 2.0 can alert a user when a syslog message is received?
    If yes, is there a configuration guide for reference?
    Regards

    Hi Russ,
    PI does not actually keep a record of the raw syslog  messages it receives, and there is no report for syslogs. When PI receives a syslog, it will immediately process the message and convert it to an event/alarm.
    Also, note that PI only processes severity 1 and 2 syslogs. The closest thing you can get to a syslog report would be to run an advanced search for events.
    For other alarms and events you can go to the Operate > Alarms & Events > Email Notification page. Make sure that the alarm categories that you want to have notifications for also have the Enable checkbox checked.
    Thanks-
    Afroz

    Dear All, I have a questions regarding the waiting time of operations with APO. Our customer wants to have a waiting time befor the operation. In R/3 there is no problem as we can use 'Wait time' to define the inter-operation time. But in APO 'wait t