
Gateway cli login logs


Hi Guys,

1) We have the MDS setup and TACACS enabled on it.

2) Whenever users log in to the gateway CLI, we are unable to see the logs in SmartView Tracker --> Mgmt tab.

3) Earlier it showed when the user logged in and what the users changed on the CLI.

4) Now we can see only the login and logout logs for SmartConsole, not for the gateway CLI.

5) We are using R77.30.

Is there any way we can troubleshoot it?

Accepted Solutions

You will see in mgmt tab only logs related to MDS / CMA (for example policy push, creation/modification/deletion of rule, ...).

If you want to see what happened on CLI of gateway, check /var/log/messages.

For login (authentication) logs, check /var/log/secure.

Kind regards,
Jozko Mrkvicka


Only problem with the /var/log/messages file is the size and the number of saved revisions, which default to 64KB and 4 files. This can be easily adjusted with the command:

      /bin/log_start limit 0 8388608 10

This will set the filesize to 8MB and the number of files to 10.

You could use the following command to display all login and logout entries:

      cat message* | grep User

Regards, Maarten
0 Kudos

Or configure syslog server and send all syslog messages to it for further checks and better solution (filtering based on facility or severity).

Kind regards,
Jozko Mrkvicka
0 Kudos

Try:

Highlighted

And maybe customizing syslog as per sk92798 might be useful?

and now to something completely different
0 Kudos

Possibly, but I'm not sure how: The solution does allow for creation of additional syslog facilities and adjustments to the logs written to those, but I do not know how to specify which facility will be writing those messages to the CPlog.

0 Kudos

If I have time, I'll test in my VM lab environment.

and now to something completely different
0 Kudos

Thanks! Let us know what you'll find out.

0 Kudos

That works partially. Just added a line to /etc/syslog.conf

user.info                       /var/log/messages

Log in is logged (log out as well)

Time:                   2018-08-09T06:17:57Z
Id:                     0a012804-8d8e-b307-5b6b-f8b500280000
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Facility:               security/authorization messages
Syslog Severity:        Informational
Product Category:       OS
User:                   admin
Login Status:           succeeded
Action:                 Log In
Type:                   Log
Blade:                  Linux OS
Origin:                 gw
Product Family:         Network

And I see clish activity, for instance when deleting a route:

Time:                   2018-08-09T06:18:26Z
Id:                     0a012804-8d0e-b407-5b6b-f8d20018000e
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
Facility:               user-level messages
Syslog Severity:        Notice
Type:                   Log
Blade:                  Syslog
Origin:                 gw
Product Family:         Network
Description:            

But I don't see expert-level activity. Just set an interface down using ifconfig and up again and nothing is displayed in syslog/SmartLog.

Don't know if more can be enabled, was just a quick test, because I was interested.

and now to something completely different
0 Kudos
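
An added example, not part of any post in this thread: a small awk filter that takes the raw syslog text shown in the two records above, decodes the `<86>` and `<13>` priority prefixes into facility.severity (which is why a `user.info` selector matches the clish line, logged as user.notice), and extracts the user and the clish command. The function names `cli_audit` and `sample_records` are made up for this example, and the last two sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Input is the raw "Default Device
# Message" text: <PRI>program[pid]: message.

# cli_audit: read records on stdin, print "facility.severity|user|event|detail".
cli_audit() {
  awk '
    BEGIN {
      split("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp", fac, " ")
      split("emerg alert crit err warning notice info debug", sev, " ")
      marker = ": Processing : "
    }
    match($0, /^<[0-9]+>/) {
      # PRI = facility * 8 + severity
      pri = substr($0, 2, RLENGTH - 2) + 0
      msg = substr($0, RLENGTH + 1)
      f = int(pri / 8)
      if (f < 12) { name = fac[f + 1] }
      else if (f >= 16) { name = "local" (f - 16) }
      else { name = "facility" f }
      sel = name "." sev[pri % 8 + 1]

      if (msg ~ /^sshd\[[0-9]+\]: pam_unix\(sshd:session\): session (opened|closed) for user /) {
        sub(/^.*session /, "", msg)          # leaves: opened for user NAME ...
        split(msg, w, " ")
        print sel "|" w[4] "|ssh session " w[1] "|-"
      } else if (msg ~ /^clish\[[0-9]+\]: cmd by [^:]+: Processing : /) {
        user = msg
        sub(/^clish\[[0-9]+\]: cmd by /, "", user)
        sub(/:.*$/, "", user)
        # Cut at the first marker so text inside the command cannot shift it
        cmd = substr(msg, index(msg, marker) + length(marker))
        sub(/ \(cmd md5: [0-9a-f]+\)$/, "", cmd)
        print sel "|" user "|clish|" cmd
      }
    }
  '
}

# First two records are quoted in the thread; the last two are constructed.
sample_records() {
  cat <<'EOF'
<86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
<13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
<86>sshd[12082]: pam_unix(sshd:session): session closed for user admin
<30>ntpd[4321]: constructed unrelated line
EOF
}

sample_records | cli_audit
```

Records that are neither an sshd session event nor a clish command are skipped, so the output lists only CLI logins, logouts and clish commands.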

Is there a way to search SmartConsole for specific changes? For example, I changed a DNS entry via Gaia web and I can see it logged in SmartConsole, but I can't return the specific log via any kind of specific search -- i.e. my username, or "DNS" or anything really.

0 Kudos