Vengatesh_SR
Contributor

Gateway cli login logs

Hi Guys,

1) We have an MDS setup with TACACS enabled on it.

2) Whenever users log in to the gateway CLI, we are unable to see the logs in SmartView Tracker --> Mgmt tab.

3) Earlier it showed when the user logged in and what the user changed on the CLI.

4) Now we can see only the login and logout logs for SmartConsole, not for the gateway CLI.

5) We are using R77.30.

Is there any way we can troubleshoot it?

1 Solution

Accepted Solutions
JozkoMrkvicka
Authority

You will see in mgmt tab only logs related to MDS / CMA (for example policy push, creation/modification/deletion of rule, ...).

If you want to see what happened on CLI of gateway, check /var/log/messages.

For login (authentication) logs, check /var/log/secure.

Kind regards,
Jozko Mrkvicka


11 Replies
Maarten_Sjouw
Champion

The only problem with the /var/log/messages file is the size and the number of saved revisions, which default to 64KB and 4 files. This can be easily adjusted with the command:

      /bin/log_start limit 0 8388608 10

This will set the filesize to 8MB and the number of files to 10.

You could use the following command to display all login and logout entries:

      cat message* | grep User

Regards, Maarten
0 Kudos
JozkoMrkvicka
Authority

Or configure a syslog server and send all syslog messages to it for further checks and a better solution (filtering based on facility or severity).

Kind regards,
Jozko Mrkvicka
0 Kudos
Vladimir
Champion

Try:

Vincent_Bacher
Advisor

And maybe customizing syslog as per sk92798 might be useful?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vladimir
Champion

Possibly, but I'm not sure how: The solution does allow for creation of additional syslog facilities and adjustments to the logs written to those, but I do not know how to specify which facility will be writing those messages to the CPlog.

0 Kudos
Vincent_Bacher
Advisor

If I have time, I'll test in my VM lab environment.

0 Kudos
Vladimir
Champion

Thanks! Let us know what you'll find out.

0 Kudos
Vincent_Bacher
Advisor

That works partially. Just added a line to /etc/syslog.conf:

user.info                       /var/log/messages

Log in is logged (log out as well):

Time:                   2018-08-09T06:17:57Z
Id:                     0a012804-8d8e-b307-5b6b-f8b500280000
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Facility:               security/authorization messages
Syslog Severity:        Informational
Product Category:       OS
User:                   admin
Login Status:           succeeded
Action:                 Log In
Type:                   Log
Blade:                  Linux OS
Origin:                 gw
Product Family:         Network

And I see clish activity, for instance when deleting a route:

Time:                   2018-08-09T06:18:26Z
Id:                     0a012804-8d0e-b407-5b6b-f8d20018000e
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
Facility:               user-level messages
Syslog Severity:        Notice
Type:                   Log
Blade:                  Syslog
Origin:                 gw
Product Family:         Network
Description:            

But I don't see expert level activity. Just set an interface down using ifconfig and up again and nothing is displayed in syslog/SmartLog.

Don't know if more can be enabled, was just a quick test, because I was interested.

0 Kudos
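
An added example, not part of any post in this thread: Python that decodes the `<PRI>` prefix of the two messages quoted above into facility and severity and extracts login, logout and clish command events, the kind of facility/severity filtering a remote syslog server would apply. The function names and the last two sample lines are constructed for illustration.

```python
import re

# Syslog facility and severity names by numeric code (RFC 3164/5424).
FACILITY = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv"}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE = re.compile(r"^<(\d{1,3})>([\w./-]+)\[(\d+)\]: (.*)$")
SESSION = re.compile(r"session (opened|closed) for user (\S+)")
CLISH = re.compile(r"cmd by (\S+): Processing : (.*?)(?: \(cmd md5: ([0-9a-f]{32})\))?$")


def parse(line):
    """Turn one raw syslog line into an audit event, or None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pri, prog, pid, msg = int(m[1]), m[2], int(m[3]), m[4]
    if pri > 191:
        return None  # outside the valid PRI range
    fac, sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    event = {"facility": FACILITY.get(fac, str(fac)), "severity": SEVERITY[sev],
             "program": prog, "pid": pid}
    if (s := SESSION.search(msg)):
        event.update(action="login" if s[1] == "opened" else "logout", user=s[2])
    elif prog == "clish" and (c := CLISH.search(msg)):
        event.update(action="clish_cmd", user=c[1], command=c[2], md5=c[3])
    else:
        return None
    return event


def audit_trail(lines):
    """Keep only login, logout and clish command events, in input order."""
    return [e for e in map(parse, lines) if e]


# The first two lines are the messages quoted in the thread; the rest are constructed.
SAMPLE = [
    "<86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    "<13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 "
    "nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)",
    "<86>sshd[12082]: pam_unix(sshd:session): session closed for user admin",
    "<30>xpand[4321]: constructed daemon message that is not an audit event",
]

if __name__ == "__main__":
    for e in audit_trail(SAMPLE):
        print(e)
```

The session line decodes to authpriv.info and the clish line to user.notice, so a collector that should keep both needs to accept both facilities.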
B_P
Advisor

Is there a way to search SmartConsole for specific changes? For example, I changed a DNS entry via Gaia web and I can see it logged in SmartConsole, but I can't return the specific log via any kind of specific search -- i.e. my username, or "DNS" or anything really.

0 Kudos
JozkoMrkvicka
Authority
0 Kudos
