SDN/SDDC Retreat in Miami, Florida (November 4th-6th)
Separate SDN hype from real life!

Log terminal access to your router

In a previous post, I've shown how you can log the changes in interactive user's privilege level. With the Cisco IOS Login Enhancements (introduced in IOS release 12.3(4)T, integrated in 12.4), you can also log all login successes and failures, even when using local user database (a similar functionality was previously achievable only when using central TACACS+ or RADIUS server).

The configuration commands to enable terminal access logging are login on-success log and login on-failure log. You can also specify that you want send SNMP traps in these circumstances (with the trap option) or that you only want to log every Nth attempt with the every n option.After you've configured terminal access logging, the router will start to generate syslog messages similar to the ones below (localport: 23 indicates the user was using telnet to access the router, localport: 80 that she was using HTTP):

%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source:] [localport: 23] at 19:10:27 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: a] [Source:] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 19:35:53 UTC Sat Dec 2 2006
If the user accesses the router through the console port, both the source and localport are set to all zeroes:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source:] [localport: 0] at 19:10:48 UTC Sat Dec 2 2006


  1. Hi there,

    I telnet to the router with local authentication and the username doesn't get displayed for some reason. Any idea why?


    2007-11-08 13:36:36 Router_1 - Login Success [user: ] [Source:] [localport: 23] at 13:31:12 AEDT Thu Nov 8 2007

  2. Hi Peter!

    I've just re-tested this feature with non-AAA and AAA local authentication in IOS release 12.4(15)T1. It reported the username in both cases, so you're probably hitting a bug.

  3. I get the same thing no userid displayed

  4. Yes it is a bug


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.