Cisco – Intermapper SNMP trap probe

cisco snmp

What I have set up is my Cisco switches sending SNMP traps to my Intermapper server. I did that so I could see who is logging in or trying to log in. That part is working. What I need to do is create a probe; then I can set up notifications and so on.

The SNMP trap looks like this:

SNMPv2-SMI::enterprises.9.9.41.2 (1) { "SEC_LOGIN", "5", "LOGIN_FAILED", "Login failed [user: admin] [Source: 10.1.1.45] [localport: 22] [Reason: Login Authentication Failed] at 22:39:45 MDT Tue Jul 16 2013", "902084201" }

What I am trying to accomplish is the ability to notify me when someone logs into the switches. Since I am the only one who logs into them, it would be nice to see if someone tries to log in or actually logs in.

Best Answer

If all you need is login notification and if you don't care about SNMP vs Syslog, you can use IOS built-in syslog for authentication failures and success. It also can block IP addresses with failed logins.

login block-for 300 attempts 5 within 60
login on-failure log
login on-success log

This is the message for success

Jul 18 06:55:26.408: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco]
 [Source: 10.10.1.5] [localport: 23] at 06:55:26 UTC Thu Jul 18 2013

This is the message for a telnet failure

Jul 18 06:56:16.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] 
 [Source: 10.10.1.5] [localport: 23] [Reason: Login Authentication Failed] at 06:56:16 UTC 
 Thu Jul 18 2013
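
The trap in the question and the syslog lines in this answer carry the same bracketed fields, so one parser on the receiving host can cover both. The Python below is an added example, not part of the original answer and not InterMapper probe code; the function names and the trusted source address are assumptions.

```python
import re

# Syslog form: %SEC_LOGIN-<severity>-<mnemonic>:
SYSLOG_RE = re.compile(r"%SEC_LOGIN-(\d)-(LOGIN_SUCCESS|LOGIN_FAILED):")
# Trap dump form: { "SEC_LOGIN", "<severity>", "<mnemonic>", "<text>", ... }
TRAP_RE = re.compile(r'"SEC_LOGIN",\s*"(\d)",\s*"(LOGIN_SUCCESS|LOGIN_FAILED)"')
# Bracketed fields shared by both forms, e.g. [Source: 10.1.1.45]
FIELD_RE = re.compile(r"\[(user|Source|localport|Reason):\s*([^\]]*)\]")
# Assumption: the only address the administrator logs in from.
TRUSTED_SOURCES = {"10.10.1.5"}

# Messages copied from the page, including the line wrapping of the syslog ones.
TRAP_SAMPLE = ('SNMPv2-SMI::enterprises.9.9.41.2 (1) { "SEC_LOGIN", "5", "LOGIN_FAILED", '
               '"Login failed [user: admin] [Source: 10.1.1.45] [localport: 22] '
               '[Reason: Login Authentication Failed] at 22:39:45 MDT Tue Jul 16 2013", "902084201" }')
SUCCESS_SAMPLE = """Jul 18 06:55:26.408: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco]
 [Source: 10.10.1.5] [localport: 23] at 06:55:26 UTC Thu Jul 18 2013"""
FAILED_SAMPLE = """Jul 18 06:56:16.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ]
 [Source: 10.10.1.5] [localport: 23] [Reason: Login Authentication Failed] at 06:56:16 UTC
 Thu Jul 18 2013"""

def parse_event(raw):
    """Return a dict for a SEC_LOGIN syslog line or trap dump, else None."""
    text = " ".join(raw.split())  # undo line wrapping added by the collector
    m = SYSLOG_RE.search(text) or TRAP_RE.search(text)
    if not m:
        return None
    event = {"severity": int(m.group(1)), "mnemonic": m.group(2)}
    for key, value in FIELD_RE.findall(text):
        event[key.lower()] = value.strip()
    return event

def alert_for(event):
    """Return a notification string, or None when no alert is needed."""
    if event is None:
        return None
    src = event.get("source", "unknown")
    user = event.get("user") or "<empty>"  # failed telnet logins may log no user
    if event["mnemonic"] == "LOGIN_FAILED":
        return f"failed login user={user} from {src}: {event.get('reason', 'n/a')}"
    if src not in TRUSTED_SOURCES:
        return f"login success user={user} from unexpected source {src}"
    return None  # success from the administrator's own workstation

if __name__ == "__main__":
    for raw in (TRAP_SAMPLE, SUCCESS_SAMPLE, FAILED_SAMPLE):
        print(alert_for(parse_event(raw)))
```
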