Cisco Bug: CSCul18521 - Audit records MUST log to External Syslog servers: VGA CLI AUTHC

Last Modified

Jun 07, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.899)

Description (partial)

Symptom:
1. External Syslog Servers fail to receive the audit record.
2. Auditable event records appear in the output of the CLI command below, but in a locally stored file:

hostname/username# show logging system secure

2013-11-01T23:37:51.741899+00:00 sec-sns-3495 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=martinf43

hostname/username# show logging system secure

2013-11-01T23:38:09.302016+00:00 sec-sns-3495 login: pam_unix(login:session): session opened for user martinf43 by LOGIN(uid=0)
2013-11-01T23:38:09.312082+00:00 sec-sns-3495 login: Deprecated pam_stack module called from service "login"
2013-11-01T23:38:09.312105+00:00 sec-sns-3495 login: Deprecated pam_stack module called from service "login"
2013-11-01T23:38:09.312115+00:00 sec-sns-3495 login: pam_tally(login:setcred): unknown option: no_magic_root
2013-11-01T23:38:09.312125+00:00 sec-sns-3495 login: LOGIN ON tty1 BY martinf4

Conditions:
1. Using local VGA console and keyboard to authenticate to the Command Line Interface (CLI).

SSH remote authentications are unaffected by this problem.

2. Use an External Syslog Server to monitor auditing events.
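
A gap check for the symptom above, as an added example that is not Cisco's code: it extracts console login audit records from saved "show logging system secure" output and lists those with no counterpart in a capture taken on the external syslog server. The function names, the constructed REMOTE_LOG sample and the assumption that the relay preserves timestamp and hostname are not from the original page.

```python
import re

# Layout of the records shown by `show logging system secure` on the page:
# ISO-8601 timestamp, hostname, program, message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+[+-]\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")
PAM_RE = re.compile(r"pam_unix\(login:(?:auth|session)\): (?P<text>.*)")

# The two auditable records and one noise line from the page, unwrapped.
LOCAL_LOG = """\
2013-11-01T23:37:51.741899+00:00 sec-sns-3495 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=martinf43
2013-11-01T23:38:09.302016+00:00 sec-sns-3495 login: pam_unix(login:session): session opened for user martinf43 by LOGIN(uid=0)
2013-11-01T23:38:09.312082+00:00 sec-sns-3495 login: Deprecated pam_stack module called from service "login"
"""

# Constructed sample of what the external server received: an SSH record only.
REMOTE_LOG = """\
2013-11-01T23:40:02.118204+00:00 sec-sns-3495 sshd[4121]: pam_unix(sshd:session): session opened for user martinf43 by (uid=0)
"""

def console_audit_events(local_log):
    """Return (timestamp, host, kind, user) for each console login audit record."""
    events = []
    for line in local_log.splitlines():
        m = LINE_RE.match(line.strip())
        pam = PAM_RE.match(m["msg"]) if m and m["prog"] == "login" else None
        if not pam:
            continue  # not a console pam_unix record (noise, sshd, ...)
        text = pam["text"]
        if text.startswith("authentication failure"):
            kind, user = "auth_failure", re.search(r"\buser=(\S+)", text)
        elif text.startswith("session opened"):
            kind, user = "session_opened", re.search(r"for user (\S+)", text)
        else:
            continue
        events.append((m["ts"], m["host"], kind, user.group(1) if user else None))
    return events

def missing_from_remote(events, remote_log):
    """Events with no remote line carrying the same timestamp and host (assumed preserved by the relay)."""
    remote = remote_log.splitlines()
    return [e for e in events if not any(e[0] in r and e[1] in r for r in remote)]

if __name__ == "__main__":
    for ts, host, kind, user in missing_from_remote(console_audit_events(LOCAL_LOG), REMOTE_LOG):
        print(f"not forwarded: {ts} {host} {kind} user={user}")
```

If the external server rewrites timestamps on receipt, match on host, event kind and user within a time window instead of on the exact timestamp.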