How to log success and failure logins on Cisco Catalyst 3750 switches to Splunk or syslog server.

Here is how I have my Cisco 3750 switches configured to log , success and failures to my syslog server. I use Splunk currently to capture and report this data.

1. Access your Cisco switch via command line.
2. Type enable (enter)
3. Type Password (enter)
4. Type config t (enter)
5. Your now in config mode, first setup your syslog server. Example – Type logging (substitute your syslog or splunk server) (enter)
6. Type login on-failure log (enter)
7. Type login on-success log (enter)
8. Type logging trap informational (enter)
9. CTRL-C (brings you back to host#
10. Type wr mem (enter) – This writes the config to memory (saves config)

Log out of your switch, and then ssh back in to generate some log data to your syslog. You should see something like this generated:

8/8/12 9:53:51.000 PM
Aug 8 21:53:51 switch.internal.lan 23: 000046: Aug 9 02:53:49: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source:] [localport: 22] at 02:53:49 UTC Thu Aug 9 2012
host=switch.internal.lan Options| sourcetype=syslog Options| source=udp:514