How to be alerted when someone connects to your Cisco router via Telnet or SSH, or makes a config change.

There are two basic methods. The first involves configuring the router to log incoming TELNET or SSH connections, via syslog as follows:

config t
access-list 1 permit {xxx.xxx.xxx.xxx} log
line vty 0 4
access-class 1 in

This will allow incoming connections on lines VTY 0-4 to be logged via syslog. NB: the logging is only applied to the IP address {xxx.xxx.xxx.xxx} in the access-list command, and the logging generated applies only to the initial connection, not the login itself.

The only other way to detect if someone is trying to telnet or SSH to your Cisco routers, is to use TACACS for your login authentication. This method has the added benefit of allowing authentication information to be logged as well. Then when someone tries to login, the event will be captured in the TACACS log. Depending on your TACACS server, you may be able to forward the login events via syslog, to Kiwi Syslog Server.

The syslog message generated when someone makes a config change on a Cisco router looks like this: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.1)

You can configure Kiwi Syslog Server to look for the "%SYS-5-CONFIG_I:" string in the message text, and have it shown on a separate display.

For example, your rules would look like this...

Rules
Rule: Default
Filters (None)
Actions
Display (Display to 00)
Log to file: SyslogCatchAll.txt
Rule: Config Changes
Filters
Simple, Message Text filter
Include: "%SYS-5-CONFIG_I:"
Actions
Display (Display to 01)
Log to file: ConfigChanges.txt

The default Rule would capture all events and display them to display 00 and log them to SyslogCatchAll.txt.

The second Rule (Config Changes) would just match the "%SYS-5-CONFIG_I:" text, display these messages on Display 01, and log just these messages to the ConfigChanges.txt file.

NB: You can change the display names from "Display 00" and "Display 01" to any text you like. This can be done from the Display section on the Properties page.

FYI: The "Message Text" filter type is only available in the full version. You can request a 30 day trial key from: www.kiwisyslog.com/trial.

Start by using the default settings on Kiwi Syslog Server, and see what messages you receive. Then you can start adding filters and actions as you know what to expect.

On your router, you will see that if you enter config mode and exit (Config T, then end) a message will be generated and sent to Kiwi Syslog Server that looks like: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.1)

Cisco routers can generate a telnet session disconnection event via an SNMP trap. Kiwi Syslog Server can also receive and decode SNMP traps. See the Inputs | SNMP section of the properties page for the options available.