...
A switch configured with `login on-success log` does not generate any syslog message, either remotely or in `show logging log`, for successful logins.
1. Nexus switch running a version of NX-OS that supports the `login on-success log` command
2. Successful login messages are not seen in either `show logging log` or on remote syslog servers (e.g. `logging server x.x.x.x`)
3. Logging for "authpriv" is set to `logging level authpriv 3`
The documentation should state that `logging level authpriv 3` adds no additional logs; messages for a successful login appear only once the logging level is increased to `logging level authpriv 6`. In addition, because the local logging logfile is set by default to syslog severity 5 (notification), these messages do not appear in the local syslog until the `logging logfile messages 6` command is run.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
conf t
login on-success log
logging level authpriv 6
!
! Adding logging level 6 for daemon will add additional logs like
!
logging level daemon 6
logging server x.x.x.x 6 use-vrf management
!
! In order to see this just locally in `show logging log` we would also need to add the following configuration:
!
logging logfile messages 6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Below are examples from lab testing of all the different permutations of configuration and the logs expected at those logging levels. Each of the following cases had a single successful login, and the resulting logs were recorded.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# no login on-success log
# no logging level authpriv 3
# no logging level daemon 3
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# login on-success log
# no logging level authpriv 3
# no logging level daemon 3
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# no login on-success log
# logging level authpriv 6
# logging level daemon 3

%AUTHPRIV-6-SYSTEM_MSG: change user 'jason' password - usermod[27325]
%AUTHPRIV-6-SYSTEM_MSG: delete 'jason' from group 'vdc-admin' - usermod[27325]
%AUTHPRIV-6-SYSTEM_MSG: add 'jason' to group 'vdc-admin' - usermod[27367]
%AUTHPRIV-6-SYSTEM_MSG: pam_unix(dcos_sshd:session): session opened for user jason by (uid=0) - dcos_sshd[27317]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# login on-success log
# logging level authpriv 6
# logging level daemon 3

%AUTHPRIV-6-SYSTEM_MSG: change user 'jason' password - usermod[23249]
%AUTHPRIV-6-SYSTEM_MSG: delete 'jason' from group 'vdc-admin' - usermod[23249]
%AUTHPRIV-6-SYSTEM_MSG: add 'jason' to group 'vdc-admin' - usermod[23289]
%AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user jason from 192.0.2.88 - dcos_sshd[23240] <<<<<<<<<<< added with `login on-success log`
%AUTHPRIV-6-SYSTEM_MSG: pam_unix(dcos_sshd:session): session opened for user jason by (uid=0) - dcos_sshd[23238]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# no login on-success log
# logging level authpriv 6
# logging level daemon 6

%DAEMON-6-SYSTEM_MSG: Outbound-ReKey for 192.0.2.88:17873 [preauth] - dcos_sshd[21504]
%DAEMON-6-SYSTEM_MSG: Inbound-ReKey for 192.0.2.88:17873 [preauth] - dcos_sshd[21504]
%DAEMON-6-SYSTEM_MSG: Postponed keyboard-interactive for jason from 192.0.2.88 port 17873 ssh2 [preauth] - dcos_sshd[21504]
%AUTHPRIV-6-SYSTEM_MSG: change user 'jason' password - usermod[21515]
%AUTHPRIV-6-SYSTEM_MSG: delete 'jason' from group 'vdc-admin' - usermod[21515]
%AUTHPRIV-6-SYSTEM_MSG: add 'jason' to group 'vdc-admin' - usermod[21555]
%DAEMON-6-SYSTEM_MSG: Postponed keyboard-interactive/pam for jason from 192.0.2.88 port 17873 ssh2 [preauth] - dcos_sshd[21504]
%DAEMON-6-SYSTEM_MSG: Accepted keyboard-interactive/pam for jason from 192.0.2.88 port 17873 ssh2 - dcos_sshd[21504] <<<<<<<<<<< Added with Daemon 6
%AUTHPRIV-6-SYSTEM_MSG: pam_unix(dcos_sshd:session): session opened for user jason by (uid=0) - dcos_sshd[21504]
%DAEMON-6-SYSTEM_MSG: Inbound-ReKey for 192.0.2.88:17873 - dcos_sshd[21582]
%DAEMON-6-SYSTEM_MSG: Outbound-ReKey for 192.0.2.88:17873 - dcos_sshd[21582]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# login on-success log
# logging level authpriv 6
# logging level daemon 6

%DAEMON-6-SYSTEM_MSG: Outbound-ReKey for 192.0.2.88:17906 [preauth] - dcos_sshd[22506]
%DAEMON-6-SYSTEM_MSG: Inbound-ReKey for 192.0.2.88:17906 [preauth] - dcos_sshd[22506]
%DAEMON-6-SYSTEM_MSG: Postponed keyboard-interactive for jason from 192.0.2.88 port 17906 ssh2 [preauth] - dcos_sshd[22506]
%AUTHPRIV-6-SYSTEM_MSG: change user 'jason' password - usermod[22526]
%AUTHPRIV-6-SYSTEM_MSG: delete 'jason' from group 'vdc-admin' - usermod[22526]
%AUTHPRIV-6-SYSTEM_MSG: add 'jason' to group 'vdc-admin' - usermod[22565]
%AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user jason from 192.0.2.88 - dcos_sshd[22508] <<<<<<<<<<< added with `login on-success log`
%DAEMON-6-SYSTEM_MSG: Postponed keyboard-interactive/pam for jason from 192.0.2.88 port 17906 ssh2 [preauth] - dcos_sshd[22506]
%DAEMON-6-SYSTEM_MSG: Accepted keyboard-interactive/pam for jason from 192.0.2.88 port 17906 ssh2 - dcos_sshd[22506]
%AUTHPRIV-6-SYSTEM_MSG: pam_unix(dcos_sshd:session): session opened for user jason by (uid=0) - dcos_sshd[22506]
%DAEMON-6-SYSTEM_MSG: Inbound-ReKey for 192.0.2.88:17906 - dcos_sshd[22591]
%DAEMON-6-SYSTEM_MSG: Outbound-ReKey for 192.0.2.88:17906 - dcos_sshd[22591]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
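
The permutations above come down to three severity-6 login messages gated by four settings. The following is an added example, not Cisco's code, that audits a configuration snippet and reports where each message will be visible. The function name, the message labels and the rule of ignoring `logging server` lines with no explicit severity are assumptions of this example.

```python
import re

# Baseline from the page: authpriv/daemon at 3, local logfile at 5 (default).
DEFAULTS = {"authpriv": 3, "daemon": 3, "logfile": 5}
# (label, facility, needs `login on-success log`); all severity 6 in the lab logs.
MESSAGES = [
    ("pam_aaa:Authentication success", "authpriv", True),
    ("pam_unix session opened", "authpriv", False),
    ("Accepted keyboard-interactive/pam", "daemon", False),
]

def audit_login_logging(config):
    """Map each successful-login message to where it will be visible."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    level, server_sevs = dict(DEFAULTS), []
    for l in lines:
        if m := re.fullmatch(r"logging level (authpriv|daemon) (\d)", l):
            level[m[1]] = int(m[2])
        elif m := re.fullmatch(r"logging logfile \S+ (\d)(?: .*)?", l):
            level["logfile"] = int(m[1])
        elif m := re.fullmatch(r"logging server \S+ (\d)(?: .*)?", l):
            # Assumption: servers with no explicit severity are ignored.
            server_sevs.append(int(m[1]))
    # Exact-line match, so `no login on-success log` does not count.
    on_success = "login on-success log" in lines
    report = {}
    for label, facility, needs_flag in MESSAGES:
        generated = level[facility] >= 6 and (on_success or not needs_flag)
        report[label] = {
            "local": generated and level["logfile"] >= 6,
            "remote": generated and any(s >= 6 for s in server_sevs),
        }
    return report

# Constructed inputs: the symptom configuration and the page's workaround.
SYMPTOM = """
login on-success log
logging level authpriv 3
logging server x.x.x.x 6 use-vrf management
"""
WORKAROUND = """
login on-success log
logging level authpriv 6
logging level daemon 6
logging server x.x.x.x 6 use-vrf management
logging logfile messages 6
"""
```

Calling `audit_login_logging(SYMPTOM)` reports the `pam_aaa` message as absent both locally and remotely, which is the behaviour described at the top of the page.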