Displaying AAA username in syslog

codewize
Level 1

Firepower 1010 locally managed
Failed login attempts are logged as 'user = *****'
I need to be able to see those attempted user names like ASA would do.

How can I do that?

16 Replies

Sure, so let's first agree that the command we're creating in FlexConfig is either
no logging hide username
or
no loggin hide username

Correct? Based on what's been said here. I want you to know also that this command DOES work on ASA and I have also deployed it on FP 2100 and 4100 devices successfully.

OK so on my 1010 FDM managed
I go to the top menu Device > Advanced Configuration
FlexConfig > FlexConfig Objects
I Click the + to create a new object.
I named it no-hide-user
In the template box I put "no logging hide username" without the quotes of course.
Or "no loggin hide username"
Click OK and it puts a red box around the template area saying that the command is invalid syntax

If I do "no log hide username" it will save that. I was trying any rendition of the verbiage.
Go to FlexConfig Policy, use the + to add the new object to the existing policy
Save and deploy

The deploy fails because anything after the word log in that context is invalid input.

By the way, I am CCNP VPN, currently studying to sit for the Firepower specialty exam. I built, deployed and manage larger Firepower environments with 14 mixed devices, including ASA with Firepower services. This is not my first experience, nor am I new to Firepower.
I will say I have not done a lot of FlexConfig but I certainly understand how it works now.
However, having said that, the 1010 I have at home is a bit of a different animal, somewhat like the 5505 was back in the day. Definitely NOT the same as the larger devices, so I'm wondering if this command is not valid on the 1010.

davparker
Level 1

I have this same problem. We are migrating to FMC-managed Firepower, but I have two sites still running locally managed FDM. I can't find any variation of the "no hide logging username" in the FlexConfig object that will not get rejected. In FMC I had to use "no loggin hide username". It appears our firewalls are being targeted by brute-force VPN logins. Trying to identify which accounts they are trying. On FMC I ended up deploying a control-plane ACL to block the IPs. Not sure I'll be able to do that yet on FDM.
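The two posts above are about the same workflow: read the AAA rejection syslogs, find out which usernames and source IPs are being hammered, and then block the offenders. The script below is an added example (not code from this thread, from Cisco, or from FDM/FMC) that does that over the %ASA-6-113005 "AAA user authentication Rejected" message. The log lines in it are constructed for the example; the first three carry the masked "user = *****" form the original poster is seeing, the rest show what the same message looks like once usernames are no longer hidden. The ACL name and the rejection threshold are assumptions of the example, not anything the thread specifies.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the layout of the ASA/FTD
# %ASA-6-113005 message (reason, server, user, user IP, " : " separated).
# They are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ***** : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ***** : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ***** : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = administrator : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
"""

# What the firewall substitutes for the username while "logging hide username" is active.
MASKED_USER = "*****"

REJECT_RE = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected : "
    r"reason = (?P<reason>.*?) : server = (?P<server>\S+) : "
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_rejections(text):
    """Return one dict per 113005 line: reason, server, user, ip, masked.

    Lines with any other message ID are ignored.
    """
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["masked"] = ev["user"] == MASKED_USER
        events.append(ev)
    return events


def summarize(events, threshold=3):
    """Count rejections per source IP and per username.

    Masked usernames are excluded from the per-user count (they are all the
    same string and would only hide the real distribution) but are counted
    separately so the operator can see that usernames are still hidden.
    `threshold` (an assumed value for the example) is the number of
    rejections from one IP that marks it as an offender.
    """
    by_ip = Counter(ev["ip"] for ev in events)
    by_user = Counter(ev["user"] for ev in events if not ev["masked"])
    masked = sum(1 for ev in events if ev["masked"])
    offenders = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_ip": by_ip, "by_user": by_user, "masked": masked, "offenders": offenders}


def acl_lines(offenders, acl_name="BLOCK_VPN_BRUTE"):
    """Render ASA-style extended ACL entries for the offending IPs.

    The ACL name is an assumption for the example. Binding the ACL to the
    control plane on the outside interface is left to the operator.
    """
    return [f"access-list {acl_name} extended deny ip host {ip} any" for ip in offenders]


if __name__ == "__main__":
    events = parse_rejections(SAMPLE_LOG)
    report = summarize(events)
    if report["masked"]:
        print(f"{report['masked']} rejection(s) had the username hidden; "
              "usernames stay masked until 'no logging hide username' is in effect")
    for ip, n in report["by_ip"].most_common():
        print(f"{ip}: {n} rejected login(s)")
    for user, n in report["by_user"].most_common():
        print(f"  user {user!r}: {n}")
    for line in acl_lines(report["offenders"]):
        print(line)
```

Run it against a syslog export instead of SAMPLE_LOG to get the per-IP and per-user counts; a non-zero masked count tells you the hide-username setting is still active on the device that produced those lines, which is the symptom both posters describe.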
