(config)#shut, no shut
Have you tried turning it off and on again?

SecureCRT – Session Logging

Session logging can prove extremely useful for reconstructing events during troubleshooting scenarios or even configuration binges.

SecureCRT’s logging settings allow the use of variables to define the filename/path. I’ve configured my default session to log every session whether I’m troubleshooting or just poking around.

I also have a custom Windows environment variable that points %SessionLogs% to the directory of my choosing. This permits me to sync my sessions folder across multiple computers and VMs without having to worry about maintaining a similar directory structure on all of them.

Tip: For troubleshooting, I also like to maintain Notepad++ or quick handwritten notes with timestamps for significant events, so I can cross-reference them with my timestamped SecureCRT logs.

Default Session Log File Settings

SecureCRT: Options > Edit Default Session… > Terminal > Log File

Log file name:

[code]%SessionLogs%\%Y.%M%D\%Y.%M%D-%S_%COMPUTERNAME%.%USERNAME%.log[/code]

Options

  • Start log upon connect
  • Append to file
  • Start new log at midnight

Custom log data > Upon connect:

[code]!!!!!CONNECT [%Y/%M/%D – %S – %COMPUTERNAME%\%USERNAME%][/code]

Custom log data > Upon disconnect:

[code]!!!!!DISCONN [%Y/%M/%D – %S – %COMPUTERNAME%\%USERNAME%][/code]

Custom log data > On each line:

[code]%h:%m:%s — [/code]

Resultant Data

File Name: C:\Users\Derek\<omitted>\Misc\SecureCRT\SessionLogs\2018.0312\2018.0312-EDGE-FTD-01_DS-P51.Derek.log

Contents:

[code]13:14:19 — !!!!!CONNECT [2018/03/12 – EDGE-FTD-01 – DS-P51\Derek]
13:14:19 — User derek logged in to EDGE-FTD-01
13:14:19 — Logins over the last 3 days: 4. Last login: 13:14:08 PST Feb 1 2018 from 10.19.1.107
13:14:19 — Failed logins since the last login: 0.
13:14:19 — Type help or '?' for a list of available commands.
13:14:21 — EDGE-FTD-01# sh run access-gr
13:14:21 — access-group inside-in in interface inside
13:14:21 — access-group outside-in in interface outside
13:14:21 — access-group dmz-in in interface dmz
13:14:21 — EDGE-FTD-01#
13:14:22 — !!!!!DISCONN [2018/03/12 – EDGE-FTD-01 – DS-P51\Derek][/code]

Considerations

Using Notepad++ I can use CTRL-F > Find All in Current Document to find events like !!!!!CONNECT, !!!!!DISCONN, <hostname>#, etc.

The %COMPUTERNAME% environment variable is used because my SecureCRT config folder is synced across my workstations/jumpboxes that all write to the same SessionLogs folder, which is also synced; this separates the log files based on the computer I was connecting from.
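
The search for !!!!!CONNECT, !!!!!DISCONN and <hostname># described above can also be scripted when a log file has many appended sessions. The Python below is an added example, not part of the original post; it assumes the marker and per-line formats configured above, and the second session in the sample (workstation JUMP-01, command sh ver) is constructed to show a session that never logged a disconnect.

```python
import re
from datetime import datetime

EM, EN = "\u2014", "\u2013"  # dash characters used in the log format shown above
DASH = r"\s+[-\u2013\u2014]\s+"  # a plain hyphen is accepted as separator too
LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+[-\u2013\u2014]\s*(.*)$")
MARK = re.compile(r"^!!!!!(CONNECT|DISCONN) \[(\d{4}/\d\d/\d\d)"
                  + DASH + r"(.+?)" + DASH + r"(.+)\]$")
PROMPT = re.compile(r"^\S+#\s+(\S.*)$")  # "<hostname># <command>"

# Constructed sample: two sessions appended to one file, the second never closed.
SAMPLE = f"""\
13:14:19 {EM} !!!!!CONNECT [2018/03/12 {EN} EDGE-FTD-01 {EN} DS-P51\\Derek]
13:14:19 {EM} User derek logged in to EDGE-FTD-01
13:14:21 {EM} EDGE-FTD-01# sh run access-gr
13:14:21 {EM} access-group inside-in in interface inside
13:14:21 {EM} EDGE-FTD-01#
13:14:22 {EM} !!!!!DISCONN [2018/03/12 {EN} EDGE-FTD-01 {EN} DS-P51\\Derek]
09:02:10 {EM} !!!!!CONNECT [2018/03/13 {EN} EDGE-FTD-01 {EN} JUMP-01\\Derek]
09:02:15 {EM} EDGE-FTD-01# sh ver
"""

def parse_sessions(text):
    """Split an appended log into sessions delimited by the custom markers."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped log line
        clock, body = m.groups()
        mark = MARK.match(body)
        if mark:
            kind, date, device, origin = mark.groups()
            stamp = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
            if kind == "CONNECT":  # a new CONNECT leaves any open session with end=None
                cur = {"device": device, "origin": origin, "start": stamp,
                       "end": None, "commands": []}
                sessions.append(cur)
            elif cur is not None:
                cur["end"], cur = stamp, None
            continue
        cmd = PROMPT.match(body)
        if cur is not None and cmd:  # non-empty command typed at a prompt
            cur["commands"].append((clock, cmd.group(1)))
    return sessions

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["device"], s["origin"], s["start"], s["end"], s["commands"])
```

Sessions with `end` left as `None` are the ones to check by hand: the disconnect marker was never written, for example because the client was closed abruptly.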
