(config)#shut, no shutHave you tried turning it off and on again?

SecureCRT – Session Logging

Session logging can prove extremely useful when recollecting events during troubleshooting scenarios or even configuration-binges.

SecureCRT’s logging settings allow the use of variables to define the filename/path. I’ve configured my default session to log every session whether I’m troubleshooting or just poking around.

I also have a custom windows environment variable that points %SessionLogs% to the directory of my choosing. This permits me to sync my sessions folder across multiple computers and VMs without having to worry about maintaining a similar directory structure on all of them.

Tip: For troubleshooting, I also like maintain a NP++ or quick handwritten notes with timestamps for significant events, so I can cross-reference them with my timestamped SecureCRT logs.

Default Session Log File Settings

SecureCRT: Options > Edit Default Session… > Terminal > Log File

Log file name:

%SessionLogs%\%Y.%M%D\%Y.%M%D-%S_%COMPUTERNAME%.%USERNAME%.log

Options

  • Start log upon connect
  • Append to file
  • Start new log at midnight

Custom log data > Upon connect:

!!!!!CONNECT [%Y/%M/%D - %S - %COMPUTERNAME%\%USERNAME%]

Custom log data > Upon disconnect:

!!!!!DISCONN [%Y/%M/%D - %S - %COMPUTERNAME%\%USERNAME%]

Custom log data > On each line:

%h:%m:%s -- 

Resultant Data

File Name: C:\Users\Derek\<omitted>\Misc\SecureCRT\SessionLogs\2018.0312\2018.0312-EDGE-FTD-01_DS-P51.Derek.log

Contents:

13:14:19 -- !!!!!CONNECT [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]
13:14:19 -- User derek logged in to EDGE-FTD-01
13:14:19 -- Logins over the last 3 days: 4. Last login: 13:14:08 PST Feb 1 2018 from 10.19.1.107
13:14:19 -- Failed logins since the last login: 0.
13:14:19 -- Type help or '?' for a list of available commands.
13:14:21 -- EDGE-FTD-01# sh run access-gr
13:14:21 -- access-group inside-in in interface inside
13:14:21 -- access-group outside-in in interface outside
13:14:21 -- access-group dmz-in in interface dmz
13:14:21 -- EDGE-FTD-01# 
13:14:22 -- !!!!!DISCONN [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]

Considerations

Using Notepad++ I can use CTRL-F > Find All in Current Document to find events like !!!!!CONNECT, !!!!!DISCONN, <hostname>#, etc.

The %COMPUTERNAME% environment variable is used because my SecureCRT config folder is synced across my workstations/jumpboxes that all write to the same SessionLogs folder, which is also synced; this separates the log files based on the computer I was connecting from.

Tags: , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *