SecureCRT – Session Logging
Session logging can prove extremely useful when recollecting events during troubleshooting scenarios or even configuration-binges.
SecureCRT’s logging settings allow the use of variables to define the filename/path. I’ve configured my default session to log every session whether I’m troubleshooting or just poking around.
I also have a custom windows environment variable that points %SessionLogs% to the directory of my choosing. This permits me to sync my sessions folder across multiple computers and VMs without having to worry about maintaining a similar directory structure on all of them.
Tip: For troubleshooting, I also like maintain a NP++ or quick handwritten notes with timestamps for significant events, so I can cross-reference them with my timestamped SecureCRT logs.
Default Session Log File Settings
SecureCRT: Options > Edit Default Session… > Terminal > Log File
Log file name:
- Start log upon connect
- Append to file
- Start new log at midnight
Custom log data > Upon connect:
[code]!!!!!CONNECT [%Y/%M/%D – %S – %COMPUTERNAME%\%USERNAME%][/code]
Custom log data > Upon disconnect:
[code]!!!!!DISCONN [%Y/%M/%D – %S – %COMPUTERNAME%\%USERNAME%][/code]
Custom log data > On each line:
[code]%h:%m:%s — [/code]
File Name: C:\Users\Derek\<omitted>\Misc\SecureCRT\SessionLogs\2018.0312\2018.0312-EDGE-FTD-01_DS-P51.Derek.log
[code]13:14:19 — !!!!!CONNECT [2018/03/12 – EDGE-FTD-01 – DS-P51\Derek]
13:14:19 — User derek logged in to EDGE-FTD-01
13:14:19 — Logins over the last 3 days: 4. Last login: 13:14:08 PST Feb 1 2018 from 10.19.1.107
13:14:19 — Failed logins since the last login: 0.
13:14:19 — Type help or ‘?’ for a list of available commands.
13:14:21 — EDGE-FTD-01# sh run access-gr
13:14:21 — access-group inside-in in interface inside
13:14:21 — access-group outside-in in interface outside
13:14:21 — access-group dmz-in in interface dmz
13:14:21 — EDGE-FTD-01#
13:14:22 — !!!!!DISCONN [2018/03/12 – EDGE-FTD-01 – DS-P51\Derek][/code]
Using Notepad++ I can use CTRL-F > Find All in Current Document to find events like !!!!!CONNECT, !!!!!DISCONN, <hostname>#, etc.
The %COMPUTERNAME% environment variable is used because my SecureCRT config folder is synced across my workstations/jumpboxes that all write to the same SessionLogs folder, which is also synced; this separates the log files based on the computer I was connecting from.