login on-failure log
Enables logging of failed login attempts to the syslog server for security monitoring and auditing.
When to Use This Command
- Monitor unauthorized access attempts on a production router
- Comply with security policies requiring logging of authentication failures
- Troubleshoot user login issues by reviewing failure logs
- Detect brute-force attacks against the device
Command Examples
Enable login failure logging
Router(config)# login on-failure log
Router(config)#
No output is generated; the command is entered in global configuration mode. Use 'show logging' to view logged failures.
Verify configuration
Router# show running-config | include login on-failure
login on-failure log
The output confirms that the command is present in the running configuration.
Understanding the Output
The command itself produces no direct output. Instead, failed login attempts generate syslog messages. Use 'show logging' to view these messages. Each failed login generates a log entry like: %SEC_LOGIN-4-LOGIN_FAILED: User failed to log in from 192.168.1.100. The message includes the source IP address, username (if provided), and timestamp. A high frequency of such messages indicates a brute-force attack. Good practice is to monitor these logs and set up alerts for multiple failures from the same IP.
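As an added example (not from the original page or from Cisco), the following Python script parses constructed 'show logging' lines for the %SEC_LOGIN-4-LOGIN_FAILED mnemonic described above and flags source IPs that reach a threshold of failures inside a sliding time window, the alerting rule the paragraph recommends. It assumes the common IOS field layout "[user: ...] [Source: ...]", which varies between IOS versions; the sample lines are constructed, not captured from a device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of 'show logging' output (not from a real device). Field layout
# "[user: ...] [Source: ...]" is the common IOS form; it varies by version (assumption).
SAMPLE_LOG = """\
Jan  1 10:15:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:04: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:07: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:30: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 192.168.1.100] [localport: 22] [Reason: Login Authentication Failed]
Jan  1 10:15:45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 192.168.1.100] [localport: 22]
"""
LOGIN_FAILED = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[user: *(?P<user>[^\]]*)\].*\[Source: *(?P<src>[\d.]+)\]")
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")

def parse_failures(lines):
    """Return (timestamp, username, source_ip) per LOGIN_FAILED line; other messages are skipped."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if not m:
            continue
        t = TIMESTAMP.match(line)
        # IOS timestamps carry no year; strptime's default (1900) is fine for ordering.
        ts = datetime.strptime(t.group("ts"), "%b %d %H:%M:%S") if t else None
        events.append((ts, m.group("user").strip(), m.group("src")))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs reaching `threshold` failures inside any sliding `window`, mapped to the peak count."""
    by_src = defaultdict(list)
    for ts, _, src in events:
        if ts is not None:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_LOG.splitlines())))  # {'10.0.0.5': 5}
```

Feed it the real 'show logging' buffer or the syslog server's file instead of SAMPLE_LOG; a single failure from 192.168.1.100 stays below the threshold while the burst from 10.0.0.5 is reported.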
CCNA Exam Tips
CCNA exam may ask which command enables logging of failed login attempts; answer is 'login on-failure log'
Remember that this command is configured in global configuration mode, not line configuration mode
The exam might test that this command generates syslog messages which can be viewed with 'show logging'
Know that 'login on-failure log' is separate from 'login block-for' which is used for blocking after failures
Common Mistakes
Confusing 'login on-failure log' with 'login block-for' — the former only logs, the latter blocks
Forgetting to enable logging globally with 'logging on' for the messages to appear
Applying the command under line configuration (e.g., line vty) instead of global config
Related Commands
login block-for [secs] attempts [n] within [secs]
Configures the router to block login attempts from a source IP address after a specified number of failed attempts within a given time window, used to prevent brute-force attacks on VTY lines.
login delay [secs]
Configures a delay in seconds before the next login attempt after a failed login, used to slow down brute-force attacks on the console or VTY lines.
show logging
Displays the state of system logging (syslog) on the device, including buffer contents, logging configuration, and statistics, used for troubleshooting and monitoring system events.