How to set up automatic session logging in SecureCRT

Saving your session log is a must-have feature in my opinion. Not only for compliance/security reasons (with some companies), but it can also save you (trust me on that one) in case of human error. You can always go back and verify what was typed.

Personally, I save my logs locally, and they are also backed up automatically to the cloud for a redundant copy. They have helped me on numerous occasions to confirm integrity and will definitely help you.

In this quick tutorial (2 steps) I’ll show you where to go to enable local logging, as well as the syntax to use to get a proper naming convention. This should work for both Windows and Mac users.

  1. Open SecureCRT and go to Options > Edit Default Session

  2. Under the Category section, locate the Log File entry and select it
    1. Log file name – This is the directory where your logs will be stored, followed by the name of the file.
      /Volumes/EHDD/Box Sync/SecureCRT_Logging/[%S][%H] – %M-%D-%Y-%hh%mm%ss.log

      1. Explanation:
        1. /Volumes/EHDD/Box Sync/SecureCRT_Logging/ – is your log directory. Create your own directory and point SecureCRT to it.
        2. /[%S][%H] – %M-%D-%Y-%hh%mm%ss.log – is the naming convention for the file:
          1. %S – Session name. If you have saved sessions with names it will pick that up for you.
          2. %H – Hostname. This is typically the IP address of the host, but it could also be a DNS name if you use one. In that case you don’t need %S.
          3. %M – Month of that session
          4. %D – Day of that session
          5. %Y – Year of that session
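          6. %hh – Hour of that session (%h is the hour; the second h is a literal letter, which gives 09h in the file name)
          7. %mm – Minutes of that session (%m is the minutes, followed by a literal m)
          8. %ss – Seconds of that session (%s is the seconds, followed by a literal s)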
          9. %t – Milliseconds of that session
          10. .log – default file extension
      2. File output from the above would look like this: [DEMO01-ASAv][10.100.16.52] – 05-17-2018-09h38m08s.log
    2. Options – Make sure you have selected Start log upon connect AND Append to file
    3. Custom Log Data – This is an extra (optional) piece if you want to be more granular.
      1. Upon Connect – A line of text written to the log before the capture starts, e.g.: Session Recording Start for %S [%H] – %M-%D-%Y %hh%mm%ss
      2. Upon Disconnect – A line of text written at the end of the captured session, e.g.: Session Recording Stop for %S [%H] – %M-%D-%Y %hh%mm%ss
      3. On each line – Text added to the start of each line of the recorded session. Very powerful if you want a timestamp for each line, e.g. %h:%m:%s.%t
      4. Sample output from the log file:
        09:38:08.263 Session Recording Start for DEMO01-ASAv [10.100.16.52] – 05-17-2018 09h38m08s
        09:38:08.348 User x logged in to Demo01-ASAv
        09:38:08.348 Logins over the last 91 days: 2. Last login: 17:23:28 UTC Apr 10 2018 from 10.15.156.18
        09:38:08.351 Failed logins since the last login: 1. Last failed login: 14:35:08 UTC Apr 17 2018 from 10.15.156.18
        09:38:08.351 Type help or ‘?’ for a list of available commands.
        09:38:09.669 Demo01-ASAv> en
        09:38:10.957 Password: ********
        09:38:11.164 Demo01-ASAv#
        09:38:11.325 Demo01-ASAv#
        09:38:11.501 Demo01-ASAv#
        09:38:11.653 Demo01-ASAv#
        09:38:15.937 Demo01-ASAv# sh ver | in Version
        09:38:15.937 Cisco Adaptive Security Appliance Software Version 9.8(2)20
        09:38:15.942 Firepower Extensible Operating System Version 2.2(2.63)
        09:38:15.942 Device Manager Version 7.8(1)
        09:38:20.158 Demo01-ASAv# exit
        09:38:20.158
        09:38:20.162 Logoff
        09:38:20.163 Session Recording Stop for DEMO01-ASAv [10.100.16.52] – 05-17-2018 09h38m20s
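
Logs written with the Custom Log Data settings above can be checked by a script. The following is an added example (not part of the original post and not SecureCRT's own code) that parses such a log, lists the commands typed at the prompt, and flags a log that lacks the Start or Stop marker. It assumes one session per file, a single-token device prompt ending in > or #, and a session that does not cross midnight.

```python
import re
from datetime import datetime

# Lines taken from the sample log on this page (some output lines omitted).
SAMPLE_LOG = """\
09:38:08.263 Session Recording Start for DEMO01-ASAv [10.100.16.52] – 05-17-2018 09h38m08s
09:38:08.348 User x logged in to Demo01-ASAv
09:38:09.669 Demo01-ASAv> en
09:38:10.957 Password: ********
09:38:11.164 Demo01-ASAv#
09:38:15.937 Demo01-ASAv# sh ver | in Version
09:38:15.937 Cisco Adaptive Security Appliance Software Version 9.8(2)20
09:38:20.158 Demo01-ASAv# exit
09:38:20.158
09:38:20.163 Session Recording Stop for DEMO01-ASAv [10.100.16.52] – 05-17-2018 09h38m20s
"""

# "On each line" prefix %h:%m:%s.%t, then the captured terminal text.
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})(?: (.*))?$")
# "Upon Connect" / "Upon Disconnect" strings as configured in the tutorial.
MARKER = re.compile(r"^Session Recording (Start|Stop) for (\S+) \[([^\]]+)\]")
# Assumption: the device prompt is a single token ending in '>' or '#'.
PROMPT = re.compile(r"^(\S+?)([>#])(?: (.*))?$")

def audit(log_text):
    """Return session metadata and the commands typed at the prompt."""
    out = {"session": None, "host": None, "start": None, "stop": None,
           "seconds": None, "commands": []}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # no per-line timestamp: not written with this setup
        stamp, text = line.group(1), line.group(2) or ""
        marker = MARKER.match(text)
        if marker:
            out["session"], out["host"] = marker.group(2), marker.group(3)
            out[marker.group(1).lower()] = stamp
            continue
        prompt = PROMPT.match(text)
        cmd = (prompt.group(3) or "").strip() if prompt else ""
        if cmd:
            out["commands"].append((stamp, prompt.group(2), cmd))
    # A log missing either marker was cut short or not recorded this way.
    out["complete"] = bool(out["start"] and out["stop"])
    if out["complete"]:  # assumes the session did not cross midnight
        fmt = "%H:%M:%S.%f"
        out["seconds"] = (datetime.strptime(out["stop"], fmt)
                          - datetime.strptime(out["start"], fmt)).total_seconds()
    return out
```

Each entry in `commands` is (timestamp, prompt character, command), so `>` versus `#` shows whether the command was typed before or after `en`. The password is absent only because the log itself contains asterisks on that line; anything the device prints in clear text is stored in the log as-is.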

That’s pretty much it. Let me know if it works for you or if you are having any issues. I hope you can embrace this feature, since it’s a powerful add-on that I believe everybody who is on the CLI all day should be leveraging.

Regards,
Bart
