SecureCRT: Session Logging
Session logging can prove extremely useful when recollecting events during troubleshooting scenarios or even configuration-binges. SecureCRT's logging settings allow the use of variables to define the filename/path. I've configured my default session to log every session whether I'm troubleshooting or just poking around.
For troubleshooting, I also like to maintain a Notepad++ file or quick handwritten notes with timestamps for significant events, so I can cross-reference them with my timestamped SecureCRT logs.
Custom Windows Environment Variable
I have configured a custom Windows environment variable, %SessionLogs%, that points to the directory of my choosing. This permits me to sync my sessions folder across multiple computers and VMs without having to worry about maintaining a similar directory structure on all of them.
Default Session Log File Settings
SecureCRT: Options > Edit Default Session... > Terminal > Log File
Option | Setting |
---|---|
Log file name | %SessionLogs%\%Y.%M%D\%Y.%M%D-%S_%COMPUTERNAME%.%USERNAME%.log |
Options→Start log upon connect | |
Options→Append to file | |
Options→Start new log at midnight | |
Custom log data→Upon connect | !!!!!CONNECT [%Y/%M/%D - %S - %COMPUTERNAME%\%USERNAME%] |
Custom log data→Upon disconnect | !!!!!DISCONN [%Y/%M/%D - %S - %COMPUTERNAME%\%USERNAME%] |
Custom log data→On each line | %h:%m:%s -- |
Resultant Data
13:14:19 -- !!!!!CONNECT [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]
13:14:19 -- User derek logged in to EDGE-FTD-01
13:14:19 -- Logins over the last 3 days: 4. Last login: 13:14:08 PST Feb 1 2018 from 10.19.1.107
13:14:19 -- Failed logins since the last login: 0.
13:14:19 -- Type help or '?' for a list of available commands.
13:14:21 -- EDGE-FTD-01# sh run access-gr
13:14:21 -- access-group inside-in in interface inside
13:14:21 -- access-group outside-in in interface outside
13:14:21 -- access-group dmz-in in interface dmz
13:14:21 -- EDGE-FTD-01#
13:14:22 -- !!!!!DISCONN [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]
Considerations
- Using Notepad++ I can use Ctrl+F and select Find All in Current Document to find events like !!!!!CONNECT, !!!!!DISCONN, <hostname>#, etc.
- The %COMPUTERNAME% environment variable is used because my SecureCRT config folder is synced across my workstations/jumpboxes that all write to the same SessionLogs folder, which is also synced; this separates the log files based on the computer I was connecting from.
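The same markers can be searched by script instead of by hand. The following Python parser is an added example, not part of the original post: it reads a log in the format shown under Resultant Data and returns, per session, the device, workstation, user, start/end times and the commands typed at the prompt. It assumes the SecureCRT session name (%S) matches the hostname in the device prompt, as it does in the sample; the function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample, abridged from the "Resultant Data" section above.
SAMPLE_LOG = r"""13:14:19 -- !!!!!CONNECT [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]
13:14:19 -- User derek logged in to EDGE-FTD-01
13:14:21 -- EDGE-FTD-01# sh run access-gr
13:14:21 -- access-group inside-in in interface inside
13:14:21 -- EDGE-FTD-01#
13:14:22 -- !!!!!DISCONN [2018/03/12 - EDGE-FTD-01 - DS-P51\Derek]
"""

# "On each line" prefix: %h:%m:%s --
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}) -- (.*)$")
# Custom connect/disconnect data: [%Y/%M/%D - %S - %COMPUTERNAME%\%USERNAME%]
MARKER = re.compile(r"^!!!!!(CONNECT|DISCONN) "
                    r"\[(\d{4}/\d{2}/\d{2}) - (.+) - ([^\\\]]+)\\([^\]]+)\]$")

def parse_sessions(text):
    """Return one dict per CONNECT marker, including commands typed at the prompt."""
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # no per-line timestamp prefix, not a logged line
        stamp, body = m.groups()
        marker = MARKER.match(body)
        if marker:
            kind, date, host, computer, user = marker.groups()
            if kind == "CONNECT":
                current = {"date": date, "host": host, "workstation": computer,
                           "user": user, "start": stamp, "end": None, "commands": []}
                sessions.append(current)
            elif current is not None:
                current["end"] = stamp
                current = None
            continue
        # Assumption: the prompt is "<session name>#"; a bare prompt is skipped.
        if current and body.startswith(current["host"] + "#"):
            command = body[len(current["host"]) + 1:].strip()
            if command:
                current["commands"].append((stamp, command))
    return sessions

def unterminated(sessions):
    """Sessions whose DISCONN marker is missing from the parsed text."""
    return [s for s in sessions if s["end"] is None]
```

Because the file name carries only the date and names, running `parse_sessions` over each day's file and concatenating the results gives a per-device command history that can be lined up against the handwritten timestamps.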