RSA Admin

Trying to set up email alerts for failed SSH logins

Discussion created by RSA Admin Employee on Jul 19, 2010
Latest reply on Jul 24, 2010 by RSA Admin



I am using Red Hat Enterprise Linux 5.5 and forwarding all syslog messages to the enVision system. I want to alert whenever an SSH user fails to log in.


The data I want to alert on:


This is generated from syslog:


Failed password for invalid user user from port 34463 ssh2


I have identified the message to be:


<agent>[<data>]: Failed password { for illegal user | for invalid user | for } <username> { from ::ffff: | from } <faddr> port <fport> <protocol> <@ntype:22><@action:authentication failure><@:*SYSVAL($MSGID,$ID1)>  No threshold 


I have configured alerts to send me an email when this happens. I don't get an email, nor do I get an alert in the alert history window. If I use Event Explorer, I do see the event coming in with the correct message ID.


What could be wrong?
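
Added example, not part of the original post and not enVision syntax: a Python regular expression that mirrors the three "for ..." variants and the optional "::ffff:" prefix of the message definition quoted above, run over constructed syslog lines to show which ones yield the username, faddr and fport fields. The host name, addresses and function names are assumptions made for illustration.

```python
import re

# Python rendering (an assumption, not enVision syntax) of the definition above:
#   <agent>[<data>]: Failed password { for illegal user | for invalid user | for }
#   <username> { from ::ffff: | from } <faddr> port <fport> <protocol>
FAILED_PASSWORD = re.compile(
    r"(?P<agent>[\w./-]+)\[(?P<data>\d+)\]: Failed password for "
    r"(?P<invalid>(?:illegal|invalid) user )?"      # optional "unknown account" marker
    r"(?P<username>\S+) from (?:::ffff:)?"          # strip the IPv4-mapped IPv6 prefix
    r"(?P<faddr>\S+) port (?P<fport>\d+) (?P<protocol>\S+)\s*$"
)

def parse_failed_password(line):
    """Return the extracted fields as a dict, or None if the line is not a match."""
    m = FAILED_PASSWORD.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["invalid"] = event["invalid"] is not None  # True when the account is unknown
    event["fport"] = int(event["fport"])
    event["action"] = "authentication failure"       # same label as <@action:...>
    return event

def failures_by_source(lines):
    """Count matching events per source address."""
    counts = {}
    for line in lines:
        event = parse_failed_password(line)
        if event is not None:
            counts[event["faddr"]] = counts.get(event["faddr"], 0) + 1
    return counts

# Constructed sample lines (documentation address ranges, hypothetical host "rhel55").
SAMPLE_LINES = [
    "Jul 19 10:02:11 rhel55 sshd[4121]: Failed password for invalid user user from 192.0.2.10 port 34463 ssh2",
    "Jul 19 10:02:15 rhel55 sshd[4121]: Failed password for illegal user test from ::ffff:192.0.2.10 port 34470 ssh2",
    "Jul 19 10:03:40 rhel55 sshd[4130]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jul 19 10:04:02 rhel55 sshd[4133]: Accepted password for alice from 203.0.113.7 port 51030 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_failed_password(line))
    print(failures_by_source(SAMPLE_LINES))
```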