RSA Admin

Trying to set up email alerts for failed ssh logins

Discussion created by RSA Admin Employee on Jul 19, 2010
Latest reply on Jul 24, 2010 by RSA Admin

Hi,

I am using Redhat Enterprise Linux 5.5 and forwarding all syslog messages to the Envision system. I want to alert whenever an SSH user fails to login.

The data I want to alert on :

This is generated from syslog :

Failed password for invalid user user from 127.0.0.1 port 34463 ssh2

I have identified the message to be :

00020:03
<agent>[<data>]: Failed password { for illegal user | for invalid user | for } <username> { from ::ffff: | from } <faddr> port <fport> <protocol> <@ntype:22><@action:authentication failure><@:*SYSVAL($MSGID,$ID1)>  No threshold 

I have configured alerts to send me an email when this happens. I don't get an email nor do I get an alert in the alert history window. If I use event explorer I do see the event coming in with the correct message id.

What could be wrong?
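To check whether a forwarded sshd line really satisfies the alternatives in message definition 00020:03 quoted above (the "for illegal user | for invalid user | for" and "from ::ffff: | from" branches), here is an added example, not code from the original post or from Envision, that implements the same grammar as a regex and runs it over constructed sample syslog lines; the host name, PIDs and addresses in the samples are assumptions.

```python
import re
from typing import Optional

# Mirrors the Envision definition 00020:03 from the post: the optional
# "illegal user" / "invalid user" tag and the optional "::ffff:" prefix.
# Group names follow the definition's tokens (agent, data, username, ...).
FAILED_PASSWORD = re.compile(
    r"(?P<agent>\w+)\[(?P<data>[^\]]+)\]: Failed password for "
    r"(?:(?P<tag>illegal user|invalid user) )?(?P<username>\S+) "
    r"from (?:::ffff:)?(?P<faddr>\S+) port (?P<fport>\d+) (?P<protocol>\S+)$"
)


def parse_failed_password(line: str) -> Optional[dict]:
    """Return the fields of a 'Failed password' sshd event, or None when
    the line does not match the message definition at all."""
    m = FAILED_PASSWORD.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["invalid_user"] = fields.pop("tag") is not None
    fields["fport"] = int(fields["fport"])
    return fields


def failed_logins_by_source(lines) -> dict:
    """Count matching events per source address (faddr). The definition in
    the post has no threshold, so one event should already alert; a per-source
    count is what a thresholded rule would build on."""
    counts = {}
    for line in lines:
        ev = parse_failed_password(line)
        if ev:
            counts[ev["faddr"]] = counts.get(ev["faddr"], 0) + 1
    return counts


# Constructed sample lines (not from the post). The first reproduces the
# text quoted in the post with an assumed syslog header and sshd[pid] prefix.
SAMPLE_LINES = [
    "Jul 19 09:12:01 rhel55 sshd[2231]: Failed password for invalid user user from 127.0.0.1 port 34463 ssh2",
    "Jul 19 09:12:05 rhel55 sshd[2235]: Failed password for root from ::ffff:192.0.2.10 port 51022 ssh2",
    "Jul 19 09:12:09 rhel55 sshd[2240]: Failed password for illegal user admin from 192.0.2.10 port 51030 ssh2",
    "Jul 19 09:12:12 rhel55 sshd[2244]: Accepted password for alice from 192.0.2.20 port 51040 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_failed_password(sample))
    print(failed_logins_by_source(SAMPLE_LINES))
```

If a real forwarded line does not match here, compare it field by field with the quoted definition (for example a missing "port" token or a different protocol string), since the parser and the alert rule can only fire on what the definition actually accepts.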
