For more details, please see ourCookie Policy.


Fibre Channel (SAN)

Reply
New Contributor
Posts: 2
Registered: ‎12-29-2017

Audit log: Why i get a successful and failed login with a local user?

Hello together,


I enabled the audit login for security and firmware to get monitoring notifies for failed logins. Now im totaly wondering about that I get 2 messages if I loged in with local user account:


Oct 10 08:52:06 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/10.3.220.13/telnet/CLI, ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.3.220.13.
Oct 10 09:00:04 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/10.3.220.13/None/CLI, None/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.3.220.13.


I don't get 2 messages if I loged in with a LDAP user. Can everybody explain me what's happend?


Many thanks and regards

Christian

Broadcom Moderator
Posts: 415
Registered: ‎08-31-2009

Re: Audit log: Why i get a successful and failed login with a local user?

Hello,

 

Are you talking about the 2 messages mentioned?:

 

[SEC-3020] on Oct 10 08:52:06 and [SEC-3021] on Oct 10 09:00:04

 

It is looking like that those messages have no relationships because it has been created respectively at around 8 minutes difference. One successful login and the other one is a failure.

 

  

 

Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
New Contributor
Posts: 2
Registered: ‎12-29-2017

Re: Audit log: Why i get a successful and failed login with a local user?

Hello,

 

the entries was a example from the brocade documentation:

http://www.brocade.com/content/html/en/administration-guide/fos-740-admin/GUID-5D0EB7B7-74E1-4A0D-89BF-7F88B6ACFA92.html

 

I test it by my self via ssh.

 

6 AUDIT, 2017/12/28-03:20:36 (CET), [SEC-3021], INFO, SECURITY, admin/NONE/HOST-FQDN/None/CLI, None/Hostname/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 192.168.0.1

 

7 AUDIT, 2017/12/28-03:20:37 (CET), [SEC-3020], INFO, SECURITY, admin/admin/HOST-FQDN/ssh/CLI, ad_0/Hostname/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 192.168.0.1

 

The difference they I can see are:

admin/NONE/HOST-FQDN/None/CLI, None/Hostname/FID 128 

 

vs

 

admin/admin/HOST-FQDN/ssh/CLI, ad_0/Hostname/FID 128

 

I have this behavior (2 log messages for one login session) only If I loged in with a local switch user via ssh.

If I did the same with LDAP user I get only 1 successful message.

 

Thanks and regards

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.