Creating alert for root login

flahammerhead · ‎01-23-2015

Greetings: using BA 12.1 on linux. Discovered all my foundry/brocade devices. Configured network-devices authentication with radius and snmpv3. It all works fine. Configs are backed-up by BA and I can "push" cli commands and more. I get routine syslog alerts so I know email is working too (I simply enabled email of emergency syslog messages).

Problem: I want to create a simple alert for "root access" to any of the devices (routers/switches). As I am using Radius with A/D, there is no need to use root. As much as I have tried, I cannot get BA to "fire" alert for root login. What I have done is:

Create event-action using custom event and "Description Contains" rejected (or SSH login root - or anything that appears in the console log entry for the root login attempt. It just doesn't work.

Documentation is not all that bad but not all that great either and I am used to google for answers with Cisco/Juniper/etc. Can't find anything.

Any advice from anyone would be greatly appreciated

flahammerhead · ‎01-23-2015

I actually figured out a way using the results of the syslog entries that are passed to BA from the device when user authorization fails (be it root or someone trying to run a dictionary attack with various combinations of users/passwords). I simply added a search condition that looks for "rejected" which is in the syslog message. When found I set-up to send an email.

Regarding "traps" I still cannot figure out why I am not getting them

Products

Solutions

Education & Certification

Tools

Technology

Technology

Industry

Global Services

International

Office of the CTO

Corporate

Partners

Management Software

Creating alert for root login

Re: Creating alert for root login

Join the Community