01-23-2015 06:29 PM - edited 01-23-2015 06:38 PM
Greetings: using BA 12.1 on Linux. Discovered all my Foundry/Brocade devices. Configured network-device authentication with RADIUS and SNMPv3. It all works fine. Configs are backed up by BA and I can "push" CLI commands and more. I get routine syslog alerts, so I know email is working too (I simply enabled email of emergency syslog messages).
Problem: I want to create a simple alert for "root access" to any of the devices (routers/switches). As I am using RADIUS with A/D, there is no need to use root. As much as I have tried, I cannot get BA to "fire" an alert for root login. What I have done is:
Create an event-action using a custom event and "Description Contains" rejected (or SSH login root - or anything that appears in the console log entry for the root login attempt). It just doesn't work.
Documentation is not all that bad but not all that great either, and I am used to Google for answers with Cisco/Juniper/etc. Can't find anything.
Any advice from anyone would be greatly appreciated.
02-08-2015 01:27 PM - edited 02-08-2015 01:29 PM
I actually figured out a way using the results of the syslog entries that are passed to BA from the device when user authorization fails (be it root or someone trying to run a dictionary attack with various combinations of users/passwords). I simply added a search condition that looks for "rejected", which is in the syslog message. When found, I set it up to send an email.
Regarding "traps", I still cannot figure out why I am not getting them.
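
The keyword match described in the post above, as an added example that is not part of the original thread: it flags syslog lines containing "rejected", picks out root attempts, and lists source addresses that tried several usernames. The log lines are constructed, and the `login by <user> from <address>` wording is an assumption, not confirmed Brocade output.

```python
import re

# Constructed sample lines (RFC 3164 style); not real device output.
SAMPLE = [
    "<37>Feb  8 13:01:12 sw-core-01 Security: SSH login by root from 192.0.2.10 rejected",
    "<37>Feb  8 13:01:15 sw-core-01 Security: SSH login by admin from 192.0.2.10 rejected",
    "<37>Feb  8 13:01:19 sw-core-01 Security: SSH login by oracle from 192.0.2.10 rejected",
    "<38>Feb  8 13:05:40 rtr-edge-02 Security: SSH login by jsmith from 198.51.100.7 accepted",
    "<37>Feb  8 13:09:02 rtr-edge-02 Security: telnet login by root from 198.51.100.9 rejected",
]

# <PRI>Mmm dd hh:mm:ss host message
HEADER = re.compile(r"^<\d+>\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<msg>.*)$")
# Assumed message wording; adjust to what your devices actually log.
LOGIN = re.compile(r"login by (?P<user>\S+) from (?P<src>\S+)")

def rejected_logins(lines, keyword="rejected"):
    """Return one dict per syslog line whose message contains the keyword."""
    hits = []
    for line in lines:
        m = HEADER.match(line)
        if not m or keyword.lower() not in m["msg"].lower():
            continue
        who = LOGIN.search(m["msg"])
        hits.append({
            "host": m["host"],
            "user": who["user"] if who else None,
            "src": who["src"] if who else None,
            "msg": m["msg"],
        })
    return hits

def summarize(hits, watch_user="root", burst=3):
    """Split hits into watched-account attempts and sources trying many usernames."""
    watched = [h for h in hits if h["user"] == watch_user]
    users_per_src = {}
    for h in hits:
        users_per_src.setdefault(h["src"], set()).add(h["user"])
    many_users = sorted(s for s, u in users_per_src.items() if s and len(u) >= burst)
    return watched, many_users

if __name__ == "__main__":
    watched, many_users = summarize(rejected_logins(SAMPLE))
    for h in watched:
        print(f"ALERT root login rejected on {h['host']} from {h['src']}")
    print("Sources trying several usernames:", many_users)
```

Matching on the username as well as the keyword keeps the root alert separate from ordinary mistyped passwords, which a bare "rejected" match would also report.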