numark
Level 7
Message 1 of 5

Email / Alert on failed logins

Is there a feature to configure a rule to alert or send an email on a failed login?

I know it will show on the home screen when there is a failed log-in, but I would like something that can alert a little better. Syslog maybe too?

Thanks!

4 Replies
McAfee Employee jscholte
McAfee Employee
Message 2 of 5

Re: Email / Alert on failed logins

Hi again Numark,

There is a best practice for that!

If you haven't already, be sure to check out the Master list of Best Practices:

Best,

Jon

numark
Level 7
Message 3 of 5

Re: Email / Alert on failed logins

Here is what I have configured, but it doesn't appear to be working. Is 1701 not the correct key?

Thanks Jon!

Also, is there a key inside the UI to look for that can also see the failed ssh/console auths?

[Attached images: 1.png, 2.png]

McAfee Employee jscholte
McAfee Employee
Message 4 of 5

Re: Email / Alert on failed logins

Hi Numark,

The ruleset you imported is correct, and I believe 1701 is right. However, there is one adjustment I want to make to the best practice, and then it would be perfect. I'll try to do that today.

As far as failed SSH logins, there isn't anything in the GUI, but you could log that over syslog in the rsyslogd.conf under Configuration > Appliances > File Editor.

Best,

Jon

McAfee Employee jscholte
McAfee Employee
Message 5 of 5

Re: Re: Email / Alert on failed logins

Here is a revised ruleset. I'll work with the owner of the article to get it updated.

The revised ruleset allows you to pick the ID you want to monitor for AND allows you to fall back to the original description of the incident.

So in your example you have "1701 > 1000;bad login"

With the new ruleset you can just put "1701 > 1000;". This will have the MWG fill in the message instead of using a generic message that you came up with.

Make sense?


Best,

Jon
