cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 7
Report Inappropriate Content
Message 1 of 5

Email / Alert on failed logins

Is there a feature to configure a rule to alert or send an email on a failed login.

I know it will show on the home screen when there is a failed log-in, but I would like something that can alert a little better. Syslog maybe too?

Thanks!

4 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: Email / Alert on failed logins

Hi again Numark,

There is a best practice for that!

If you havent already be sure to check out the Master list of Best Practices:

Best,

Jon

Highlighted
Level 7
Report Inappropriate Content
Message 3 of 5

Re: Email / Alert on failed logins

Here is what I have configured but it doesnt appear to be working. Is 1701 not the correct key?

Thanks Jon!

Also, is there a key inside the UI to look for that can also see the failed ssh/console auths?

1.png2.png

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Email / Alert on failed logins

Hi Numark,

The ruleset you imported is correct, I believe 1701 is right, however there is on adjustment I want to make to the best practice and then it would be perfect, I'll try to do that today.

As far as failed SSH logins, there isnt anything in the GUI, but you could log that over syslog in the rsyslogd.conf under Configuration > Appliances > File Editor.

Best,

Jon

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Re: Email / Alert on failed logins

Here is a revised ruleset. I'll work with the owner of the article to get it updated.

The revised ruleset allow you to pick the ID you want to monitor for AND allow you to fallback to the original description of the incident.

So in your example you have "1701 > 1000;bad login"

With the new ruleset you can just put "1701 > 1000;" this will have the MWG fill in the message instead of using a generic message that you came up with.

Make sense?


Best,

Jon

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community