numark
Level 7

Email / Alert on failed logins

Is there a feature to configure a rule to alert or send an email on a failed login?

I know it will show on the home screen when there is a failed log-in, but I would like something that can alert a little better. Syslog maybe too?

Thanks!

0 Kudos
4 Replies
McAfee Employee

Re: Email / Alert on failed logins

Hi again Numark,

There is a best practice for that!

If you haven't already, be sure to check out the Master list of Best Practices:

Best,

Jon

0 Kudos
numark
Level 7

Re: Email / Alert on failed logins

Here is what I have configured, but it doesn't appear to be working. Is 1701 not the correct key?

Thanks Jon!

Also, is there a key inside the UI to look for that can also see the failed ssh/console auths?

[Attached screenshots: 1.png, 2.png]

0 Kudos
McAfee Employee

Re: Email / Alert on failed logins

Hi Numark,

The ruleset you imported is correct, and I believe 1701 is right; however, there is one adjustment I want to make to the best practice, and then it would be perfect. I'll try to do that today.

As far as failed SSH logins, there isn't anything in the GUI, but you could log that over syslog in the rsyslogd.conf under Configuration > Appliances > File Editor.

Best,

Jon

0 Kudos
McAfee Employee

Re: Re: Email / Alert on failed logins

Here is a revised ruleset. I'll work with the owner of the article to get it updated.

The revised ruleset allows you to pick the ID you want to monitor for AND allows you to fall back to the original description of the incident.

So in your example you have "1701 > 1000;bad login"

With the new ruleset you can just put "1701 > 1000;". This will have the MWG fill in the message instead of using a generic message that you came up with.

Make sense?


Best,

Jon

0 Kudos