Good morning, I am setting up alerting for failed logins. I have done so for HP Nimble and Dell XtremIO. Dell Unity is giving me some problems.
I have Graylog and a very basic Windows Syslog server setup and receiving logs. On the Windows Server, I will see:
Time: Jan 3 12:50:37
IP:
Host:
Facility: user
Priority: warning
Tag: Mnsvc_unique[4312]
Message: “2021-01-03T12:50:37.279Z” “” “Mnsvc_unique” “4312” “unix/spa/root” “WARN” “1:7DB” :: “Authentication session Session_71617_1599756300 failed: Principal User hacker LocalDirectory/Local” :: Category=Authentication Component=MnsvcServer TimeZone=UTC
On the GrayLog server, I just… don’t…
I am finding some things on the GrayLog server. I am able to find successful logins for example:
facility: user-level
facility_num: 1
level: 6
message: Neo_CEM[4312]: “2021-01-03T08:25:00.802Z” “” “Neo_CEM” “4312” “srm” “INFO” “14:560001” :: “Authentication successful.Username: srm ClientIP: .” :: Category=Audit Component=CASAuthentication TimeZone=UTC
source:
timestamp: 2021-01-03T13:25:00.000Z
That message on the Windows Syslog looks like:
Time: Jan 3 12:49:57
IP:
Host:
Facility: user
Priority: info
Tag: Neo_CEM[4312]
Message: “2021-01-03T12:49:57.837Z” “” “Neo_CEM” “4312” “srm” “INFO” “14:560001” :: “Authentication successful.Username: srm ClientIP: .” :: Category=Audit Component=CASAuthentication TimeZone=UTC
This is Graylog v4.0.1+6a0cc0b
I’m not sure what to do. I see the successful event pop immediately on Graylog and the Windows Syslog. I see the unsuccessful event pop on the Windows Syslog, but not Graylog.
I am using a search of All Messages, All time. Thank you, Z.
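Added example (not from the post, Dell, or Graylog): a small parser for the Dell Unity message layout shown above (seven quoted header fields, a quoted message text and a Category/Component/TimeZone tail, separated by ` :: `), which tolerates the optional `Tag[pid]: ` prefix that Graylog keeps in the message field and classifies each line as an authentication success or failure. The sample lines are constructed from the two messages in the post; the field names in the returned dict are my own.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the two messages quoted in the post:
# the first as Graylog stores it (syslog tag prefix kept), the second as the
# Windows syslog server shows the Message field on its own.
SAMPLE_LINES = [
    'Neo_CEM[4312]: "2021-01-03T08:25:00.802Z" "" "Neo_CEM" "4312" "srm" "INFO" "14:560001" :: '
    '"Authentication successful.Username: srm ClientIP: ." :: '
    'Category=Audit Component=CASAuthentication TimeZone=UTC',
    '"2021-01-03T12:50:37.279Z" "" "Mnsvc_unique" "4312" "unix/spa/root" "WARN" "1:7DB" :: '
    '"Authentication session Session_71617_1599756300 failed: Principal User hacker LocalDirectory/Local" :: '
    'Category=Authentication Component=MnsvcServer TimeZone=UTC',
]

QUOTED = re.compile(r'[“"]([^“”"]*)[”"]')              # straight or curly quotes, as pasted
TAG_PREFIX = re.compile(r'^\s*(?P<tag>[\w.-]+)\[(?P<pid>\d+)\]:\s*')
KV = re.compile(r'(\w+)=(\S+)')

def parse_unity_line(line: str) -> Optional[dict]:
    """Parse one Dell Unity auth/audit message into a dict; None if the layout does not match."""
    m = TAG_PREFIX.match(line)
    tag = m.group('tag') if m else None
    body = line[m.end():] if m else line
    parts = body.split(' :: ')
    if len(parts) != 3:
        return None
    header = QUOTED.findall(parts[0])                  # timestamp, "", component, pid, context, level, code
    if len(header) != 7:
        return None
    quoted_text = QUOTED.findall(parts[1])
    text = quoted_text[0] if quoted_text else parts[1].strip()
    kv = dict(KV.findall(parts[2]))
    event = {'tag': tag, 'time': header[0], 'component': header[2], 'pid': header[3],
             'context': header[4], 'level': header[5], 'code': header[6], 'text': text,
             'category': kv.get('Category'), 'source_component': kv.get('Component')}
    # Outcome and user: success lines carry "Username: <name>", failures "Principal User <name>".
    if 'Authentication successful' in text:
        u = re.search(r'Username:\s*(\S+)', text)
        event.update(outcome='success', user=u.group(1) if u else None)
    elif 'failed' in text:
        u = re.search(r'Principal User (\S+)', text)
        event.update(outcome='failure', user=u.group(1) if u else None)
    else:
        event.update(outcome='other', user=None)
    return event

def failed_logins(lines):
    """(user, time, syslog level) for every authentication failure: the condition to alert on."""
    events = (parse_unity_line(l) for l in lines)
    return [(e['user'], e['time'], e['level']) for e in events if e and e['outcome'] == 'failure']
```

Note that the failure line arrives at level WARN (syslog priority warning) while the success line is INFO, so a quick check is to search Graylog for `level:4` from that source rather than for the message text.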