Solved: Re: Login Attempt Source Address? - Page 2

fyrefighter77 · ‎01-06-2010

Hi all,

Am I missing something really simple? Is there a way to see the source of a failed login attempt in the authentication logs on an IronPort C150?

For instance: Wed Jan 6 10:57:39 2010 Info: User XXX failed authentication.

pvdberg00 · ‎01-29-2010

I think nothing is logged in the cli or gui logs. If there is please let us know via this.

Peter.

fsarwary · ‎01-29-2010

CLI example:

Fri Jan 29 09:28:27 2010 Info: PID 93074: User admin login from 192.168.3.56 on 10.92.152.77

GUI example:

Fri Jan 29 15:30:19 2010 Info: req:192.168.3.56 user:- id:eKV0321MgmA92WAlrkJb 200 GET /login HTTP/1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

pvdberg00 · ‎01-30-2010

Are there also entries about failed logons?

Peter.

mychrislo · ‎02-07-2010

You may want to look at external authentication. although this would be involving other aspect.

But most radius and ldap server will log failed attempts when configured properly.

And yes, Ironport should also provide this, even without external authentication.

fsarwary · ‎02-08-2010

Yes it will also log failed attempts.

jamesnoad · ‎02-10-2010

Successful logins and their source IP are recorded in the cli_logs and gui_logs

Successful and unsuccessful logins are recorded in the authentication log. However the source IP os not recorded.

The source IP of unsuccessful logins is recorded in one of the private log files. There is probably a bug/FR for this to be visible appear in authentication logs. Raise a ticket with Customer Support and nudge your SE.