01-02-2014 06:54 AM - edited 03-16-2019 09:04 PM
SeverityMatch : Critical
MatchedEvent : Jan 2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :
NodeID : CUC02
TimeStamp : Thu Jan 02 07:22:48 CST 2014.
I am receiving the following alerts. Is there any way to stop them, or is there any impact?
01-02-2014 07:37 AM
Hi,
The error is received if you log into DRS site, OS admin site or console via SSH using a wrong password.
Regards
Please remember to rate useful posts clicking on the stars below.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
07-30-2015 12:03 PM
Hi; I am trying to find information with respect to this error. Can't you help me with reference to this message?
SyslogSeverityMatchFound events generated:
SeverityMatch : Alert
MatchedEvent : Jul 29 15:21:50 cucm-pub-tri-qro-bansefi-0001 authpriv 1
sshd[1651]: pam_unix(sshd:auth): check pass; user unknown AppID : Cisco
Syslog Agent ClusterID :
NodeID : cucm-pub-tri-qro-bansefi-0001
thanks
08-05-2015 10:29 AM
Greetings,
If the error is received when logging into DRS site - OS admin site or console via SSH using a wrong password, wouldn't you also receive the Authentication Failed syslog? Unless these are reporting two separate log in errors from different sources. I'm a bit confused.
SeverityMatch : Critical
MatchedEvent : Jan 2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :
SeverityMatch : Critical
Number of AuthenticationFailed events exceeds configured threshold during configured interval of time 1 within 3 minutes
on cluster StandAloneCluster.
There are 2 AuthenticationFailed events (up to 30) received during the monitoring interval
Any insight is greatly appreciated!
Thanks in advance,
D
01-02-2014 07:49 AM
This alert is for security. pam_succeed_if is designed for succeeded or failed authentication, and this alert is a warning that a user tried to log in to SSH with invalid credentials.
Do you get this alert every day or two? How frequently are you getting this?
Br,
Nadeem
Please rate all useful posts.
01-02-2014 09:11 AM
You might want to check with others in I.T. to see if there are any programs on the network that attempt to sign into your systems for security purposes.
I get this alert every other day. It is done by our network / security team's software. The software attempts to login to the systems using common passwords.
10-17-2017 02:36 PM
Is there any way to track the ip address that these attempts were made from or only the user ID that was attempted?
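Relating to the last question above, as an added example that is not part of any post in this thread: the matched events quoted here carry only the user name, but the sshd process ID in brackets can tie them to other messages from the same connection that do record the client address. The sketch assumes the node's collected security log also contains standard OpenSSH `Failed password ... from <ip>` or pam_unix `rhost=` lines; every log line except the first is constructed.

```python
import re
from collections import defaultdict

# First line is the event from the alert above; the other three are constructed
# samples in standard OpenSSH / pam_unix wording (assumed present in the node's log).
SAMPLE_LOG = """\
Jan 2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm
Jan 2 07:22:47 CUC02 authpriv 5 sshd[29949]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 07:22:49 CUC02 authpriv 6 sshd[29949]: Failed password for invalid user mlm from 192.0.2.15 port 51514 ssh2
Jan 2 07:30:01 CUC02 authpriv 5 sshd[30112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
"""

# "<date> <host> <facility> <severity> sshd[<pid>]: <message>", as in the alerts above.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) \S+ \d+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_PATTERNS = [
    re.compile(r"error retrieving information about user (\S+)"),
    re.compile(r"Failed password for (?:invalid user )?(\S+) from"),
    re.compile(r"\buser=(\S+)"),   # \b keeps this from matching "ruser="
]
SOURCE_PATTERNS = [
    re.compile(r"\bfrom (\S+) port \d+"),
    re.compile(r"\brhost=(\S+)"),
]

def correlate(log_text):
    """Group sshd auth messages by (host, pid); collect users and client addresses."""
    sessions = defaultdict(lambda: {"users": set(), "sources": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line in the expected layout
        entry = sessions[(m["host"], m["pid"])]
        for pat in USER_PATTERNS:
            entry["users"].update(pat.findall(m["msg"]))
        for pat in SOURCE_PATTERNS:
            entry["sources"].update(pat.findall(m["msg"]))
    return dict(sessions)

def sessions_without_source(sessions):
    """Sessions where only a user name was logged, so no address can be attributed."""
    return sorted(key for key, info in sessions.items() if not info["sources"])

if __name__ == "__main__":
    for (host, pid), info in sorted(correlate(SAMPLE_LOG).items()):
        print(host, pid, sorted(info["users"]), sorted(info["sources"]) or "no source logged")
```

Process IDs are reused over time, so on a long log the grouping should also be bounded by timestamp before an address is attributed to a user name.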