RTMT Alert SeverityMatch : Critical pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :

Ronit Malhotra
Level 1

SeverityMatch : Critical

MatchedEvent : Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID : 

NodeID : CUC02

TimeStamp : Thu Jan 02 07:22:48 CST 2014.

I am receiving the following alerts. Is there any way to stop them, or do they have any impact?

6 Replies

Hi,

The error is received if you log into DRS site, OS admin site or console via SSH using a wrong password.

Regards

Please remember to rate useful posts clicking on the stars below.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie


Hi, I am looking for information about this error. Can you help me with this message?

SyslogSeverityMatchFound events generated:
SeverityMatch : Alert
MatchedEvent : Jul 29 15:21:50 cucm-pub-tri-qro-bansefi-0001 authpriv 1 sshd[1651]: pam_unix(sshd:auth): check pass; user unknown AppID : Cisco Syslog Agent ClusterID :
NodeID : cucm-pub-tri-qro-bansefi-0001

Thanks

Greetings,

If the error is received when logging into the DRS site, OS admin site or console via SSH using a wrong password, wouldn't you also receive the Authentication Failed syslog? Unless these are reporting two separate login errors from different sources. I'm a bit confused.

SeverityMatch : Critical

MatchedEvent : Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :

SeverityMatch : Critical

Number of AuthenticationFailed events exceeds configured threshold during configured interval of time 1 within 3 minutes on cluster StandAloneCluster.

There are 2 AuthenticationFailed events (up to 30) received during the monitoring interval

Any insight is greatly appreciated!  

Thanks in advance,

D

Nadeem Ahmed
Cisco Employee

This alert is for security. pam_succeed_if is designed for succeeded or failed authentication, and this alert is a warning that a user tried to log in to SSH with invalid credentials.

Do you get this alert every day or two? How frequently are you getting it?


Br,
Nadeem 

Please rate all useful posts.

David Perez
Level 1

You might want to check with others in I.T. to see if there are any programs on the network that attempt to sign into your systems for security purposes.

I get this alert every other day. It is done by our network / security team’s software. The software attempts to login to the systems using common passwords.

Is there any way to track the ip address that these attempts were made from or only the user ID that was attempted?
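As an added example that is not part of this thread, the Python below parses sshd PAM syslog lines in the format the alerts above quote and re-creates the AuthenticationFailed rule from the RTMT alert (more than 1 failed-auth event within 3 minutes on one node), grouping by node and attempted user ID, which is all these lines record (they carry no source address). The sample lines are constructed from the thread's alerts, and the year is assumed to be 2014 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format the alerts above quote. The digit after the
# facility is the syslog severity (1 = alert, 2 = critical), which is what the
# RTMT SeverityMatch rule keys on.
SAMPLE_LOG = """\
Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm
Jan  2 07:23:10 CUC02 authpriv 2 sshd[29951]: pam_succeed_if(sshd:auth): error retrieving information about user mlm
Jan  2 07:40:00 CUC02 authpriv 1 sshd[29990]: pam_unix(sshd:auth): check pass; user unknown
Jul 29 15:21:50 cucm-pub-tri-qro-bansefi-0001 authpriv 1 sshd[1651]: pam_unix(sshd:auth): check pass; user unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \w+ (?P<sev>\d) "
    r"sshd\[\d+\]: (?P<module>pam_\w+)\(sshd:auth\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"about user (\S+)")


def parse_line(line, year=2014):
    """Return a dict for one sshd PAM syslog line, or None for any other line.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2014 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Jan  2")
    user = USER_RE.search(m["msg"])
    return {
        "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "severity": int(m["sev"]),
        "module": m["module"],
        # pam_unix "user unknown" lines name no account, so record that explicitly
        "user": user.group(1) if user else "unknown",
    }


def failed_auth_alerts(lines, threshold=1, window=timedelta(minutes=3), year=2014):
    """Emit one alert per node the first time more than `threshold` failed-auth events
    fall inside `window`, mirroring the RTMT rule quoted above (1 within 3 minutes)."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        start = 0
        for i, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward past stale events
            if i - start + 1 == threshold + 1:
                alerts.append({"host": host, "first": evs[start]["time"], "count": i - start + 1,
                               "users": sorted({x["user"] for x in evs[start:i + 1]})})
    return alerts
```

Running `failed_auth_alerts(SAMPLE_LOG.splitlines())` flags only CUC02, where two failures for user mlm land 23 seconds apart; the single pam_unix event on the other node stays below the threshold.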
