Beginner

RTMT Alert SeverityMatch : Critical pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :

SeverityMatch : Critical

MatchedEvent : Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID : 

NodeID : CUC02

TimeStamp : Thu Jan 02 07:22:48 CST 2014.

I am receiving the following alerts. Is there any way to stop them, or is there any impact?

Rising star

Hi,

The error is received if you log into DRS site, OS admin site or console via SSH using a wrong password.

Regards

Please remember to rate useful posts clicking on the stars below.
Please rate all useful answers by clicking on the stars below.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie


Hi, I am trying to find information with respect to this error. Can you help me with regard to this message?

 

SyslogSeverityMatchFound events generated:  
SeverityMatch : Alert
MatchedEvent : Jul 29 15:21:50 cucm-pub-tri-qro-bansefi-0001 authpriv 1 sshd[1651]: pam_unix(sshd:auth): check pass; user unknown AppID : Cisco Syslog Agent ClusterID :
NodeID : cucm-pub-tri-qro-bansefi-0001

 

thanks


Greetings,

If the error is received when logging into DRS site - OS admin site or console via SSH using a wrong password, wouldn't you also receive the Authentication Failed syslog?  Unless these are reporting two separate log in errors from different sources.  I'm a bit confused.

 

SeverityMatch : Critical

MatchedEvent : Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID : 

 

SeverityMatch : Critical

Number of AuthenticationFailed events exceeds configured threshold during configured interval of time 1 within 3 minutes
 on cluster StandAloneCluster.

There are 2 AuthenticationFailed events (up to 30) received during the monitoring interval

 

Any insight is greatly appreciated!  

Thanks in advance,

D

 

Cisco Employee

This alert is for security. pam_succeed_if is designed for succeeded or failed authentication, and this alert is a warning that a user tried to log in to SSH with invalid credentials.

Do you get this alert every day or two? How frequently are you getting this?


Br,
Nadeem 

Please rate all useful posts.

Beginner

You might want to check with others in I.T. to see if there are any programs on the network that attempt to sign into your systems for security purposes.

I get this alert every other day. It is done by our network / security team’s software. The software attempts to login to the systems using common passwords.


Is there any way to track the ip address that these attempts were made from or only the user ID that was attempted?
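
An added example, not part of any post in this thread and not Cisco code: a Python parser for the RTMT `MatchedEvent` text quoted above that counts sshd PAM failures per node, PAM module and attempted user, so a recurring scanner account stands out from a one-off mistyped password. The field layout is inferred from the two alerts quoted in the thread (which carry a node and, at most, a user name, but no source address); the third sample event and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of the MatchedEvent lines quoted in the thread (an assumption
# inferred from those two samples, not a documented Cisco format):
# <Mon> <day> <time> <node> <facility> <severity> sshd[<pid>]: <module>(sshd:auth): <msg> AppID : ...
EVENT_RE = re.compile(
    r"MatchedEvent : (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<node>\S+) "
    r"(?P<facility>\S+) (?P<sev>\d) sshd\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(sshd:auth\): (?P<msg>.*?) AppID :"
)
USER_RE = re.compile(r"error retrieving information about user (\S+)")
# Standard syslog severity numbers; 2 and 1 match the "Critical" and "Alert" labels above.
SYSLOG_SEVERITY = {"0": "emergency", "1": "alert", "2": "critical", "3": "error"}

def parse_alerts(text):
    """Return one dict per sshd PAM MatchedEvent found in RTMT alert text."""
    flat = " ".join(text.split())  # undo e-mail line wrapping and double spaces
    events = []
    for m in EVENT_RE.finditer(flat):
        ev = m.groupdict()
        ev["severity"] = SYSLOG_SEVERITY.get(ev.pop("sev"), "other")
        user = USER_RE.search(ev["msg"])
        # pam_unix "user unknown" lines do not record the name that was tried
        ev["user"] = user.group(1) if user else None
        events.append(ev)
    return events

def summarize(events):
    """Count events per (node, PAM module, user) to show what keeps failing and where."""
    return Counter((e["node"], e["module"], e["user"]) for e in events)

# The first two alerts are the ones quoted in the thread; the third is constructed.
SAMPLE = """\
MatchedEvent : Jan  2 07:22:47 CUC02 authpriv 2 sshd[29949]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :
MatchedEvent : Jul 29 15:21:50 cucm-pub-tri-qro-bansefi-0001 authpriv 1
sshd[1651]: pam_unix(sshd:auth): check pass; user unknown AppID : Cisco
Syslog Agent ClusterID :
MatchedEvent : Jan  4 07:22:51 CUC02 authpriv 2 sshd[30112]: pam_succeed_if(sshd:auth): error retrieving information about user mlm AppID : Cisco Syslog Agent ClusterID :
"""

if __name__ == "__main__":
    for key, count in summarize(parse_alerts(SAMPLE)).most_common():
        print(count, *key)
```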
