SSH Authentication Failure alert rule

Overridable Parameters

| Parameter Name | Default Value | Description |
| --- | --- | --- |
| Host | $Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$ | Host where log file resides. |
| LogFile | /var/log/secure | Path to log file. |
| RegExpFilter | .*sshd.*Failed.*password.*for.*root | Regular expression to use for filtering log file records. |
| IndividualAlerts | false | The default behavior of this data source module is to search the UNIX/Linux log file for lines matching a rule, and present all matches as a single alert. If the ‘Individual Alert’ property is set to ‘true’, then the module will generate an individual alert for each line in the log file that matches the rule. |
| Priority | 1 | |
| Severity | 2 | |

Run As Profiles

Name
Default

Alert Details

| Message | Priority | Severity |
| --- | --- | --- |
| SSH Authentication Failure detected | Medium | Critical |

Rule Knowledgebase

Summary

An SSH authentication failure for the root account has been detected in the system log files.

Causes

A failure may be caused by a mistyped password or an attempt to use an invalid username. However, a persistent failure could be an indication that someone is attempting to gain unauthorized access.

Resolutions

The description of the alert and/or the output data item contains information on the problem encountered. If a failure occurs, please check the associated event details and any other events that happened around the time of this failure to diagnose the problem.
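The following is an added example, not part of the management pack: it applies the rule's default RegExpFilter to constructed /var/log/secure lines, models the IndividualAlerts setting as the parameter description states it, and groups the matched failures by source address so that a single mistyped password can be told apart from a persistent attempt. Python's `re` module stands in for the management pack's own matching, and the `DETAIL` pattern, the `threshold` value and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# The rule's default RegExpFilter, copied from the parameter table.
RULE_FILTER = re.compile(r".*sshd.*Failed.*password.*for.*root")
# Hypothetical helper pattern (not part of the management pack) that extracts
# the account and source address from an OpenSSH "Failed password" line.
DETAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample lines in /var/log/secure format (documentation addresses).
SAMPLE_LOG = """\
Mar  3 02:14:01 rhel5 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:04 rhel5 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:09 rhel5 sshd[4105]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  3 08:30:12 rhel5 sshd[5220]: Failed password for root from 192.0.2.15 port 51822 ssh2
Mar  3 08:30:20 rhel5 sshd[5220]: Accepted password for root from 192.0.2.15 port 51822 ssh2
Mar  3 09:02:44 rhel5 sshd[5391]: Failed password for invalid user rootkit from 198.51.100.9 port 33410 ssh2
Mar  3 09:05:10 rhel5 sshd[5402]: Failed password for alice from 192.0.2.15 port 51900 ssh2
"""

def matching_lines(log_text):
    """Return the log lines that the default filter selects."""
    return [line for line in log_text.splitlines() if RULE_FILTER.match(line)]

def alerts(log_text, individual_alerts=False):
    """Model IndividualAlerts: one alert holding all matches, or one per line."""
    hits = matching_lines(log_text)
    if not hits:
        return []
    return [[h] for h in hits] if individual_alerts else [hits]

def triage(log_text, threshold=3):
    """Count matched root failures per source; flag sources at or above threshold."""
    per_source = Counter()
    loose = []  # lines the filter matched although the account is not exactly "root"
    for line in matching_lines(log_text):
        m = DETAIL.search(line)
        if m is None:
            continue
        if m.group("user") == "root":
            per_source[m.group("src")] += 1
        else:
            loose.append(line)
    persistent = sorted(src for src, n in per_source.items() if n >= threshold)
    return per_source, persistent, loose

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Because the filter ends in `.*root` with no boundary after it, the constructed `rootkit` line is selected as well; `triage` returns such lines separately so they are not counted as root failures.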

External References
This rule does not contain any external references.

See Also for System Center Operations Manager 2007 R2 Cross Platform - RHEL Management Pack

