Friday, March 21, 2014

Account login recording on Linux and Windows systems with Zenoss

Recording SSH login successes and failures
For Linux servers
Settings to be done on the Linux side
Edit /etc/syslog.conf (on rsyslog-based distributions the file is /etc/rsyslog.conf) and add the following line, replacing the target with the IP or hostname of the Zenoss server:
authpriv.*   @<zenoss server ip or hostname>
The single @ forwards the authpriv facility over UDP to port 514, which is where the Zenoss syslog collector (zensyslog) listens by default, so make sure UDP 514 from the server to Zenoss is not blocked by a firewall. Restart the syslog daemon afterwards.
On the Zenoss side make sure of these things:
1. The device's IP and hostname in Zenoss must match what the server writes in the syslog header, so that the syslog events are attached to the correct device.
2. You can set the severity of the sshd event component to Critical so the existing alerting rules will fire, OR
3. You can create a new alert only for sshd events; see the screenshot below.




This alert fires on the messages below; we can also restrict it to only some of them. The fields sshd fills in (user, source address, port) are shown here as placeholders:
On authentication success
a. session opened for user <user>
b. Accepted password for root from <source ip> port <port> ssh2
On authentication failure
a. Failed password for illegal user <user> from <source ip> port <port> ssh2 (newer OpenSSH releases say "invalid user" instead of "illegal user")
b. Illegal user <user> from <source ip>
On session logout
session closed for user <user>
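The classification Zenoss performs on the forwarded lines can be checked offline. The script below is an added example written for this post, not code from the post or from Zenoss: it decodes the syslog PRI of each line (facility 10 = authpriv, mirroring the authpriv.* selector), keeps only sshd messages, and maps them to the three categories above with the severities this post recommends (failures Critical so the default alerting fires). The message patterns are the wording OpenSSH emits, including the "invalid user" variant; the host names, addresses and PIDs in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 facility numbers; the authpriv.* selector forwards facility 10 only.
AUTHPRIV = 10

# Header of a BSD-syslog line as it arrives over UDP: <PRI>timestamp host tag[pid]: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The sshd messages listed in the post, in the wording OpenSSH actually emits.
# Order matters: the first pattern that matches wins.
PATTERNS = [
    ("login_success", re.compile(
        r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("login_failure", re.compile(
        r"Failed (?P<method>\w+) for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
        r"from (?P<ip>\S+) port (?P<port>\d+)")),
    ("login_failure", re.compile(r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")),
    ("session_open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_close", re.compile(r"session closed for user (?P<user>\S+)")),
]

# Severity to give each Zenoss event; failures are Critical so the default alerting fires.
SEVERITY = {"login_success": "Info", "login_failure": "Critical",
            "session_open": "Info", "session_close": "Info"}


@dataclass
class SshEvent:
    device: str
    category: str
    severity: str
    user: Optional[str]
    source_ip: Optional[str]
    summary: str


def parse_syslog(line):
    """Split a BSD-syslog line into facility, severity, host, tag and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
            "tag": m.group("tag"), "msg": m.group("msg")}


def classify(line):
    """Return an SshEvent for an sshd authpriv line, or None if it should be ignored."""
    rec = parse_syslog(line)
    if rec is None or rec["facility"] != AUTHPRIV or rec["tag"] != "sshd":
        return None
    for category, pattern in PATTERNS:
        m = pattern.search(rec["msg"])
        if m:
            fields = m.groupdict()
            return SshEvent(rec["host"], category, SEVERITY[category],
                            fields.get("user"), fields.get("ip"), rec["msg"])
    return None


def summarize(lines):
    """Count events per category; lines that do not classify are counted as ignored."""
    counts = {}
    for line in lines:
        ev = classify(line)
        key = ev.category if ev else "ignored"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample input: PRI 86 = authpriv (10 * 8) + info (6); PRI 78 = cron.info.
SAMPLE_LINES = [
    "<86>Mar 21 00:05:11 web01 sshd[2231]: Accepted password for root from 10.0.0.5 port 51022 ssh2",
    "<86>Mar 21 00:05:11 web01 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "<86>Mar 21 00:06:40 web01 sshd[2250]: Failed password for illegal user admin from 198.51.100.7 port 4431 ssh2",
    "<86>Mar 21 00:06:40 web01 sshd[2250]: Illegal user admin from 198.51.100.7",
    "<86>Mar 21 00:07:02 web01 sshd[2231]: pam_unix(sshd:session): session closed for user root",
    "<78>Mar 21 00:07:05 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = classify(line)
        if ev:
            print(f"{ev.severity:8} {ev.category:14} user={ev.user} from={ev.source_ip}")
        else:
            print(f"ignored  {line}")
    print(summarize(SAMPLE_LINES))
```

The cron line is included to show why the facility check matters: it carries the same "session opened for user root" text as the sshd PAM message, and without filtering on authpriv and the sshd tag it would be counted as an SSH login.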

For Windows servers

On all servers where WMI monitoring is enabled we just need to raise zWinEventlogMinSeverity from its default of 2 to 5. The value is compared against the Windows event type (1 = Error, 2 = Warning, 3 = Information, 4 = Audit Success, 5 = Audit Failure) and Zenoss only collects events whose type is at or below the setting, so at the default of 2 the Security log's audit events are never collected. The server's audit policy must also have "Audit logon events" and "Audit account logon events" enabled for success and failure, otherwise there is nothing in the Security log to collect.

Alert creation
For successful logins:
eventClassKey -- Security_552
For failed logins:
eventClassKey -- Security_680

These are the Windows Server 2003 event IDs. 552 is "logon attempt using explicit credentials" (runas, scheduled tasks and services logging on as another account), and 680 is the NTLM account logon event, which is written with an error code when the credentials are rejected. Interactive and network logons are 528 and 540 on success and 529 on a bad user name or password, so add those if you want every login recorded. Windows Server 2008 and later renumber these events (for example 4624/4625 for logon success/failure, 4648 for explicit credentials and 4776 for credential validation).

More details on the security event IDs can be found on TechNet: http://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx

Result looks like this:
Device:
Component: Security
Severity: Info
Time: 2014/03/21 00:05:11.000
Message:
Logon attempt using explicit credentials:
Logged on user:
User Name: $
Domain: WORKGROUP or DOMAINNAME
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name:
Target Domain: System Name
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 5060
Source Network Address:
Source Port: 2211

The "$" suffix on the user name marks a computer account and Logon ID (0x0,0x3E7) is the SYSTEM logon session, so this particular event is a local service using explicit credentials rather than a person logging in; filter on Target User Name and Source Network Address if such events are too noisy.
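The Windows side can be modelled the same way. The script below is an added example written for this post, not Zenoss code: it applies the zWinEventlogMinSeverity rule to the WMI event type, derives the eventClassKey as in the post (Security_<event ID>), and parses the "Key: Value" body of a 552 event into fields an alert can be built from. The event type numbering is that of Win32_NTLogEvent.EventType; the sample body follows the layout shown above with constructed values (WEB01$, svc_backup, 10.0.0.9).

```python
import re

# Win32_NTLogEvent.EventType values as Zenoss sees them over WMI.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Audit Success", 5: "Audit Failure"}

# eventClassKeys used in the post: Security log + Windows Server 2003 event ID.
# (Server 2008 and later renumber these: 552 -> 4648, 680 -> 4776.)
LOGON_EVENTS = {
    "Security_552": "logon_success_explicit_credentials",
    "Security_680": "account_logon_failure",
}

# Body lines look like "Key: Value"; section headers such as "Logged on user:" have no value.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def should_collect(event_type, min_severity=2):
    """zWinEventlogMinSeverity keeps events whose EventType is <= the setting.
    At the default of 2 only Error and Warning pass; audit events need 5."""
    return event_type <= min_severity


def parse_event_body(body):
    """Turn the 'Key: Value' lines of a Security event message into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("val"):
            fields[m.group("key").strip()] = m.group("val")
    return fields


def build_alert(event_code, event_type, body, min_severity=2, log="Security"):
    """Mimic the Zenoss side: filter by min severity, derive eventClassKey, extract fields."""
    key = f"{log}_{event_code}"
    alert = {"collected": should_collect(event_type, min_severity),
             "eventClassKey": key,
             "category": LOGON_EVENTS.get(key, "other"),
             "eventType": EVENT_TYPES.get(event_type, "unknown"),
             "fields": {}}
    if alert["collected"]:
        alert["fields"] = parse_event_body(body)
    return alert


# Constructed sample body following the 552 layout shown above (values invented).
SAMPLE_552_BODY = """Logon attempt using explicit credentials:
Logged on user:
 User Name: WEB01$
 Domain: WORKGROUP
 Logon ID: (0x0,0x3E7)
 Logon GUID: -
User whose credentials were used:
 Target User Name: svc_backup
 Target Domain: WEB01
 Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 5060
Source Network Address: 10.0.0.9
Source Port: 2211
"""

if __name__ == "__main__":
    # An Audit Success (type 4) event is dropped at the default setting and kept at 5.
    for sev in (2, 5):
        a = build_alert(552, 4, SAMPLE_552_BODY, min_severity=sev)
        print(sev, a["collected"], a["category"], a["fields"].get("Target User Name"))
```

Running it shows the same 552 event being discarded with zWinEventlogMinSeverity at 2 and accepted at 5, which is the whole reason the setting has to be raised before the Security_552 and Security_680 alerts can ever match.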
