Reguła alertu o niepowodzeniu usługi SSH

Microsoft.HPUX.11iv3.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert (Rule)

Reguła alertu dotycząca wiadomości o niepowodzeniu usługi SSH jako katalogu głównego.

Knowledge Base article:

Element properties:

Member Modules:

Source Code:

<Rule ID="Microsoft.HPUX.11iv3.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert" Target="Microsoft.HPUX.11iv3.Computer" Enabled="true" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <!-- [TYPE] HP SSH False -->

    <!-- [INPUT] Nov  9 14:37:21 scxhpi1 sshd[19330]: error: PAM: Authentication failed for root from scxhpr2 -->

    <!-- [INPUT] Nov  9 13:47:22 3E:scxhpr2 sshd[2866]: error: PAM: Authentication failed for root from scxhpr3.scx.com -->

    <!-- [INPUT-MISS] Nov  9 14:46:36 scxhpi1 sshd[19671]: error: PAM: Authentication failed for illegal user jonas from scxhpr2 -->

    <!-- [INPUT-MISS] Nov  9 13:56:41 3E:scxhpr2 sshd[3029]: error: PAM: Authentication failed for illegal user jonas from scxhpr3.scx.com -->

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/adm/syslog/syslog.log</LogFile>

      <RegExpFilter>[[:space:]]sshd\[[[:digit:]]+\]: error: PAM: Authentication failed for root from [^[:space:]]+</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.HPUX.11iv3.LogFile.Syslog.SSHAuth.PAM.Root.Failure.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>