SSH Authentication Failure alert rule

Microsoft.Linux.SLES.12.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert (Rule)

Alert rule for detection of SSH Authentication failures.

Knowledge Base article:


An SSH authentication failure for the root account has been detected in the system log files.


A failure may be caused by a mistyped password or an attempt to use an invalid username. However, a persistent failure could be an indication that someone is attempting to gain unauthorized access.


The description of the alert and/or the output data item contains information on the problem encountered. If a failure occurs, check the associated event details and any other events that happened around the time of this failure to diagnose the problem.

Element properties:

Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
Alert Message
SSH Authentication Failure detected

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Linux.SLES.12.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert" Target="Microsoft.Linux.SLES.12.Computer" Enabled="true" Remotable="true">
<!-- [TYPE] SUSE SSH False -->
<!-- [INPUT] 2014-11-05T18:04:46.417291-05:00 linux-sb1s sshd[14503]: error: PAM: Authentication failure for root from -->
<!-- [INPUT] Oct 7 17:17:09 sles11-cjc sshd[28526]: error: PAM: Authentication failure for illegal user root from -->
<!-- [INPUT-MISS] Oct 8 09:50:11 sles11-cjc sshd[22952]: error: PAM: Authentication failure for illegal user newguy from localhost -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
<RegExpFilter>\s+sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for (illegal user )?root from \S+</RegExpFilter>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">