Authentication delayed

Veritas.EnterpriseVault.12.Server.Authentication_delayed.Rule (Rule)

Knowledge Base article:

Resolutions

Check the Enterprise Vault event log for "Authentication request failed" (Event ID 4224) entries. These events record the authentication failures that caused the AuthServer process to enter the mode of operation in which it delays all authentication requests. The number and text of these entries may help to confirm whether an attempt is being made to gain access to Enterprise Vault archived data. If an attempt is being made, consider stopping Enterprise Vault services until the source of the attack can be identified and resolved. If the assumed attack proves to be a false alarm, restarting the Enterprise Vault Admin Service will reset the AuthServer delay mode.

External

Veritas Event Database

Element properties:

Target: Veritas.EnterpriseVault.12.Server
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

| ID | Module Type | TypeId | RunAs |
| --- | --- | --- | --- |
| DS | DataSource | Veritas.EnterpriseVault.12.EventProvider.DataSourceModuleType | Veritas.EnterpriseVault.MonitoringProfile |
| WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Veritas.EnterpriseVault.MonitoringProfile |
| WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Veritas.EnterpriseVault.MonitoringProfile |

Source Code:

<Rule ID="Veritas.EnterpriseVault.12.Server.Authentication_delayed.Rule" Target="Veritas.EnterpriseVault.12.Server" Enabled="true" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Veritas.EnterpriseVault.12.EventProvider.DataSourceModuleType" RunAs="EV!Veritas.EnterpriseVault.MonitoringProfile">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <EventNumber>4223</EventNumber>
      <LogName>Application</LogName>
      <EventSourceName>Enterprise Vault</EventSourceName>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent" RunAs="EV!Veritas.EnterpriseVault.MonitoringProfile"/>
    <WriteAction ID="WriteToDW" TypeID="MSDL!Microsoft.SystemCenter.DataWarehouse.PublishEventData" RunAs="EV!Veritas.EnterpriseVault.MonitoringProfile"/>
  </WriteActions>
</Rule>