Does anyone have a list of possible authentication failures UTM can generate?

Hi.

I am trying to use Humio to collect logs from my Sophos UTM 9 firewall. This works well except I have a wrinkle when looking at authentication failures. I can easily see authentication failures, as they are logged; however, the reason for the failure (bad password, unknown user, OTP verification failed, etc.) is actually recorded in a separate log entry.

I am trying to write a Humio query to search through the logs and, when it displays an authentication error, to then go and get the actual failure reason so that I can display both together rather than having to manually look for it.

The easiest way for me to do this is to simply look for a message with an authentication failure reason which happened within 5 seconds of the original error. To do this I need a list of all possible failure reasons. Does anyone have such a list? I did look on Google but couldn't find anything.

Thanks in advance.

Daniel.

  • There really are not many ways to do a login incorrectly: wrong username/password or wrong OTP.

    I have parsed the log files, and concluded that the rows with id="3004" name="Authentication successful" or id="3005" name="Authentication failed" are all that matter. They give you the IP, username, and timestamp. For successes, it gives you the type of authentication service that issued the approval.

  • Hi.

    Thank you, I'll take another look.

  • My actual logic works like this:

    • Every line has a standard header, so I separate the header section from the message body.
    • If the message body does not begin with "id=", then I append the message body to the previous line.
    • I parse all expected keyword="value" tokens into database fields where fieldname=keyword and field contents = value.
    • Any unparsed text is thrown into a database field labelled "Comments".

    With this arrangement, I am able to pick up the occurrences of "[WARN-070] Too many failed logins", which appear on a continuation line.

    But...

    you wanted to pick up the id="3006" name="OTP verification did not succeed, failing authentication." entries, and they don't fit my model.  They contain an "id=" clause, so they get their own database record.  Also, they come before the 3005 entry which contains the username.

    Solution:

    Give each row in the file a sequential number, then you can match using sequence numbers.

    • First, find the OTP errors based on text match.
    • Then the immediately preceding sequence number should be the "3006-Trying" message. This identifies the server.
    • Then the immediately following sequence number should be the id="3005" entry (to get the username and source IP).

    Even in the context with multiple servers, I think the 3005 entry will always be the next sequence number, because after an explicit fail, it does not try any additional servers.
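As an added example, not code from this thread or from Sophos, here is a Python sketch of both approaches discussed: the header/continuation/keyword parser and the sequence-number matching from the reply above, and the 5-second window matching Daniel asked about in the question. The log lines are constructed for the illustration, not a real capture. The header shape (timestamp, host, process: body), the field names srcip, user and caller, and the assumption that the "Trying" message also carries id="3006" are all assumptions made here, not facts taken from the thread.

```python
import re
from datetime import datetime

# Constructed sample lines (not a real capture), imitating the layout the thread
# describes: a standard header, then key="value" tokens, plus one continuation
# line whose body does not start with id=. Field names such as srcip and user
# are assumptions for illustration.
SAMPLE_LOG = """\
2019:05:14-09:12:01 utm aua[4711]: id="3006" severity="info" sys="System" sub="auth" name="Trying (local) authentication"
2019:05:14-09:12:01 utm aua[4711]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2019:05:14-09:12:01 utm aua[4711]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.23" user="daniel" caller="webadmin"
2019:05:14-09:12:30 utm aua[4711]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.23" user="daniel" caller="webadmin"
2019:05:14-09:12:30 utm aua[4711]: [WARN-070] Too many failed logins
2019:05:14-09:13:02 utm aua[4711]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="10.0.0.23" user="daniel" caller="webadmin"
"""

# Assumed header shape: "YYYY:MM:DD-HH:MM:SS host process[pid]: body"
HEADER_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$')
TOKEN_RE = re.compile(r'(\w+)="([^"]*)"')
OTP_FAIL_TEXT = "OTP verification did not succeed"


def parse_log(text):
    """Header/body split, sequence numbers, key="value" fields, leftover text as
    comments. A body not starting with id= continues the previous record."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # does not fit the header model; skip rather than guess
        ts, host, proc, body = m.groups()
        if not body.startswith("id=") and records:
            records[-1]["comments"] = (records[-1]["comments"] + " " + body).strip()
            continue
        records.append({
            "seq": len(records),
            "ts": datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"),
            "host": host, "proc": proc,
            "fields": dict(TOKEN_RE.findall(body)),
            "comments": TOKEN_RE.sub("", body).strip(),
        })
    return records


def correlate_otp_failures(records):
    """Sequence matching from the reply: the OTP failure (id 3006) sits between
    the 'Trying ...' message (server) and the id 3005 record (user, source IP)."""
    hits = []
    for rec in records:
        f = rec["fields"]
        if f.get("id") != "3006" or OTP_FAIL_TEXT not in f.get("name", ""):
            continue
        seq = rec["seq"]
        after = records[seq + 1] if seq + 1 < len(records) else None
        if after is None or after["fields"].get("id") != "3005":
            continue  # assumed ordering does not hold; do not guess a user
        before = records[seq - 1]["fields"] if seq > 0 else {}
        server = (before.get("name") if before.get("id") == "3006"
                  and before.get("name", "").startswith("Trying") else None)
        hits.append({"ts": after["ts"], "user": after["fields"].get("user"),
                     "srcip": after["fields"].get("srcip"),
                     "server": server, "reason": f["name"]})
    return hits


def failures_with_reasons(records, window_seconds=5):
    """Time-window matching from the question: for each id 3005 failure, gather
    reason text (OTP failure names, continuation comments such as [WARN-070])
    logged within +/- window_seconds of it."""
    out = []
    for rec in records:
        if rec["fields"].get("id") != "3005":
            continue
        reasons = [rec["comments"]] if rec["comments"] else []
        for other in records:
            if other is rec or abs((other["ts"] - rec["ts"]).total_seconds()) > window_seconds:
                continue
            name = other["fields"].get("name", "")
            if other["fields"].get("id") == "3006" and OTP_FAIL_TEXT in name:
                reasons.append(name)
            if other["comments"]:
                reasons.append(other["comments"])
        out.append({"ts": rec["ts"], "user": rec["fields"].get("user"),
                    "srcip": rec["fields"].get("srcip"), "reasons": reasons})
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in correlate_otp_failures(recs):
        print("OTP failure:", hit)
    for failure in failures_with_reasons(recs):
        print("failure:", failure)
```

Run it as a script to print both correlations over the sample. One caveat worth keeping in mind: the time-window approach counts any reason text within 5 seconds, so on a busy firewall it can attach another login's reason to the wrong id="3005" entry, which is why the sequence-number version above refuses to report anything when the record after the OTP failure is not an id="3005" entry.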