This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Does anyone have a list of possible authentication failures UTM can generate?

Hi.

I am trying to use Humio to collect logs from my Sophos UTM 9 firewall. This works well except I have a wrinkle when looking at authentication failures. I can easily see authentication failures, as they are logged, however the reason for the failure (bad password, unknown user, OTP verification failed etc) is actually recorded in a separate log entry.

I am trying to write a Humio query to search through the logs and, when it displays an authentication error, to then go and get the actual failure reason so that I can display both together rather than having to manually look for it.

The easiest way for me to do this is to simply look for a message with an authentication failure reason which happened within 5 seconds of the original error. To do this I need a list of all possible failure reasons. does anyone have such a list? I did look in Google but couldn't find anything.

Thanks in advance.

Daniel.

This thread was automatically locked due to age.

Parents

0 DouglasFoster over 6 years ago

There really are not many ways to do a login incorrectly: wrong username/password or wrong OTP.

I have parsed the log files, and concluded that the rows with id="3004 name="Authentication successful" or id="3005" name="Authentication failed" are all that matter. They gives you the IP, username, and timestamp. For successes, it gives you the type of authentication service that issued the approval.
Cancel
Vote Up 0 Vote Down

Cancel
0 Daniel James1 over 6 years ago in reply to DouglasFoster

Hi.

Thank you, I'll take another look.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Daniel James1 over 6 years ago in reply to DouglasFoster

Hi.

Thank you, I'll take another look.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 DouglasFoster over 6 years ago in reply to Daniel James1
My actual logic works like this:

Every line has a standard header, so I separate the header section from the message body.

If the message body does not begin with "id=", then I append the message body to the previous line.

I parse all expected keyword="value" tokens into database fields where fieldname=keyword and field contents = value.

Any unparsed text is thrown into a database field labelled "Comments".

With this arrangement, I am able to pick up the occurrences of "[WARN-070] Too many failed logins", which appear on a continuation line.

But...

you wanted to pick up the id="3006" name="OTP verification did not succeed, failing authentication." entries, and they don't fit my model. They contain an "id=" clause, so they get their own database record. Also, they come before the 3005 entry which contains the username.

Solution:

Give each row in the file a sequential number, then you can match using sequence numbers.

First, find the OTP errors based on text match.

Then the immediately preceding sequence number should be the "3006-Trying" message. This identifies the server.

Then the immediately following sequence number should be the id="3005" entry (to get the username and source IP).

Even in the context with multiple servers, I think the 3005 entry will always be the next sequence number, because after an explicit fail, it does not try any additional servers.
Cancel
Vote Up 0 Vote Down

Cancel