https://community.sophos.com/utm-firewall/f/general-discussion/105576/does-anyone-have-a-list-of-possible-authentication-failures-utm-can-generateHi. I am trying to use Humio to collect logs from my Sophos UTM 9 firewall. This works well except I have a wrinkle when looking at authentication failures. I can easily see authentication failures, as they are logged, however the reason for the failureen-USTelligent Community 12https://community.sophos.com/thread/385271?ContentTypeID=1Wed, 03 Oct 2018 15:26:12 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:9f079c1b-04e1-4ecf-839e-b5ed5c222106DouglasFoster<p>My actual logic works like this:</p> <ul> <li>Every line has a standard header, so I separate the header section from the message body.</li> <li>If the message body does not begin with &quot;id=&quot;, then I append the message body to the previous line.</li> <li>I parse all expected keyword=&quot;value&quot; tokens into database fields where fieldname=keyword and field contents = value.</li> <li>Any unparsed text is thrown into a database field labelled &quot;Comments&quot;.</li> </ul> <p>With this arrangement, I am able to pick up the occurrences of &quot;[WARN-070] Too many failed logins&quot;, which appear on a continuation line.</p> <p>But...</p> <p>you wanted to pick up the id=&quot;3006&quot;&nbsp;name=&quot;OTP verification did not succeed, failing authentication.&quot; entries, and they don&#39;t fit my model.&nbsp; They contain an &quot;id=&quot; clause, so they get their own database record.&nbsp; Also, they come before the 3005 entry which contains the username.</p> <p>Solution:&nbsp;</p> <p>Give each row in the file a sequential number, then you can match using sequence numbers.</p> <ul> <li>First, find the OTP errors based on text match.&nbsp;</li> <li>Then the immediately preceding sequence number should be the &quot;3006-Trying&quot; message.&nbsp; This identifies the server.&nbsp;</li> <li>Then the immediately following sequence number should be the id=&quot;3005&quot; entry (to get the username and source IP).&nbsp;</li> </ul> <p>Even in the context with multiple servers, I think the 3005 entry will always be the next sequence number, because after an explicit fail, it does not try any additional servers.</p><div style="clear:both;"></div>https://community.sophos.com/thread/385210?ContentTypeID=1Wed, 03 Oct 2018 02:29:27 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:369bd9b5-a4f0-4b08-993f-3bfe84c574f2Daniel James1<p>Hi.</p> <p>&nbsp;</p> <p>Thank you, I&#39;ll take another look.</p><div style="clear:both;"></div>https://community.sophos.com/thread/385201?ContentTypeID=1Tue, 02 Oct 2018 20:46:31 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:02e64979-76ff-403f-ab95-53122b3876f8DouglasFoster<p>There really are not many ways to do a login incorrectly:&nbsp; wrong username/password or wrong OTP.</p> <p>I have parsed the log files, and concluded that the rows with id=&quot;3004 name=&quot;Authentication successful&quot; or id=&quot;3005&quot; name=&quot;Authentication failed&quot; are all that matter.&nbsp; They gives you the IP, username, and timestamp.&nbsp; &nbsp;For successes, it gives you the type of authentication service that issued the approval.</p><div style="clear:both;"></div>