Viewing ProxySG administrative login attempts.

Article ID: 167134

Products

ProxySG Software - SGOS

Issue/Introduction

You want to view administrative login attempts to the ProxySG.
You want to determine who has been logging onto the ProxySG console successfully/unsuccessfully via the management console, SSH, or serial console.

Resolution

To determine the username and/or IP address (when applicable) of administrative login attempts, view the ProxySG event log: go to https://<proxy.ip.address>:8082/eventlog/statistics and click "View" to display the entire event log.

For successful login attempts to the management console (web GUI), search for events with the following message:
"Read/write mode entered from <IP address> for user '<username>'"

For failed login attempts to the management console (web GUI), search for events with the following message:
"Console user password authentication from <IP address> failed for user '<username>'"

For successful login attempts to the console via SSH, search for events with the following messages:
"Connection from <IP address> port <source port>"
"Failed none for admin from <IP address> port <source port> <SSH version>"
"Administrator login from <IP address>, user '<username>'"
"Accepted password for <username> from <IP address> port <source port> <SSH version>"

For failed login attempts to the console via SSH, search for events with the following messages:
"Administrator login from <IP address>, user '<username>', denied: Default secure admin mode"
"Failed password for admin from <IP address> port <source port> <SSH version>"

For successful login attempts to enable mode via SSH, search for events with the following message:
"Read/write mode entered from <IP address> for user '<username>'"

For failed login attempts to enable mode via SSH, search for events with the following message:
"Enable password authentication from <IP address> failed for user '<username>'"


For successful login attempts to enable mode via serial console, search for events with the following message:
"Read/write mode entered from serial for user 'unknown user'"

For failed login attempts to enable mode via serial console, search for events with the following message:
"Enable password authentication from serial failed for user 'unknown user'"

Note: In serial console mode the user is displayed as 'unknown user' because there is no console login via serial console. Only enable login is required for entering read/write mode.
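The message patterns above can be turned into a small classifier for an exported copy of the event log. This is an added example, not part of the original article or vendor code; the timestamp prefix and the sample lines are constructed, and the addresses come from documentation ranges. Note that "Failed none for admin" belongs to the successful SSH sequence and is deliberately not counted as a failure.

```python
import re
from collections import Counter

# (outcome, channel, pattern) built from the message texts listed in this article.
# Order matters: the serial patterns must be tried before the generic ones.
# The SSH user is matched generically (\S+) rather than only the literal "admin".
RULES = [
    ("success", "serial-enable", r"Read/write mode entered from serial for user '(?P<user>[^']*)'"),
    ("failure", "serial-enable", r"Enable password authentication from serial failed for user '(?P<user>[^']*)'"),
    ("success", "read-write", r"Read/write mode entered from (?P<ip>\S+) for user '(?P<user>[^']*)'"),
    ("failure", "web-console", r"Console user password authentication from (?P<ip>\S+) failed for user '(?P<user>[^']*)'"),
    ("failure", "ssh-enable", r"Enable password authentication from (?P<ip>\S+) failed for user '(?P<user>[^']*)'"),
    ("failure", "ssh-login", r"Administrator login from (?P<ip>[^\s,]+), user '(?P<user>[^']*)', denied"),
    ("failure", "ssh-login", r"Failed password for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    ("success", "ssh-login", r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
]

# Constructed sample lines; the timestamp prefix is an assumption about the export format.
SAMPLE = """\
2024-01-01 10:00:01 "Connection from 192.0.2.10 port 50122"
2024-01-01 10:00:01 "Failed none for admin from 192.0.2.10 port 50122 ssh2"
2024-01-01 10:00:04 "Administrator login from 192.0.2.10, user 'admin'"
2024-01-01 10:00:04 "Accepted password for admin from 192.0.2.10 port 50122 ssh2"
2024-01-01 10:05:09 "Failed password for admin from 198.51.100.7 port 40110 ssh2"
2024-01-01 10:05:12 "Failed password for admin from 198.51.100.7 port 40110 ssh2"
2024-01-01 10:06:30 "Console user password authentication from 198.51.100.7 failed for user 'admin'"
2024-01-01 10:09:00 "Enable password authentication from serial failed for user 'unknown user'"
""".splitlines()

def classify(line):
    """Return outcome/channel/source/user for a login event line, or None for other lines."""
    for outcome, channel, pattern in RULES:
        m = re.search(pattern, line)
        if m:
            g = m.groupdict()
            return {"outcome": outcome, "channel": channel,
                    "source": g.get("ip", "serial"), "user": g["user"]}
    return None

def failed_by_source(lines):
    """Count failed administrative logins per source (IP address or 'serial')."""
    hits = (classify(line) for line in lines)
    return Counter(h["source"] for h in hits if h and h["outcome"] == "failure")

if __name__ == "__main__":
    print(failed_by_source(SAMPLE))
```

Because "Read/write mode entered from <IP address>" is logged for both the management console and SSH enable mode, the classifier reports it under a single `read-write` channel rather than guessing which interface was used.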