monitor SSH Authentication Success with DX UIM
Article ID: 385417
Updated On:
Products
Issue/Introduction
Is it possible to monitor the success of authenticated SSH to a linux box using net_connect?
Is there any other method to monitor SSH Authentication Success with DX UIM?
Environment
- DX UIM 20.4.* / 23.4.*
- net_connect (any version)
- logmon (any version)
Cause
Guidance
Resolution
- net_connect SSH Monitoring: net_connect probe can monitor the SSH service and generate an alarm on if it's up or down, but is not able to monitor SSH login attempts.
- monitoring SSH Authentication success: not possible with net_connect probe. So different approaches need to be explored. Example: monitor the output of a command using logmon: (Eg. sshpass by giving username and password) executed in logmon and monitor the output for succesful authentication.
- Please refer to:
How to use logmon to run a command and generate one alarm that contains all output
Below is a simplified example:1. Engage your linux administrator for specific monitoring needs. In the example below, the following command checks if the ssh session connects with a certain username and password if executed locally at the server:
sshpass -p 'Password' ssh -o StrictHostKeyChecking=no root@hostname "uptime"Example of positive (connected correctly) output:
08:28:17 up 101 days, 17:46, 1 user, load average: 0.21, 0.18, 0.182. Once you have verified that the command returns the correct value for established sshpass with the username and password you can use that command in logmon probe deployed on the same robot.
Create a command profile and use the command:
Create a watcher. In this case we'll select the entire output with the match expression .* for testing:
After the first cycle, the logmon will capture the entire output in an alarm.
Note: This is just a basic example on how to capture the output of sshpass output. It is possible to create comparison thresholds based on variables or on more specific watcher regex matching.
Feedback
