Lifecycle manager admin@local user is getting locked frequently.
VMware Aria Suite Lifecycle 8.x
Here are the steps to find the IP address of the machine that is causing the admin@local account to be locked.
1. Review the /var/log/nginx/access.log
Utilize the following command to filter and display relevant information:
2. SSH to the LCM appliance as root
3. Review the access.log using the following command:
cat /var/log/nginx/access.log | grep -a 'admin@local' | awk '{print $1,$3,$7,$9}' | grep -v ' 20[0-9]' | sort | uniq -c | sort -n
Example results:
1 172.16.239.37 admin@local /lcm/authzn/api/vidmcluserhealth 401
1 172.16.239.37 admin@local /lcm/locker/api/v2/certificates/import 400
1 172.16.239.56 admin@local /lcm/lcops/api/settings/systemsettings 502
2 172.16.239.37 admin@local /lcm/locker/api/v2/passwords 409
2 172.16.84.22 admin@local /lcm/bootstrap/api/status 502
4 172.16.84.22 vcfadmin@local /lcm/authzn/api/login 401
18 172.16.84.23 admin@local /lcm/authzn/api/login 401
38 172.16.84.22 admin@local /lcm/authzn/api/login 401
38347 172.16.239.56 admin@local /lcm/lcops/api/settings/systemsettings 401
The command does the following:
Search for lines containing admin@local.
Extract the IP address ($1), user name ($3), endpoint ($7), and response code ($9).
Exclude successful login attempts (status code 20[0-9]).
Sort the results by IP address, count identical lines, and then sort by count of occurrences (highest count last).
Analyzing Suspicious IP Addresses:
Identify IP addresses with a high number of failed login attempts, particularly those targeting the /lcm/authzn/api/login endpoint.
4. Find the device that is using the suspicious IP address.
5. Review applications on the machine found in point 4 and update the admin@local credentials.
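Added example (not part of the original article or of VMware tooling): the command in step 3 matches any line containing the string admin@local, so vcfadmin@local is counted too, and it drops any line containing ' 20[0-9]' anywhere. The function below compares the user and status fields exactly and reports, per source IP, the total number of 401 responses and how many of them hit /lcm/authzn/api/login. It assumes the field positions used by the awk command in step 3; the names failed_auth_by_ip, sample_log and demo and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count 401 responses per source IP for one exact user name.
# Assumption: field layout matches the article's awk command:
#   $1 = client IP, $3 = user, $7 = request path, $9 = status code.

# Usage: failed_auth_by_ip LOGFILE [USER]
# Prints "total_401 login_401 ip", highest total first.
failed_auth_by_ip() {
    awk -v user="${2:-admin@local}" '
        # Exact field comparison: vcfadmin@local does not match admin@local,
        # and only the status field is tested for 401.
        $3 == user && $9 == "401" {
            total[$1]++
            if ($7 == "/lcm/authzn/api/login") login[$1]++
        }
        END {
            for (ip in total) print total[ip], login[ip] + 0, ip
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# Constructed sample log lines (not taken from a real appliance).
sample_log() {
    cat <<'EOF'
172.16.84.22 - admin@local [10/Jan/2025:10:00:01 +0000] "POST /lcm/authzn/api/login HTTP/1.1" 401 120 "-" "curl/8.0"
172.16.84.22 - admin@local [10/Jan/2025:10:00:02 +0000] "POST /lcm/authzn/api/login HTTP/1.1" 401 120 "-" "curl/8.0"
172.16.84.22 - vcfadmin@local [10/Jan/2025:10:00:03 +0000] "POST /lcm/authzn/api/login HTTP/1.1" 401 120 "-" "curl/8.0"
172.16.239.56 - admin@local [10/Jan/2025:10:00:04 +0000] "GET /lcm/lcops/api/settings/systemsettings HTTP/1.1" 401 98 "-" "Java/11"
172.16.239.56 - admin@local [10/Jan/2025:10:00:05 +0000] "GET /lcm/lcops/api/settings/systemsettings HTTP/1.1" 401 98 "-" "Java/11"
172.16.239.56 - admin@local [10/Jan/2025:10:00:06 +0000] "GET /lcm/lcops/api/settings/systemsettings HTTP/1.1" 401 98 "-" "Java/11"
172.16.84.23 - admin@local [10/Jan/2025:10:00:07 +0000] "POST /lcm/authzn/api/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.239.37 - admin@local [10/Jan/2025:10:00:08 +0000] "POST /lcm/locker/api/v2/passwords HTTP/1.1" 409 64 "-" "curl/8.0"
EOF
}

# Run the function over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_log > "$tmp"
    failed_auth_by_ip "$tmp"
    rm -f "$tmp"
}

demo
```

On the appliance, run failed_auth_by_ip /var/log/nginx/access.log; an IP with a large first column and 0 in the second is typically a service or script reusing a stale password against the API rather than someone typing at the login page.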