Aria Operations for Logs #6 ESXi SSH Failed Logins
In this article, I will explain how to create alarms and dashboards of failed login attempts over SSH with the logs we obtain from ESXi hosts. In my previous article, I talked about the alarms of failed login attempts to the ESXi web interface. If you want to review this article, you can find it below.
Root Account
In this section, I will explain how to list incorrect login attempts with the root account. Since login attempts over SSH with a different user other than root have a different event type, we need to distinguish them. You can find the filters related to the Root account below.
Explore Logs – Query filtering
Firstly, in the Explore Logs menu, we will choose the appname value as sshd and text value as pam_unix(sshd:auth): authentication failure; metinlerini içeren log kayıtlarını filtreliyoruz. Ayrıca vCenter a ait sshd root login tiplerini karışıklığa sebep olmaması adına does not contain seçeneği ile exclude ediyoruz.
Alert Definitions – Creating Alert from Query
Now let's create an alarm definition for this filter. For this, we press the red alarm button and switch to alarm definition with Create Alert from Query...
In this section, we fill in the alarm name and description information. Then we select this alarm as Real Time in Trigger Condition. In the current situation, we will receive notification via e-mail and Slack Webhook when the number of events is more than 1.
ESXi SSH Access – Failed Login Count
Now, using the same filters that we have defined alarm above, we transfer the total failed entries to a dashboard with the Add query to Dashboard button. Thus, we get an image containing the total number of events as below.
ESXi SSH Access – Failed Logins by Root
Here, we select the events we obtained with the same filters as non-time series this time and filter them according to hostname with Group By. In this way, we will group failed login attempts to ESXi hosts over SSH according to hostname and transfer them to the dashboard. In this way, you can get a view like the following on your dashboard.
Other User Accounts
In this section, we will filter other user accounts with failed login attempts other than the root account. Then we will prepare dashboards for this alarm condition.
Explore Logs – Query filtering
Firstly, in the Explore Logs menu, we will choose the appname value as sshd and text value as error: PAM: Authentication failure for illegal user metinlerini içeren log kayıtlarını filtreliyoruz. Ayrıca vCenter a ait sshd root login tiplerini karışıklığa sebep olmaması adına does not contain seçeneği ile exclude ediyoruz.
In this way we can view log records with failed audits via ESXi a SSH as follows.
Alert Definitions – Creating Alert from Query
Now let's create an alarm definition for this filter. For this, we press the red alarm button and switch to alarm definition with Create Alert from Query...
In this section, we fill in the alarm name and description information. Then we select this alarm as Real Time in Trigger Condition. In the current situation, we will receive notification via e-mail and Slack Webhook when the number of events is more than 1.
ESXi SSH Access – Failed Login Count
Now, using the same filters that we have defined alarm above, we transfer the total failed entries to a dashboard with the Add query to Dashboard button. Thus, we get an image containing the total number of events as below.
ESXi SSH Access – Failed Logins by Hostname
As we did in the previous topic, we select these events as non-time series this time with the same filters and filter them according to hostname with Group By. In this way, we transfer the incorrect login attempts to ESXi hosts over SSH to the dashboard after grouping them by hostname. In this way, you can get a view like below on your dashboard.
In the continuation of this series, you can reach the next article below, where we create alarms and dashboards of log records with failed login attempts to ESXi hosts via DCUI (Direct Console User Interface).