Netsight alert for successful login

  • Question
  • Updated 2 years ago
  • Answered

Hello,

We currently have a netsight alarm for invalid login attempts to our XOS devices

Selected Trap "ExtremeNetworks extremeInvalidLoginAttempt .1.3.6.1.4.1.1916.0.9 Notice"

This works great. Is there a way to send an alert for a successful login?

Thank you


Sarah Seidl

Posted 2 years ago


Taykin Izzet, Employee

Sarah, I do not see a specific trap other than the one mentioned (extremeInvalidLoginAttempt). You may be able to base the alarm on a specific syslog message. This would be created using the following steps:

1.  Click Tools > Alarm/Event > Alarm Manager...
2.  To create a new alarm click New Alarm Button.
3.  Provide a name and click OK button.
4.  Click By Custom Criteria radio button.
5.  Click Edit Criteria button.
6.  Place a check in Match on Log Manager.
7.  Click Match Selected.
8.  Place a check in Syslog.
9.  Place a check in Match on Information Text.
10.  Click on Edit List... button.
11.  Add in text phrase to search for.
12.  Click on Add to List button.
13.  Click on appropriate radio button for Contains or Does not Contain.
14.  Click the OK button.
15.  Click the OK button.
Sarah Seidl

Thank you. How does the syslog from step 8 fit into this? We don't have netsight currently set up as a syslog server. Would we need to do that in order to get this to work? For the information text I put in "login passed for user XXXX through ssh". I also put the syslog check information in as well, but I am not getting alerts. Is it because perhaps we don't have the syslog piece set up?


Ronald Dvorak, Embassador

To set up syslog on the XOS, below is an example. In my case I've used VR-mgmt (mgmt port) as the source; if you use VR-default you must change those commands.

To enable it, use the command #enable syslog



That generates the following syslog message in EMC which you could use to trigger the alarm...

"02/15/2017  22:15:21 AAA[2241]: Login passed for user admin through telnet (172.25.25.202)"
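
The successful-login message quoted above can also be checked outside NetSight. The following is an added example, not part of the original thread or of any Extreme tooling: it parses lines in that format and marks logins that use a cleartext method or come from outside a management subnet. The subnet, the severity labels and every sample line except the quoted one are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Format taken from the message quoted in the thread:
# MM/DD/YYYY  HH:MM:SS AAA[pid]: Login passed for user <user> through <method> (<ip>)
LOGIN_PASSED = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2})\s+AAA\[\d+\]:\s+"
    r"Login passed for user (?P<user>\S+) through (?P<method>\S+)"
    r"\s+\((?P<src>[^)]+)\)",
    re.IGNORECASE,  # match regardless of the case used in the search phrase
)

# Assumptions for illustration: the management subnet and the cleartext methods.
MGMT_NETS = [ipaddress.ip_network("172.25.25.0/24")]
CLEARTEXT = {"telnet"}

def parse_login(line):
    """Return an alert record for a successful-login line, or None."""
    m = LOGIN_PASSED.search(line)
    if not m:
        return None
    # Collapse the double space between date and time before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%m/%d/%Y %H:%M:%S")
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        src = None  # unparseable source is treated as outside the mgmt subnet
    reasons = []
    if m["method"].lower() in CLEARTEXT:
        reasons.append("cleartext-protocol")
    if src is None or not any(src in net for net in MGMT_NETS):
        reasons.append("source-outside-mgmt")
    return {"time": ts, "user": m["user"], "method": m["method"].lower(),
            "source": m["src"], "reasons": reasons,
            "severity": "high" if reasons else "info"}

def alerts(lines):
    """Alert records for every successful login found in an iterable of lines."""
    return [a for a in map(parse_login, lines) if a]

SAMPLE = [
    # First line is the one quoted in the thread; the rest are constructed.
    "02/15/2017  22:15:21 AAA[2241]: Login passed for user admin through telnet (172.25.25.202)",
    "02/15/2017  22:20:05 AAA[2241]: Login passed for user ops through ssh (203.0.113.7)",
    "02/15/2017  22:21:40 Proc[1000]: constructed unrelated message",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert["severity"], alert["user"], alert["method"], alert["source"], alert["reasons"])
```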