How to find Password Authentication Errors in the log files

I have gwmonitor configured using the xml file and I invariably get a notification on gwiapop3BadPassword after a couple of weeks.

I log in to the GWIA and see that the Password Authentication Errors count in POP3 is huge.

I am sure it is just a couple of users that have wrong passwords and would like to follow up, but I can't find the corresponding info in the log files.

  • Hi,

    Have you set your GWIA logs to verbose?

    Cheers,
  • laurabuckley;2456449 wrote:
    Hi,

    Have you set your GWIA logs to verbose?

    Cheers,


    Yes they are on verbose.
    The question is what do I put in the log file filter that will bring up the records that cause the monitor to report Password authentication issues?

    On my GWIA status screen, I have

    Password Authentication Errors 3025
    When I rolled the log yesterday it was 2993 so there should be 32 lines in the log file referring to this error.

    I have tried to filter on password, error, authent, deny; none of these bring up anything.
  • Hi,

    Okay, so I've tested this and can confirm that even with the log level set to Diagnostic on both the GWIA and POA I'm not seeing errors when entering the incorrect password on POP3 attempts.

    The fact that the number of failed attempts is so high, in my humble opinion, could be indicative of a brute force hack attempt to guess passwords. It could be as simple as a "saved password" that has not been changed when the user in question did indeed change their password.

    What you could do is enable intruder detection on your POP3 service on your GWIA and see who complains.

    Please let us know how it goes.

    Cheers,