
LOGIN_FAILED at XDAS Taxonomy Level3 (Action) Field


Hi,

Several collectors (including Windows and Cisco switch collectors) are
generating parsed event data with XDAS Taxonomy Level3 field set to
LOGIN_FAILED.
But there is no such value in the SDK documentation ('Sentinel
Taxonomy' (http://www.novell.com/developer/sentinel_taxonomy.html)).

I think the correct way to parse LOGIN FAILED event is to set the XDAS
Taxonomy Level3 value to LOGIN and set XDAS Outcome to
XDAS_OUT_FAILURE.
Because the action is not LOGIN_FAILED but the result of the LOGIN
action is FAILURE.

Am I correct, or should I also set the Action field to LOGIN_FAILED for
failed logons?

Thanks.


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: http://forums.novell.com/member.php?userid=63527
View this thread: http://forums.novell.com/showthread.php?t=452730


Re: LOGIN_FAILED at XDAS Taxonomy Level3 (Action) Field


Hi Hakan,

Good question - the answer however depends on whether you're using the
2011.1 SDK (Beta) or not. In the new SDK, we don't use the legacy
taxonomy at all in the taxonomy.map file.

Anyway, I assume your question boils down to this: "When I'm parsing a
failed login event, what should I put in my taxonomy.map file?"

The answer is that you should use "LOGIN FAILED" for the legacy
taxonomy (for 6.1), like this:
(key),SYSTEM,USER,LOGIN FAILED,,XDAS_AE_AUTHENTICATE,XDAS_OUT_FAILURE

Actually it's a bit more subtle than this; in reality it should
probably be:
(key),SYSTEM,USER,LOGIN DENIED,,XDAS_AE_AUTHENTICATE,XDAS_OUT_INVALID_USER_CREDENTIALS
with the "XDASOutcomeName" set to whatever the correct specific reason
was for denying the login.

FAILED implies some sort of system failure, whereas DENIAL indicates
that the rejection was entirely intentional, and the login was denied by
policy.

And although I agree this isn't terribly well documented, the idea is
that for the legacy taxonomy you simply append " FAILED" or " DENIED" to
the Level3 field to match whatever XDAS has (again, only for 6.1).


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=452730
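
The reply's rule for the legacy (6.1) taxonomy is that the Level3 suffix
must agree with the XDAS outcome: " FAILED" for XDAS_OUT_FAILURE, " DENIED"
for a policy denial such as XDAS_OUT_INVALID_USER_CREDENTIALS. The script
below is an added example, not code from the thread or from the Sentinel
SDK: it builds such taxonomy.map rows and lint-checks a constructed file for
rows where the suffix and the outcome disagree. The column meanings (key,
Level1, Level2, Level3, an empty column, XDAS event, XDAS outcome) are
inferred from the two lines quoted above and are an assumption, as is the
XDAS_OUT_SUCCESS value used for the successful-login row.

```python
import csv
import io

# Suffix the legacy taxonomy appends to Level3 for each XDAS outcome, per the
# reply above. Only the two outcomes quoted in the thread are listed; any
# other outcome is reported as unknown rather than guessed.
OUTCOME_TO_LEGACY_SUFFIX = {
    "XDAS_OUT_FAILURE": " FAILED",
    "XDAS_OUT_INVALID_USER_CREDENTIALS": " DENIED",
}

# Assumed column layout of a taxonomy.map row (inferred from the quoted lines).
FIELD_NAMES = ["key", "level1", "level2", "level3", "unused",
               "xdas_event", "xdas_outcome"]

# Constructed sample file. XDAS_OUT_SUCCESS is an assumed value, not one the
# thread quotes, so the checker will flag that row as unknown.
SAMPLE_TAXONOMY_MAP = """\
login_fail_generic,SYSTEM,USER,LOGIN FAILED,,XDAS_AE_AUTHENTICATE,XDAS_OUT_FAILURE
login_bad_password,SYSTEM,USER,LOGIN DENIED,,XDAS_AE_AUTHENTICATE,XDAS_OUT_INVALID_USER_CREDENTIALS
login_ok,SYSTEM,USER,LOGIN,,XDAS_AE_AUTHENTICATE,XDAS_OUT_SUCCESS
login_wrong_suffix,SYSTEM,USER,LOGIN FAILED,,XDAS_AE_AUTHENTICATE,XDAS_OUT_INVALID_USER_CREDENTIALS
login_missing_suffix,SYSTEM,USER,LOGIN,,XDAS_AE_AUTHENTICATE,XDAS_OUT_FAILURE
"""


def legacy_failed_login_row(key, denied_by_policy):
    """Build a legacy-taxonomy row for a failed login, following the reply:
    a policy denial gets 'LOGIN DENIED' + XDAS_OUT_INVALID_USER_CREDENTIALS,
    anything else gets 'LOGIN FAILED' + XDAS_OUT_FAILURE."""
    outcome = ("XDAS_OUT_INVALID_USER_CREDENTIALS" if denied_by_policy
               else "XDAS_OUT_FAILURE")
    level3 = "LOGIN" + OUTCOME_TO_LEGACY_SUFFIX[outcome]
    return ",".join([key, "SYSTEM", "USER", level3, "",
                     "XDAS_AE_AUTHENTICATE", outcome])


def parse_taxonomy_map(text):
    """Parse taxonomy.map text into a list of dicts keyed by FIELD_NAMES.
    Blank lines and '#' comment lines are skipped; a row with the wrong
    number of columns is a hard error, since a shifted column would silently
    map events to the wrong taxonomy."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != len(FIELD_NAMES):
            raise ValueError(
                f"expected {len(FIELD_NAMES)} fields, got {len(fields)}: {fields}")
        rows.append(dict(zip(FIELD_NAMES, fields)))
    return rows


def check_row(row):
    """Return None when the Level3 suffix matches the XDAS outcome, otherwise
    a one-line description of the problem."""
    outcome = row["xdas_outcome"]
    level3 = row["level3"]
    if outcome not in OUTCOME_TO_LEGACY_SUFFIX:
        return (f"{row['key']}: unknown XDAS outcome {outcome!r}; "
                f"add it to OUTCOME_TO_LEGACY_SUFFIX before trusting this row")
    expected = OUTCOME_TO_LEGACY_SUFFIX[outcome]
    if not level3.endswith(expected):
        return (f"{row['key']}: Level3 {level3!r} should end with "
                f"{expected!r} to match {outcome}")
    return None


def check_taxonomy_map(text):
    """Lint a whole taxonomy.map text; returns the list of problem messages."""
    return [msg for msg in (check_row(r) for r in parse_taxonomy_map(text)) if msg]


if __name__ == "__main__":
    print(legacy_failed_login_row("(key)", denied_by_policy=True))
    for problem in check_taxonomy_map(SAMPLE_TAXONOMY_MAP):
        print("PROBLEM:", problem)
```

Running it prints the "LOGIN DENIED" row from the reply and flags three
sample rows: the successful login (outcome not in the mapping), the row that
says FAILED but carries a credentials-denial outcome, and the row that omits
the suffix entirely. Extending OUTCOME_TO_LEGACY_SUFFIX with the remaining
outcomes from the Sentinel Taxonomy document is what turns this into a
pre-deployment check for a real collector's taxonomy.map.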
