This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
candaced
Absent Member.
Absent Member.
‎2017-05-03 16:00
1279 views

How to find Password Authentication Errors in the log files

I have gwmonitor configured using the xml file and I invariably get notification on gwiapop3BadPassword after a couple of weeks.

I login to the gwia and see that the Password Authentication Errors in POP3 is huge.

I am sure it is just a couple of users that have wrong passwords and would like to follow up, but I can't find the corresponding info in the log files.
Labels (1)
Labels
0 Likes
Reply
Report Inappropriate Content
6 Replies
laurabuckley
Micro Focus Expert
Micro Focus Expert
‎2017-05-03 17:00

Hi,

Have you set your GWIA logs to verbose?

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Reply
Report Inappropriate Content
candaced
Absent Member.
Absent Member.
‎2017-05-04 13:51

laurabuckley;2456449 wrote:
Hi,

Have you set your GWIA logs to verbose?

Cheers,


Yes they are on verbose.
The question is what do I put in the log file filter that will bring up the records that cause the monitor to report Password authentication issues?

On my GWIA status screen, I have

Password Authentication Errors 3025
When I rolled the log yesterday it was 2993 so there should be 32 lines in the log file referring to this error.

I have tried to filter on password, error, authent, deny, none of these bring up anything.
0 Likes
Reply
Report Inappropriate Content
laurabuckley
Micro Focus Expert
Micro Focus Expert
‎2017-05-04 14:37

Hi,

Okay, so I've tested this and can confirm that even with the log level set to Diagnostic on both the GWIA and POA I'm not seeing errors when entering the incorrect password on POP3 attempts.

The fact that the number of failed attempts is so high, in my humble opinion, could be indicative of a brute force hack attempt to guess passwords. It could be as simple as a "saved password" that has not been changed when the user in question did indeed change their password.

What you could do is enable intruder detection on your POP3 service on your GWIA and see who complains.

Please let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Reply
Report Inappropriate Content
laurabuckley
Micro Focus Expert
Micro Focus Expert
‎2017-05-05 09:45

Hi,

Just FYI... I'm making some enquiries as to whether or not the failed login attempts should appear in the log files.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Reply
Report Inappropriate Content
candaced
Absent Member.
Absent Member.
‎2017-05-05 18:43

laurabuckley;2456651 wrote:
Hi,

Just FYI... I'm making some enquiries as to whether or not the failed login attempts should appear in the log files.

Cheers,


Thanks, I will wait to hear from you before opening an SR
0 Likes
Reply
Report Inappropriate Content
laurabuckley
Micro Focus Expert
Micro Focus Expert
‎2017-05-05 19:42

Hi,

A defect has been logged for this - Bug 1037728. Micro Focus engineers are now aware of this and can work on resolving it.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.