This could be generated by a few different scenarios. Do you know what appliance the 10.10.0.1 IP belongs to? For example, we've seen these types of issues where the /secure directory contains a number of these events in the logs, which then show up as failed auth messages.
This can occur for several reasons, but you likely want to open a case to confirm this issue:
- For encrypted Data Nodes: An issue can occur where the Data Node tunnel for the encrypted DN either points to itself or the tunnel config doesn't match what is expected in the deployment. If the IP is for a Data Node, you can disable encryption for the Data Node to confirm the error messages go away.
- If you recently changed the root password or upgraded, it might be that the authorized_keys file does not contain the Console's IP address in the from= field or is possibly missing entirely. If the authorized_keys value is incorrect, then you will see repeated login failure messages like this that are unexpected.
As there are multiple workarounds, it would be best for support to confirm the problem. My guess is that it is item #2 and that there is an issue with the key as it is either missing a line or a value is incorrect.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
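As an added illustration of item #2 above (my own example, not code from this thread or from QRadar): a Python check that counts the failed-login audit events per source address and then tests whether that source would be admitted by the from= restrictions of each authorized_keys entry, applying OpenSSH's pattern rules (CIDR, `*`/`?` globs, `!` negation). The audit lines and key entries are constructed samples modelled on the event quoted in the question; the hostname form of from= matching is not implemented.

```python
import ipaddress
import re
from fnmatch import fnmatchcase
# Constructed sample in the format of the audit line quoted in the question.
SAMPLE_EVENTS = """\
Nov 6 07:53:18 127.0.0.1 root@10.10.0.1: (Session) [Authentication] [User] [LoginAttempt] Login failed for root on host qrp08
Nov 6 07:53:48 127.0.0.1 root@10.10.0.1: (Session) [Authentication] [User] [LoginAttempt] Login failed for root on host qrp08
Nov 6 07:55:02 127.0.0.1 admin@10.10.0.9: (Session) [Authentication] [User] [LoginAttempt] Login failed for admin on host qrp08
"""
# Constructed authorized_keys: entry 0 is pinned to one source, entry 1 carries no from= restriction.
SAMPLE_AUTH_KEYS = """\
from="10.10.0.5,!10.10.0.1" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY1 console
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY2 backup
"""
EVENT_RE = re.compile(r"\b(\w+)@(\d{1,3}(?:\.\d{1,3}){3}): .*Login failed for (\w+)")

def failed_logins_by_source(log_text):
    """Count 'Login failed' events per (user, source IP) so the noisy peer stands out."""
    counts = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            key = (m.group(3), m.group(2))
            counts[key] = counts.get(key, 0) + 1
    return counts

def from_patterns(auth_keys_text):
    """from= pattern list of each key entry; None when the entry has no from= restriction."""
    entries = []
    for line in auth_keys_text.splitlines():
        if line.strip() and not line.startswith("#"):
            m = re.search(r'\bfrom="([^"]*)"', line)
            entries.append(m.group(1).split(",") if m else None)
    return entries

def source_allowed(ip, patterns):
    """OpenSSH from= rules for an address: a negated ('!') hit rejects at once, any positive hit admits."""
    if patterns is None:
        return True
    admitted = False
    for pat in patterns:
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:  # CIDR pattern
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(pat, strict=False)
        else:           # glob pattern such as 10.10.*
            hit = fnmatchcase(ip, pat)
        if hit and negate:
            return False
        admitted = admitted or hit
    return admitted

def keys_admitting(ip, auth_keys_text):
    """Indices of entries that would admit a login from ip; an empty list means every key refuses it."""
    return [i for i, p in enumerate(from_patterns(auth_keys_text)) if source_allowed(ip, p)]
```

Run `keys_admitting` with the source address reported in the audit events against the Console's authorized_keys entry: an empty result for the Console's IP is the misconfiguration described in item #2.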
Original Message:
Sent: Mon November 06, 2023 01:57 AM
From: DCS Feeds
Subject: Login Failed for Local QRadar user.
Hello,
We're observing some events related to failed authentication locally on QRadar itself and we're not aware of the source of this event, since we're able to log in to the appliance with root credentials. Any hint?
Nov 6 07:53:18 127.0.0.1 root@10.10.0.1: (Session) [Authentication] [User] [LoginAttempt] Login failed for root on host qrp08
------------------------------
DCS Community Connect
------------------------------