IBM Security QRadar


no "Authentication success" message from Unix (ESXI) log sources

  • 1.  no "Authentication success" message from Unix (ESXI) log sources

    Posted Mon December 10, 2018 10:43 AM
    Hi everyone,

    7.3.1 patch 4

    We were in the midst of deploying some rules to one of our customer environments based on password criteria (brute force, password guessing, etc.) and noticed that from Unix log sources (in this case ESXI servers) there is no traditional "Authentication success" message in the /var/log/auth for, in this case, SSH authentication. The "Authentication failure" message appears, but for success there is just a "session opened".

    sshd_config looks pretty typical. Log level is INFO.

    A login failure followed by success example looks like this:

    Login successful:

    Jul  7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)
    Jul  7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)
    Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
    Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
    

    Is there any way to get a traditional success? Otherwise the best course of action seems to be to create separate rules for these servers because of the different logic that will be required.

    Thanks,
    Nathan

    ------------------------------
    Nathan
    ------------------------------


  • 2.  RE: no "Authentication success" message from Unix (ESXI) log sources

    Posted Wed December 12, 2018 07:59 PM

    Hi Nathan,

    There are a couple of options that can be considered for defining "Authentication success" messages:

    1. Contact a system administrator to verify what requirements need to be met to generate "Authentication success" messages
    2. Create a log source extension (LSX) to change the parsing and/or categorization of the event. The following link outlines steps in creating/using LSX if you're not already familiar with doing so, https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_LogSourceGuide_ExtDocs_about.html
    3. Create a BB or update your authentication rule(s) to define this exception. The following link outlines tuning building blocks, https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_tuning_guide_tuning_building_blocks.html


    Hope this helps and let me know if you have further questions!

    Thank you,
    Sophia



    ------------------------------
    Sophia McCarthy
    QRadar Offering Manager
    IBM Security
    ------------------------------
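As an added example that is not part of either post and is not QRadar's own parser or a real LSX: the classification the thread describes, in which pam_unix "session opened for user ..." lines are treated as an authentication success (since these hosts never emit an explicit "Authentication success" message) and "authentication failure;" lines as a failure. The sample lines are constructed from the ones Nathan quoted; the category labels ("Authentication Success" / "Authentication Failure") and the field names in the returned dict are assumptions chosen to mirror QRadar's event categories, and the regexes are the kind of patterns one would validate here before placing them in an LSX matcher (option 2 above) or a building block (option 3).

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the ones quoted in the question
SAMPLE_LINES = [
    "Jul  7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)",
    "Jul  7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)",
    "Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)",
    "Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4",
]

# Syslog header: "Mon dd HH:MM:SS host prog[(pam_unix)][pid]: message".
# Both the old "su(pam_unix)[pid]:" and the newer "su[pid]: (pam_unix) ..." spellings are accepted.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[\w.-]+)"        # su, sshd, vsftpd, ...
    r"(?:\(pam_unix\))?"        # optional "(pam_unix)" glued to the program name
    r"(?:\[\d+\])?"             # optional [pid]
    r":\s*(?P<msg>.*)$"
)

# The only success indicator these hosts produce; the uid is that of the caller, not the user.
SUCCESS_RE = re.compile(r"session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")
# pam_unix failure message followed by space-separated key=value fields.
FAILURE_RE = re.compile(r"authentication failure;\s*(?P<kv>.*)$")

# Assumed category labels, chosen to mirror QRadar's authentication categories.
CAT_SUCCESS = "Authentication Success"
CAT_FAILURE = "Authentication Failure"
CAT_UNKNOWN = "Unknown"


def _parse_kv(text):
    """Turn 'logname= uid=0 rhost=1.2.3.4' into a dict; empty values become None."""
    out = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            out[key] = value or None
    return out


def classify_line(line):
    """Parse one syslog line; return an event dict, or None if it is not syslog-shaped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "category": CAT_UNKNOWN,
        "user": None,
        "uid": None,
        "rhost": None,
    }
    msg = m.group("msg")
    s = SUCCESS_RE.search(msg)
    if s:
        event["category"] = CAT_SUCCESS
        event["user"] = s.group("user")
        event["uid"] = int(s.group("uid"))
        return event
    f = FAILURE_RE.search(msg)
    if f:
        kv = _parse_kv(f.group("kv"))
        event["category"] = CAT_FAILURE
        event["user"] = kv.get("user")      # absent in the vsftpd sample, present for sshd failures
        event["rhost"] = kv.get("rhost")
        return event
    return event


def classify_lines(lines):
    """Classify every parseable line, dropping ones that do not look like syslog."""
    events = (classify_line(line) for line in lines)
    return [e for e in events if e is not None]


def count_by_category(events):
    """Per-category totals, the kind of count a brute-force building block keys on."""
    return dict(Counter(e["category"] for e in events))


if __name__ == "__main__":
    parsed = classify_lines(SAMPLE_LINES)
    for e in parsed:
        print(f'{e["ts"]} {e["host"]:<10} {e["program"]:<7} {e["category"]:<23} user={e["user"]} rhost={e["rhost"]}')
    print(count_by_category(parsed))
```

Running the script over the four constructed lines yields three successes and one failure. The point of keeping the classification in one place is that the same two regexes, once they are known to match the customer's actual log shapes, can be copied into an LSX matcher or a building block without needing a separate rule set per Unix host type.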