Forum Discussion

snick_201649's avatar
snick_201649
Icon for Nimbostratus rankNimbostratus
Jun 17, 2015

Email alert for failed and successful login

I'm pretty new to working with F5s. I'm trying to configure email alerts for failed and successful log in attempts. We have two 6900s in an Active/Standby cluster running 11.6. I set up the smtp mail...
application delivery
LTM
management
security
TMOS
TMSH
cjunior's avatar
cjunior
Icon for Nacreous rankNacreous
Jun 18, 2015

Hi,

if I'm not wrong, those OIDs are obsolete in LTM v.11.6.

I've made an example of how you could do in case of having no standard way. I've done with two different OIDs, in order to differentiate the access type.

Add the following in /config/user_alert.conf with appropriate values: 
alert BIGIP_CUSTOM_GUI_LOGIN_FAILED "httpd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
    email toaddress="toaddress@mydomain.com"
    fromaddress="fromaddress@mydomain.com"
    body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.300"
}
alert BIGIP_CUSTOM_SSH_LOGIN_FAILED "sshd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
    email toaddress="toaddress@mydomain.com"
    fromaddress="fromaddress@mydomain.com"
    body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.301"
}

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-6-0/11.html?sr=46312739

if your outbound smtp setup was successful, it should work.

Regards.