Email alert for failed and successful login

snick_201649
Nimbostratus

I'm pretty new to working with F5s. I'm trying to configure email alerts for failed and successful login attempts. We have two 6900s in an Active/Standby cluster running 11.6. I set up the SMTP mailhub according to link text. I can then perform the test email function at the bottom of the same link, and I do receive the email. I then use the information from link text to set the alerts in /etc/alertd/alert.conf. Specifically, I set an alert for snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27", snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27", snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27", snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.28" and snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.150". I've done intentional invalid logins at the GUI and over SSH. I've verified that the failed logins are recorded in /var/log/audit. But I don't get an email. I've restarted the alertd service numerous times via the "bigstart restart alertd" command. I've verified numerous times that my email is spelled correctly in /etc/alertd/alert.conf. I'm not sure what else to try or how to further troubleshoot the issue. Any help would be greatly appreciated.


cjunior
Nacreous

Hi,

If I'm not wrong, those OIDs are obsolete in LTM v11.6.

I've made an example of how you could do it if there is no standard way. I've done it with two different OIDs, in order to differentiate the access type.

Add the following to /config/user_alert.conf with appropriate values:

    alert BIGIP_CUSTOM_GUI_LOGIN_FAILED "httpd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
        email toaddress="toaddress@mydomain.com" fromaddress="fromaddress@mydomain.com" body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.300"
    }

    alert BIGIP_CUSTOM_SSH_LOGIN_FAILED "sshd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
        email toaddress="toaddress@mydomain.com" fromaddress="fromaddress@mydomain.com" body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.301"
    }

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implem...

If your outbound SMTP setup was successful, it should work.

Regards.
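An added check for the approach in the reply above, not part of the original post or of F5's own tooling: a small Python script that parses the two user_alert.conf stanzas and runs their regexes over a few constructed log lines, so you can confirm the patterns capture the user, tty, host and attempt count before you restart alertd and wait for mail. The log lines are made up to fit the shape the stanzas expect (they are not captured BIG-IP output), the parser is a minimal reading of the `alert NAME "regex" { ... }` syntax and is an assumption, and alertd's regex engine is assumed to accept the same patterns Python's `re` does. Note that the stanzas only cover failed logins; the successful-login case the question also asks about would need its own stanza with the matching log string, which is not given here, so the third sample line deliberately matches nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two alert stanzas from the reply above, copied verbatim.
USER_ALERT_CONF = r'''
alert BIGIP_CUSTOM_GUI_LOGIN_FAILED "httpd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
    email toaddress="toaddress@mydomain.com" fromaddress="fromaddress@mydomain.com" body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.300"
}
alert BIGIP_CUSTOM_SSH_LOGIN_FAILED "sshd\(pam_audit\): User=(.*) tty=(.*) host=(.*) failed to login after (.*) attempts" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
    email toaddress="toaddress@mydomain.com" fromaddress="fromaddress@mydomain.com" body="This is a custom alert OID .1.3.6.1.4.1.3375.2.4.0.301"
}
'''

# Constructed sample log lines (not real BIG-IP output), shaped to fit the stanzas' regexes.
# The third line is a success message and is expected to match neither stanza.
SAMPLE_LINES = [
    'Mar  3 10:15:02 bigip1 warning httpd(pam_audit): User=admin tty=(unknown) host=192.0.2.10 '
    'failed to login after 1 attempts (start="Tue Mar  3 10:14:58 2015" end="Tue Mar  3 10:15:02 2015")',
    'Mar  3 10:16:40 bigip1 warning sshd(pam_audit): User=root tty=ssh host=192.0.2.11 '
    'failed to login after 3 attempts (start="Tue Mar  3 10:16:02 2015" end="Tue Mar  3 10:16:40 2015")',
    'Mar  3 10:17:00 bigip1 notice sshd(pam_audit): User=admin tty=ssh host=192.0.2.12 login successful',
]


@dataclass
class Alert:
    name: str
    pattern: "re.Pattern"
    oid: Optional[str]
    email_to: Optional[str]


# Assumed minimal grammar: alert NAME "regex" { actions }.  The quoted regex may contain
# backslash escapes such as \( but no unescaped double quote; the body contains no '}'.
STANZA_RE = re.compile(r'alert\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*\{(.*?)\}', re.DOTALL)


def parse_user_alert_conf(text: str) -> List[Alert]:
    """Turn user_alert.conf stanzas into Alert objects with compiled regexes."""
    alerts = []
    for name, pattern, body in STANZA_RE.findall(text):
        oid = re.search(r'snmptrap\s+OID="([^"]+)"', body)
        to = re.search(r'toaddress="([^"]+)"', body)
        alerts.append(Alert(name, re.compile(pattern),
                            oid.group(1) if oid else None,
                            to.group(1) if to else None))
    return alerts


def triggered(line: str, alerts: List[Alert]) -> List[dict]:
    """Return one record per alert whose regex matches the line, with captured fields."""
    hits = []
    for a in alerts:
        m = a.pattern.search(line)
        if not m:
            continue
        fields = m.groups()
        rec = {"alert": a.name, "oid": a.oid, "email_to": a.email_to, "fields": fields}
        # Both stanzas on this page capture (user, tty, host, attempts) in that order.
        if len(fields) == 4:
            rec.update(user=fields[0], tty=fields[1], host=fields[2], attempts=int(fields[3]))
        hits.append(rec)
    return hits


def run(lines: List[str], conf: str = USER_ALERT_CONF) -> List[dict]:
    """Apply every stanza in conf to every line; this is what alertd would act on."""
    alerts = parse_user_alert_conf(conf)
    return [hit for line in lines for hit in triggered(line, alerts)]


if __name__ == "__main__":
    for hit in run(SAMPLE_LINES):
        print(f'{hit["alert"]}: user={hit["user"]} host={hit["host"]} '
              f'attempts={hit["attempts"]} -> trap {hit["oid"]}, mail {hit["email_to"]}')
```

If a line you pulled from /var/log/secure or /var/log/audit on the box does not show up in the output, the regex in the stanza is what needs adjusting; alertd will not send mail for a pattern that never matches, no matter how many times it is restarted.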