Number of AuthenticationFailed events exceeds configured threshold

damonmendoza
Level 1

I'd be very appreciative if someone can point me in the right direction to fix this.  I receive many alerts on this and I'm not certain where the invalid authentication is configured.  The AD/LDAP user specified in the "UserID" field is not disabled in Active Directory.  Nor is this user a local user or admin of any kind.  

Number of AuthenticationFailed events exceeds configured threshold during configured interval of time 1 within 3 minutes on cluster StandAloneCluster.

There are 2 AuthenticationFailed events (up to 30) received during the monitoring interval From Thu Nov 12 01:42:50 CST 2015 to Thu Nov 12 01:45:50 CST 2015:

TimeStamp : 11/12/2015 at 01:43:54
LoginFrom : 192.XXX.XXX.XXX (Expressway IP address)
Interface : cucm-uds
UserID : %LDAP_USER%
AppID : Cisco Tomcat
ClusterID :
NodeID : CiscoSvr1
TimeStamp : Thu Nov 12 01:43:54 CST 2015

TimeStamp : 11/12/2015 at 01:43:53
LoginFrom : 192.XXX.XXX.XXX (Expressway IP address)
Interface : cucm-uds
UserID : %LDAP_USER%
AppID : Cisco Tomcat
ClusterID :
NodeID : CiscoSvr1
TimeStamp : Thu Nov 12 01:43:53 CST 2015

4 Replies

zdesignstudio
Level 4

Is it always the same user?

Please rate useful posts and mark answers as correct if applicable.

Yes - the same user, with 60 alerts within the last week.

A couple of possibilities here.

1. It's a user issue with them logging in. I have a person who fails their login multiple times daily and gets the same alerts.

2. Depending on how the VCS-E is accessible, that user's login name could be compromised and someone is trying to brute-force it.

You can also try to change the alert threshold to something broader to lessen the alerts if it is a generic user issue. Maybe 2 or 3 failed attempts within 3 minutes. Unfortunately, if it is a user issue with them just not being able to log in correctly or remember their PW, it will be hard to fix.

Please rate useful posts and mark answers as correct if applicable.

I believe that we have found the cause - an incorrect password on a mobile device. The AD password was changed on all devices but one. I wasn't aware that Cisco alerts would notify us of that, but lesson learned. If we find otherwise, I'll be sure to update the post. Thank you.
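The two explanations raised in this thread (a device retrying an old password, versus someone guessing the account through the Expressway-facing cucm-uds interface) and the "1 within 3 minutes" rule quoted in the alert can be checked from the alert text itself. The following Python is an added example, not code from the thread or from Cisco: it parses alert bodies in the layout shown above, re-applies the threshold rule, and flags which pattern a user's failures match; the user name and address in the sample are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's alert layout; placeholder user and address.
SAMPLE = """TimeStamp : 11/12/2015 at 01:43:54
LoginFrom : 192.0.2.10 (Expressway IP address)
Interface : cucm-uds
UserID : jdoe

TimeStamp : 11/12/2015 at 01:43:53
LoginFrom : 192.0.2.10 (Expressway IP address)
Interface : cucm-uds
UserID : jdoe
"""

def parse_events(text):
    """One dict per blank-line-separated event, oldest first; TimeStamp becomes
    a datetime and LoginFrom is reduced to the bare address."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+)\s*:\s*(.*)$", block, re.M))
        fields["when"] = datetime.strptime(fields["TimeStamp"], "%m/%d/%Y at %H:%M:%S")
        fields["ip"] = fields["LoginFrom"].split()[0]
        events.append(fields)
    return sorted(events, key=lambda e: e["when"])

def exceeds_threshold(events, threshold=1, window=timedelta(minutes=3)):
    """Sliding window over sorted events: True once more than `threshold`
    failures fall inside `window` (the thread's setting fires on the 2nd failure)."""
    start = 0
    for end, e in enumerate(events):
        while e["when"] - events[start]["when"] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

def triage(events, burst=10, window=timedelta(minutes=3)):
    """Per user: a trickle from one source matches the thread's root cause (a
    device retrying an old password); many sources or a burst in one window
    suggests guessing. LoginFrom is the Expressway, not the end device, so the
    real client only appears in the Expressway's own logs."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["UserID"], []).append(e)
    verdicts = {}
    for user, evs in by_user.items():
        many_sources = len({e["ip"] for e in evs}) > 1
        burst_seen = exceeds_threshold(evs, burst - 1, window)
        verdicts[user] = ("investigate: possible password guessing" if many_sources or burst_seen
                          else "likely stale credential on one device")
    return verdicts
```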