Forum Discussion

Jonathon_Page
Jul 24, 2018

Log all failed password attempts to SIEM/Syslog

Hi,

I've set up an APM policy to use iRule Events to send messages through HSL to log events to my SIEM.

I set up an event on the failure branch of the AD Auth event to log failures, but I've found that if the AD Auth event is set to more than one attempt, it never hits the failed branch and nothing gets logged.

My login page and AD auth are in a macro, so I was hoping to do it recursively, but it doesn't appear that my F5 (13.1) allows that.

I am still hoping to maintain the three login attempts, but I need to log every failed attempt to the SIEM.

I know I can just put the macro in the failed branch of the first attempt, but then I would have to put the success items into a macro or duplicate them, and I'd like to keep it simple.

Thanks for any help,

Jon

1 Reply

  • AP

    Hi Jon,

    Did you find a solution for this?

    I was about to configure a similar solution and was doing a search to confirm that a VPE agent placed to log failures would be triggered for each AD Auth attempt. From what you are saying, it sounds like it doesn't.

    I'm looking at session variables, as I seem to recall one exists that increments with each retry. I'm looking at session.logon.page.retry at the moment but can't find any documentation. The issue with this is finding an iRule trigger that would go and log the data.

    The other choice, which I've used in the past but am not keen on in this particular case because it requires reworking a complex policy, is setting the attempts to 1 and configuring a macro that loops you from the AD Auth fallback back to the Logon Page.
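One way to wire this up, following the approach AP describes (Max Logon Attempts Allowed set to 1 on the AD Auth agent, with its fallback branch passing through a VPE iRule Event agent before the macro loops back to the Logon Page) together with the iRule Event plus HSL setup Jon already has. This is an added example, not code from either post: the pool name /Common/siem_syslog_pool, the agent ID log_auth_failure, the static hostname label and the message format are assumptions.

```tcl
# Added example, not from the original thread. Assumptions:
#   - HSL pool /Common/siem_syslog_pool points at the SIEM's syslog collector
#   - the AD Auth agent has Max Logon Attempts Allowed = 1, and its fallback
#     branch contains a VPE "iRule Event" agent with Agent ID "log_auth_failure"
#     before the macro loops back to the Logon Page
#   - the hostname label used in the syslog header is set statically below
when RULE_INIT {
    set static::siem_pool "/Common/siem_syslog_pool"
    set static::siem_host "bigip-apm"   ;# assumed hostname for the syslog header
}

when ACCESS_POLICY_AGENT_EVENT {
    # Only act on our agent; any other iRule Event agents in the policy are ignored
    if { [ACCESS::policy agent_id] ne "log_auth_failure" } { return }

    set user   [ACCESS::session data get "session.logon.last.username"]
    set client [ACCESS::session data get "session.user.clientip"]
    set result [ACCESS::session data get "session.ad.last.authresult"]
    set errmsg [ACCESS::session data get "session.ad.last.errmsg"]
    set sid    [ACCESS::session sid]

    # Strip quotes and line breaks so an attacker-supplied username cannot
    # inject a second record or break a key=value parser on the SIEM side
    regsub -all {["\r\n]} $user   "" user
    regsub -all {["\r\n]} $errmsg "" errmsg

    # <36> = facility auth (4) * 8 + severity warning (4), RFC 3164-style header
    set ts  [clock format [clock seconds] -format {%b %d %H:%M:%S}]
    set msg "<36>$ts $static::siem_host apm: APM_AUTH_FAIL user=\"$user\" client=$client sid=$sid authresult=$result reason=\"$errmsg\""

    set hsl [HSL::open -proto UDP -pool $static::siem_pool]
    HSL::send $hsl $msg
}
```

The iRule has to be attached to the APM virtual server, and the agent fires once each time the policy passes through it, so with attempts set to 1 and the macro looping back to the Logon Page every failed attempt produces one record. With attempts greater than 1 the AD Auth agent handles the retries internally and never reaches the fallback branch, which is the behaviour Jon observed, so this approach only works when the retry loop is built in the VPE rather than inside the agent.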