Jonathon_Page
Jul 24, 2018Nimbostratus
Log all failed password attempts to SIEM/Syslog
Hi,
I've set up an APM policy to use iRule Events to send messages through HSL to log events to my SIEM.
I set up an event on the failure branch of the AD Auth event to log failures, but I've found that if the AD Auth event is set to more than one attempt, it never hits the failed branch and nothing gets logged.
My login page and AD auth are in a macro, so I was hoping to do it recursively, but it doesn't appear that my F5 (13.1) allows that.
I am still hoping to maintain the three login attempts, but I need to log every failed to the SIEM.
I know I can just put the macro in the failed branch of the first attempt, but then I would have to put the success items into a macro or duplicate them, and I'd like to keep it simple
Thanks for any help,
Jon