Environment
NetIQ eDirectory
Situation
How to audit failed login attempts
Resolution
Enable auditing of Add Value for the eDirectory instrumentation
- Open iManager, and log in with admin rights.
- From the eDirectory administration menu, select modify object.
- Enter the name of your server object (server being logged into, not the Secure Logging Server) ie., servername.novell. Click ok.
- When the server object appears, click on the Nsure Audit tab (from Mozilla, select the Nsure Audit option from the drop down menu)
- Click the eDirectory link.
- Make sure that the check box next to Add Value is checked.
- Click Save to save the changes.
This needs to be done on each server holding a replica of the container that we are monitoring for failed login attempts.
Enable Intruder Detection on the container
- In iManager, select modify object from the eDirectory administration menu.
- Enter the name of a container to enable intruder detection, ie., o=novell
- From the General Tab, click the Intruder Detection link.
- Click the Check box next to Detect Intruders.
- Cick Ok to save the changes.
It is not necessary to change any of the other settings, or enable intruder lockout to detect this event.
To Query this event, a simple select query can be created in iManager, or from Nsure Audit report. The manual query statement will look something like this:
select * from log WHERE eventid=720902 and text2='Login Intruder Attempts';
Additional Information
eDirectory doesn't provide an event for a failed login, therefore Nsure Audit cannot audit failed logins directly.
Formerly known as TID# 10092488
Formerly known as TID# NOVL96555