How to audit failed login attempts

  • 7017208
  • 29-Jan-2016
  • 29-Jan-2016


Novell Nsure Audit 1.0.X
NetIQ eDirectory


How to audit failed login attempts with Nsure Audit
How to audit failed login attempts


In order to audit failed logins it is necessary to set up Nsure Audit eDirectory instrumentation to audit Add Value events on the NCP server object. It is also necessary to enable instruder detection on containers where failed login attempts auditing is desired. The following steps describe this process:

Enable auditing of Add Value for the eDirectory instrumentation

  1. Open iManager, and log in with admin rights.
  2. From the eDirectory administration menu, select modify object.
  3. Enter the name of your server object (server being logged into, not the Secure Logging Server) ie., servername.novell. Click ok.
  4. When the server object appears, click on the Nsure Audit tab (from Mozilla, select the Nsure Audit option from the drop down menu)
  5. Click the eDirectory link.
  6. Make sure that the check box next to Add Value is checked.
  7. Click Save to save the changes.

This needs to be done on each server holding a replica of the container that we are monitoring for failed login attempts.

Enable Intruder Detection on the container

  1. In iManager, select modify object from the eDirectory administration menu.
  2. Enter the name of a container to enable intruder detection, ie., o=novell
  3. From the General Tab, click the Intruder Detection link.
  4. Click the Check box next to Detect Intruders.
  5. Cick Ok to save the changes.

It is not necessary to change any of the other settings, or enable intruder lockout to detect this event.

To Query this event, a simple select query can be created in iManager, or from Nsure Audit report. The manual query statement will look something like this:

select * from log WHERE eventid=720902 and text2='Login Intruder Attempts';


Additional Information

eDirectory doesn't provide an event for a failed login, therefore Nsure Audit cannot audit failed logins directly.
Formerly known as TID# 10092488

Formerly known as TID# NOVL96555