system manager log that shows login attempts?

[rejackson]

I just completed the cumbersome process to reset the password on my system manager web page, again. I think an internal scanner that our security department is running is locking it. I am trying to find a log in the system manager that shows logins and login attempts.

I went into services/events/logs. Those logs all appear to be about the session manager. I do not know if the system mgr login and interface will have any logs like I am looking for.

I connected to the system platform and it has a log viewer. under system logs and level alert I found Alerts on logins to the cdom but no details about the source or attempted user name. Still nothing about the system manager.

I know this is obscure but does anyone know how I can find out who is locking the system manager web login?

 

[ZeroZeroOne]

You should find the Event Logs to show System Manager logins, too.

Services / Events / Logs / Log Viewer

I just logged in and see this in the Message field:
SECURITY: : ipAdress: 10.128.1.110 Info: User: id=admin, Login Success

Use the advanced search to set some criteria

Message     Contains     id=admin

Will show all Logs that include the string "id=admin" or whatever login you're looking for. You can then find the failed logins.
SECURITY: : ipAdress: 10.128.1.110 Error: User: id=admin, Login Failed

That should help you narrow down the timeline and at least see if there are multiple failed logins that are locking out the account.

Try searching on "ObjectName=admin" to see if someone is logging in and editing the admin account.

Do you have a unique login for each person that accesses System Manager or is everyone using "Admin"? I set Admin to a ridiculously hard password and give each admin their own login with appropriate security levels and roles. The "Help Desk" roll can create and delete users, for example, but cannot access the Administrators page nor edit CM settings. Use the System Administrator only for yourself and anyone else that needs super-user access. Having at least one other System Administrator lets you reset the password of Admin with minimal pain.

 

[rejackson]

Thanks for the feedback. So it should do it. All mine is showing is 8 SIP events from dal-sm, our session manager. last entry is Feb 19. Show is ALL. Search does not find anything else. Seems like somewhere my log collection has been narrowed down but log settings just seems to define file names and sizes for the different types.

????

 

[ZeroZeroOne]

How about going under Events / Logs /Log Harvester and looking at the profile? You probably aren't looking at all the options:


Directories
/var/log/Avaya/sm
/var/log/Avaya/jboss/SessionManager
/var/log/Avaya/watchd
/var/log/Avaya/sm/CDRService
/var/log/Avaya/mgmt/drs
/var/log/secure
/var/log/Avaya/trace
var/log/Avaya/asset


Files
/var/log/Avaya/jboss/SessionManager/server.log
/var/log/asset.log
/var/log/Avaya/sm/ServiceHost/operationalEvent.log
/var/log/Avaya/jboss/SessionManager/event.log
/var/log/spirit_asset.log
/var/log/Avaya/watchd/event.log
/var/log/messages
/var/log/Avaya/mgmt/drs/symmetric.log
/var/log/Avaya/asm-nstall.log
/var/log/Avaya/asset/spirit_asset.log
/var/log/Avaya/asset/asset.log

 

[rejackson]

No profiles and not intuitive as to what a Harvest profile is or how to make one. I guess I'll break out the docs now that I know it should be doable. Thanks.