EMS log reports event security.invalid.login for locked vsadmin

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 1,869

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: CORE

Last Updated:

Applies to

ONTAP 9
ONTAPI
SnapDrive

Issue

Getting notifications about login attempts from external system

ALERT in EMS.LOG.GZ :

security.invalid.login: Failed to authenticate login attempt to Vserver: svm_data, username: vsadmin, application: ontapi

In CLI:

Cluster-01::> event log show -message-name security.invalid.login

Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
3/22/2021 08:00:07  Cluster-01         ALERT      security.invalid.login: Failed to authenticate login attempt to Vserver: svm_data, username: vsadmin, application: ontapi.

Identify IP address and user for failed login attempt with security audit log show

Cluter-01::> security audit log show -timestamp "3/22/2021 08:00:07"
Time                      Node         Audit Message
------------------------  -----------  -----------------------
Mon Mar 22 08:00:07 2021  Cluster-01   [kern_audit:info:2345] 8503e800002b7bbe :: Cluster-01:ontapi :: 10.10.10.1:10101 :: svm_data:vsadmin :: Login Attempt :: Error: Error: Account currently locked. Contact the storage administrator to unlock it.

Mon Mar 22 08:00:07 2021  Cluster-01   [kern_audit:info:2345] 8503e800002b7bbe :: Cluster-01:ontapi :: 10.10.10.1:10101 :: svm_data:vsadmin :: Login Attempt :: Error: Authentication failed.

Mon Mar 22 08:00:07 2021  Cluster-01   [kern_audit:info:8617] 8503e800002b7bbe :: Cluster-01:ontapi :: 10.10.10.1:10101 :: svm_data:vsadmin :: POST /servlets/netapp.servlets.admin.XMLrequest_filer HTTP/1.1 :: Error: 401 Unauthorized
3 entries were displayed.

IP identified as a Snapdrive using the vsadmin user