2 Replies Latest reply on Feb 23, 2017 9:21 AM by dlorenzo@wpb.org

    Incidents created when manager logs in as root for cron


      New to LEM... we enabled a bunch of default rules. Every 15 minutes or so, incidents are created from events automatically happening on the manager. The rules that are firing to create the incidents are "Authentication Traffic but No Agent" and "Authentication Attempt - Default Account".


      The event info is always 'pam user logoff "root" from service "cron:session"' and 'pam user logon "root" for service "cron:session"'


      From the description of the "Authentication Traffic but No Agent" rule, it says it "Detects unauthorized workstations on the network" which is something we'd like to do. So are we supposed to modify the rule to exclude the LEM Manager?


      For the "Authentication Attempt - Default Account" rule, I see it's looking for authentication attempts for *administrator, *root, or *guest. While we would like to know if somebody is trying to login with these accounts, I don't really care that the LEM manager is logging in by itself to run cron jobs.


      How do we exclude these specific events from generating the incidents, but allow LEM to create incidents if the rules are triggered for other reasons?

        • Re: Incidents created when manager logs in as root for cron

          Hi Matt,


          This is typically what a root/cron logon looks like within LEM:



          You can add conditions to your correlation rules to exclude certain usernames, hostnames, etc.


          For example, you can add a condition to the 'Authentication Attempt - Default Account' rule to exclude events where the DetectionIP is not equal to the LEM appliance:


            • Re: Incidents created when manager logs in as root for cron

              Your solution will not give the desired effect. You have all your conditions in a correlation box set to OR (yellow right edge). So, if any of these conditions are met it will apply. That means the "DetectionIP not equal to *swi-lem*" condition will be met even if the DestinationAccount isn't administrator, root, or guest.


              I believe this will accomplish that.


              Lem Rule 2.JPG


              The right edge is set to AND (blue), meaning that both groups must meet the condition for the correlation to be true: (DestinationAccount is equal to administrator, root, or guest) AND (DestinationIP is not equal to your LEM appliance).
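To make the OR-versus-AND point concrete, here is an added example (not LEM's own rule engine) that models the two condition groupings from the replies and runs them over constructed pam logon events; the appliance pattern `*swi-lem*` is taken from the thread, the IPs and account names are made up.

```python
# Added example (not LEM code): models how LEM-style correlation groups combine
# conditions, to show why the all-OR group in the first reply over-fires and
# the AND grouping in the second reply does not. Event fields and the LEM
# appliance pattern "*swi-lem*" are constructed/assumed for illustration.
from fnmatch import fnmatch

DEFAULT_ACCOUNTS = ("*administrator", "*root", "*guest")
LEM_APPLIANCE = "*swi-lem*"          # DetectionIP pattern quoted in the thread

def default_account(ev):
    """DestinationAccount matches *administrator, *root or *guest (wildcards)."""
    return any(fnmatch(ev["DestinationAccount"].lower(), p) for p in DEFAULT_ACCOUNTS)

def not_from_appliance(ev):
    """DetectionIP is not the LEM manager itself."""
    return not fnmatch(ev["DetectionIP"], LEM_APPLIANCE)

def rule_or_grouped(ev):
    # First reply's layout: every condition in one OR group (yellow edge).
    return default_account(ev) or not_from_appliance(ev)

def rule_and_grouped(ev):
    # Second reply's layout: the two groups joined with AND (blue edge).
    return default_account(ev) and not_from_appliance(ev)

# Constructed sample events modelled on the 'pam user logon' lines in the question.
EVENTS = [
    {"id": "cron-root",  "DestinationAccount": "root",   "DetectionIP": "swi-lem",   "Service": "cron:session"},
    {"id": "ws-root",    "DestinationAccount": "root",   "DetectionIP": "10.0.0.25", "Service": "sshd"},
    {"id": "ws-jsmith",  "DestinationAccount": "jsmith", "DetectionIP": "10.0.0.25", "Service": "sshd"},
    {"id": "lem-jsmith", "DestinationAccount": "jsmith", "DetectionIP": "swi-lem",   "Service": "sshd"},
]

def incidents(rule):
    """Return the ids of events that the given rule would turn into incidents."""
    return [ev["id"] for ev in EVENTS if rule(ev)]

if __name__ == "__main__":
    # OR grouping still fires on the manager's own cron logon and on ordinary users
    print("OR group :", incidents(rule_or_grouped))
    # AND grouping fires only for a default account seen from a non-LEM host
    print("AND group:", incidents(rule_and_grouped))
```

The OR layout still raises an incident for the manager's own root/cron logon and additionally for every non-default account from another host, while the AND layout reports only root from the workstation.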