Description
The event "Admin User Login Failure" is generated when a login attempt to the Administration UI fails.
Note: This event does not apply to CLI access.
This article provides instructions on how to retrieve data regarding the login failure for further investigation.
Solution
To determine the IP addresses of devices accessing the UI at the time of the login failure(s), SSH to the Control Server and review the content of the following file:
/bsc/logs/tomcat-admin/localhost_access_log.<date>.txt
The localhost_access_log files are generated daily and date stamped (Example: localhost_access_log.2019-05-22.txt). Review the file marked with the date of the login failure(s).
High rate of "Admin User Login Failure" events from the same IP address: If the IP address belongs to a trusted server expected to be running a vulnerability scanning tool (such as Nessus or OpenVAS), verify whether or not a routine test was performed at that time. If not, the behavior could potentially be malicious.
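The review described above can be narrowed to the minutes around the event and summarized per client address. The following is an added example, not vendor-supplied code; it assumes the file uses Tomcat's default "common" access-log pattern (client address in field 1, timestamp in field 4), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes Tomcat's default "common" access-log
# pattern (%h %l %u %t "%r" %s %b): field 1 is the client address and field 4
# is the timestamp, e.g. [22/May/2019:10:15:32

# ips_in_window LOGFILE START END
# Prints "requests ip first_seen last_seen" for every client that made a
# request between START and END (HH:MM:SS, inclusive), busiest client first.
ips_in_window() {
    awk -v start="$2" -v end="$3" '
        {
            # Time of day is the 8 characters after the first colon in field 4.
            t = substr($4, index($4, ":") + 1, 8)
            if (t < start || t > end) next
            if (!($1 in n)) first[$1] = t
            n[$1]++
            last[$1] = t
        }
        END { for (ip in n) print n[ip], ip, first[ip], last[ip] }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, hypothetical URLs).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [22/May/2019:10:14:58 +0000] "GET /admin/ HTTP/1.1" 200 5123
198.51.100.7 - - [22/May/2019:10:15:01 +0000] "POST /admin/login HTTP/1.1" 200 2210
198.51.100.7 - - [22/May/2019:10:15:02 +0000] "POST /admin/login HTTP/1.1" 200 2210
198.51.100.7 - - [22/May/2019:10:15:04 +0000] "POST /admin/login HTTP/1.1" 200 2210
192.0.2.10 - - [22/May/2019:10:15:30 +0000] "GET /admin/ HTTP/1.1" 200 5123
198.51.100.7 - - [22/May/2019:10:16:10 +0000] "POST /admin/login HTTP/1.1" 200 2210
EOF
}

# Demo on the constructed sample: clients seen during minute 10:15.
tmp=$(mktemp)
sample_log > "$tmp"
ips_in_window "$tmp" 10:15:00 10:15:59
rm -f "$tmp"
```

On the Control Server, pass the dated localhost_access_log file and a window around the event time in place of the sample. An address with a high request count inside that window is the one to check against known vulnerability scanning hosts.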
Contact Support if assistance is needed in reviewing the content.