FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190481

Description

The event "Admin User Login Failure" is generated when a login attempt to the Administration UI fails. 
 
Note:  This event does not apply to CLI access. 
 
This article provides instructions on how to retrieve data regarding the login failure for further investigation.
 


Solution

To determine the IP addresses of devices accessing the UI at the time of the login failure(s), SSH to the Control Server and review the content of the following file:
/bsc/logs/tomcat-admin/localhost_access_log.<date>.txt
 
The localhost_access_log files are generated daily and date stamped (Example:  localhost_access_log.2019-05-22.txt).  Review the file marked with the date of the login failure(s). 
 
High rate of "Admin User Login Failure" events from the same IP address:  If the IP address belongs to a trusted server expected to be running a vulnerability scanning tool (such as Nessus or OpenVAS), verify whether or not a routine test was performed at that time.  If not, the behavior could potentially be malicious.
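
One way to list the client addresses seen in the access log around the time of a failure event, as an added example (not Fortinet's own tooling). It assumes the file uses Tomcat's "common" access-log layout, with the client address in the first field and the timestamp in the fourth; `ips_in_window`, `make_sample` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally client IPs in a Tomcat access log within a time window.
# Assumed line layout (Tomcat "common" pattern, not confirmed by the article):
#   host ident user [dd/Mon/yyyy:HH:MM:SS zone] "request" status bytes

# ips_in_window FILE START END   (START and END as HH:MM:SS, inclusive)
# Prints "<request count> <client IP>", busiest address first.
ips_in_window() {
    awk -v start="$2" -v end="$3" '
        {
            # Field 4 looks like "[22/May/2019:10:15:01"; the time of day
            # starts right after the first colon.
            t = substr($4, index($4, ":") + 1)
            if (t >= start && t <= end) count[$1]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# make_sample FILE: write constructed log lines (documentation IP ranges,
# placeholder request paths) so the function can be tried offline.
make_sample() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [22/May/2019:10:14:58 +0000] "GET /example/ HTTP/1.1" 200 512
198.51.100.23 - - [22/May/2019:10:15:01 +0000] "POST /example-login HTTP/1.1" 200 310
198.51.100.23 - - [22/May/2019:10:15:02 +0000] "POST /example-login HTTP/1.1" 200 310
198.51.100.23 - - [22/May/2019:10:15:03 +0000] "POST /example-login HTTP/1.1" 200 310
198.51.100.23 - - [22/May/2019:10:15:04 +0000] "POST /example-login HTTP/1.1" 200 310
192.0.2.10 - - [22/May/2019:10:15:30 +0000] "GET /example/ HTTP/1.1" 200 512
192.0.2.10 - - [22/May/2019:10:17:00 +0000] "GET /example/ HTTP/1.1" 200 512
EOF
}

# Demo on the constructed sample: addresses active during minute 10:15.
sample=$(mktemp)
make_sample "$sample"
ips_in_window "$sample" 10:15:00 10:15:59
rm -f "$sample"
```

On the Control Server, pass the dated file for the day of the event and a window around the event's timestamp, then compare the top addresses against the hosts expected to run scheduled scans.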
 

Contact Support if assistance is needed in reviewing the content. 


