IHAC that enables trackchanges so that when there are failed login attempts he is able to look in the errlog and see the user id that has had the failed logins.
The following messages are produced in the errlog when trackchanges is enabled:
2015/01/29-15:33:46, [SEC-1192], 6, FID 128, INFO, IBM_COPA_ASHBURN, Security violation: Login failure attempt via SERIAL.
2015/01/29-15:33:46, [TRCK-1002], 7, FID 128, INFO, IBM_COPA_ASHBURN, Unsuccessful login by user admin after 0 overall login failure attempts.
As you can see, the TRCK-1002 message indicates the user id name that had failed login attempts. The SEC-1192 indicates a failed login but does not identify the user id.
When trackchanges is NOT enabled, only a SEC-1192 message is produced in the errlog:
I realize the trackchangesxx commands are being deprecated and being phased out.
My customer wants to be able to look to the errlog and be able to identify the user id that had the failed login attempt.
I believe if we enabled AUDITING we could capture the messages that way but the customer would prefer not to have to enable auditing.
Does anyone know if the trackchanges functionality allowing the user id to be identified has been ported somewhere else? Any input is appreciated.
The family of trackchangesxxx commands has been deprecated as of FOS 7.2 and I suppose that you gotta configure MAPS instead. Please check the Monitoring And Alerting Policy Suite Administrator Guide, and in particular the Security Violations part, where you may find what your customer is requesting.
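Added example, not part of the original thread and not vendor tooling: Python that pairs each SEC-1192 line with the TRCK-1002 line sharing its timestamp, FID and switch name, so the user id behind a failed login can be read off, and flags SEC-1192 events that have no user id logged. The field layout is taken from the two errlog lines quoted in the question; the pairing key, the function names and the third sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Field layout assumed from the two quoted lines:
# timestamp, [MSG-ID], sequence, FID n, severity, switch name, message text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), \[(?P<msgid>[A-Z]+-\d+)\], "
    r"(?P<seq>\d+), FID (?P<fid>\d+), (?P<sev>\w+), (?P<switch>[^,]+), (?P<text>.*)$"
)
VIA_RE = re.compile(r"Login failure attempt via (\S+?)\.?$")
USER_RE = re.compile(r"Unsuccessful login by user (\S+)")

def parse(line):
    """Return the fields of one errlog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_logins(lines):
    """Pair each SEC-1192 with a TRCK-1002 sharing timestamp, FID and switch."""
    users = defaultdict(list)   # (ts, fid, switch) -> user names from TRCK-1002
    violations = []             # ((ts, fid, switch), interface) per SEC-1192
    for rec in filter(None, map(parse, lines)):
        key = (rec["ts"], rec["fid"], rec["switch"])
        if rec["msgid"] == "TRCK-1002":
            u = USER_RE.search(rec["text"])
            if u:
                users[key].append(u.group(1))
        elif rec["msgid"] == "SEC-1192":
            via = VIA_RE.search(rec["text"])
            violations.append((key, via.group(1) if via else None))
    report = []
    for key, via in violations:
        # No TRCK-1002 for this key means the user id was never logged.
        user = users[key].pop(0) if users[key] else None
        report.append({"time": key[0], "switch": key[2], "via": via, "user": user})
    return report

# The first two lines are the ones quoted in the question; the third is
# constructed to show the SEC-1192-only case (trackchanges not enabled).
SAMPLE = [
    "2015/01/29-15:33:46, [SEC-1192], 6, FID 128, INFO, IBM_COPA_ASHBURN, Security violation: Login failure attempt via SERIAL.",
    "2015/01/29-15:33:46, [TRCK-1002], 7, FID 128, INFO, IBM_COPA_ASHBURN, Unsuccessful login by user admin after 0 overall login failure attempts.",
    "2015/01/29-15:40:02, [SEC-1192], 8, FID 128, INFO, IBM_COPA_ASHBURN, Security violation: Login failure attempt via SERIAL.",
]

if __name__ == "__main__":
    for row in failed_logins(SAMPLE):
        print(row)
```

Rows whose `user` is `None` are the failed logins that cannot be attributed from the errlog alone.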