Our Network Intrusion Detection System is picking up multiple connections marked as RSH:Null Login from our PAM Appliance. What can be the cause of this issue? Are the Tomcat logs the appropriate logs to check? What should I be checking in the logs?
I checked our Support case history and I do not see any instances of customers reporting the alert you are seeing, "RSH:Null Login".
The Tomcat log may contain some information about the user login, but the best log to start looking into this would be the Session logs (sessions > logs). This might show why a login failed or if there was some other problem with the login. Otherwise there is likely not much you will find in the logs available to customers, but there may be something more useful in the logs.bin file which customers are unable to open and review.
If you are not able to find anything useful under Tomcat or Session Logs, then I would suggest opening a ticket with Support to have this issue looked into properly. If you do open a support ticket, please include your logs.bin and session log export immediately for review.
Support Engineer 3
Broadcom (CA) - ESD Support