Call Manager v7.0 SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

Jul 18th, 2010

Hi guys,

I wonder if any of you experts have come across this error before?

I have a customer that is getting this alarm 3 times a day on all three Call Managers in the 3-node cluster at exactly the same time, running CM V7.0.

SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

I have seen this discussed in the past but with a different code (6836). But basically saying somebody is logging in with the wrong SSH id/pswd. The issue is it is on all three nodes at the same time!!!

My question is:

Will one logon fail replicate to all the nodes in the cluster with this alarm?

This is happening 3 times a day and seems too regular to be a random user logon.

Is there anything else that could be causing this alarm (any automated process of any sort)?

Any help appreciated, guys.

Cheers, Keith

Aaron Harrison Mon, 07/19/2010 - 00:31

Hi

If it's the same time every day, do a packet cap on the CCM at the time it is expected. You can then review the packet cap to see which IP connections to port 22 for SSH are arriving, and track it from there. Use this command from the server CLI to set up the cap:

utils network capture file mycap count 100000 size all

I would guess it's some kind of monitoring tool...

Regards

Aaron

Please rate helpful posts..
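
Alongside the capture, the timing pattern described in the question can be checked from the logs themselves. This is an added example, not part of the original posts or any Cisco tooling: it groups "check pass; user unknown" events from several nodes into bursts and reports the times of day at which every node logged the event on more than one day, which points to a scheduled scanner or monitoring tool rather than a person. The hostnames, PIDs, timestamps and year are constructed, and the standard syslog line layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 3 bursts a day on 3 nodes for 2 days, plus one stray event.
NODES = ["cm-pub", "cm-sub1", "cm-sub2"]  # hypothetical hostnames
SAMPLE = [f"Jul {d} {h:02d}:00:0{i + 2} {n} sshd(pam_unix)[{6000 + i}]: check pass; user unknown"
          for d in (17, 18) for h in (2, 10, 18) for i, n in enumerate(NODES)]
SAMPLE.append("Jul 17 13:37:41 cm-sub1 sshd(pam_unix)[5300]: check pass; user unknown")

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) "
                  r"sshd\(pam_unix\)\[\d+\]: check pass; user unknown")

def parse(lines, year=2010):
    """Yield (timestamp, host) per matching line; syslog omits the year."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def bursts(events, window=timedelta(seconds=30)):
    """Group events that start within `window` of the first event of a burst."""
    out = []
    for ts, host in sorted(events):
        if out and ts - out[-1]["start"] <= window:
            out[-1]["hosts"].add(host)
        else:
            out.append({"start": ts, "hosts": {host}})
    return out

def recurring_slots(lines, nodes, min_days=2):
    """Return HH:MM slots where every node logged the event on >= min_days days."""
    days = defaultdict(set)
    for b in bursts(parse(lines)):
        if b["hosts"] >= set(nodes):  # burst reached the whole cluster
            days[b["start"].strftime("%H:%M")].add(b["start"].date())
    return sorted(slot for slot, seen in days.items() if len(seen) >= min_days)

if __name__ == "__main__":
    print("cluster-wide recurring slots:", recurring_slots(SAMPLE, NODES))
```

The slots it reports are the times at which to start the packet capture on each node.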

keithbrandon Tue, 07/20/2010 - 01:19

Thanks Aaron,

I will set this up and see what we can find.

Thanks again for your help.

Keith
