Call Manager v7.0 SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

Jul 18th, 2010

Hi guys,

I wonder if any of you experts have come across this error before?

I have a customer that is getting this alarm 3 times a day on all three Call Managers in the 3 node cluster at exactly the same time. Running CM V7.0.


SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

I have seen this discussed in the past but with a different code (6836). But basically saying somebody is logging in with the wrong SSH id/pswd. The issue is it is on all three nodes at the same time!!!

My question is:

Will one logon fail replicate to all the nodes in the cluster with this alarm?

This is happening 3 times a day and seems too regular to be a random user logon.

Is there anything else that could be causing this alarm (any automated process of any sort)?

Any help appreciated.

Guys.

Cheers, Keith

Aaron Harrison Mon, 07/19/2010 - 00:31

Hi


If it's the same time every day, do a packet cap on the CCM at the time it is expected. You can then review the packet cap to see which IP connections to port 22 for SSH are arriving, and track it from there. Use this command from the server CLI to set up the cap:


utils network capture file mycap count 100000 size all


I would guess it's some kind of monitoring tool...


Regards


Aaron


Please rate helpful posts..

keithbrandon Tue, 07/20/2010 - 01:19

Thanks Aaron,

I will set this up and see what we can find.

Thanks again for your help.


Keith
