Call Manager v7.0 SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

keithbrandon
Level 1

Hi guys,

I wonder if any of you experts have come across this error before?

I have a customer that is getting this alarm 3 times a day on all three Call Managers in the 3-node cluster at exactly the same time, running CM V7.0.

SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown

I have seen this discussed in the past, but with a different code (6836), basically saying somebody is logging in with the wrong SSH ID/password. The issue is it is on all three nodes at the same time!

My question is: will one logon failure replicate to all the nodes in the cluster with this alarm?

This is happening 3 times a day and seems too regular to be a random user logon.

Is there anything else that could be causing this alarm (any automated process of any sort)?

Any help appreciated, guys.

Cheers, Keith

2 Replies

Aaron Harrison
VIP Alumni

Hi

If it's the same time every day, do a packet cap on the CCM at the time it is expected. You can then review the packet cap to see which IP connections to port 22 for SSH are arriving at, and track it from there. Use this command from the server CLI to set up the cap:

utils network capture file mycap count 100000 size all

I would guess it's some kind of monitoring tool...

Regards

Aaron

Please rate helpful posts..

Thanks Aaron,

I will set this up and see what we can find.

Thanks again for your help.

Keith
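
One way to do the capture review Aaron suggests, as an added example that is not part of the original thread: it lists which source IPs opened new connections to port 22 and when, so the times can be lined up with the alarm. It assumes the capture has been downloaded from the server as a classic libpcap file with Ethernet framing; the function names and the sample addresses are constructed for illustration.

```python
import struct

def ssh_sources(pcap_bytes, port=22):
    """Map source IP -> capture timestamps (epoch s) of TCP SYNs sent to `port`."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Keep only untagged IPv4 frames carrying TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        tcp = frame[14 + ihl:14 + ihl + 14]
        if len(tcp) < 14:
            continue                            # truncated TCP header
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if dport == port and flags & 0x12 == 0x02:   # SYN set, ACK clear
            src = ".".join(str(b) for b in frame[26:30])
            hits.setdefault(src, []).append(ts)
    return hits

def _frame(src, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed capture: two SSH SYNs from one host plus unrelated traffic."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(1000, "10.0.0.50", 22, 0x02), (1001, "10.0.0.50", 22, 0x10),
            (1002, "10.0.0.60", 443, 0x02), (29800, "10.0.0.50", 22, 0x02)]
    for ts, src, dport, flags in pkts:
        f = _frame(src, dport, flags)
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(ssh_sources(sample_capture()))
```

Running the same function over the capture from each node shows whether one source is connecting to all three at the same moment.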