Real-time performance monitoring and troubleshooting
Post Reply
nikolaj
Veeam Software
Posts: 152
Liked: 50 times
Joined: Mar 22, 2021 11:19 am
Contact:

[Fork from 74788] Alarm suspension custom rules

Post by nikolaj »

Customer has an intrusion detection system, trying to log on to ESXi hosts. Each time ONE registers a failed login attempt, which is expected. But... since it is expected that the login will fail, the alarm is a false positive in a way. Could be helpful to create a custom alarm that excludes failed attempts from a certain IP address only, but triggers on everyone else. Still not 100%, because if someone finds a way to the IDS system, they could try indefinitely from there and no one would know.

nikolaj
Veeam Software
Posts: 152
Liked: 50 times
Joined: Mar 22, 2021 11:19 am
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by nikolaj »

@Matts N I forked your request from 74788 into a new topic, so we could track those separately.
Customer has an intrusion detection system, trying to log on to ESXi hosts.
Does this intrusion system work on a schedule? Or are those logon attempts happen at random?
If it's the former, you could probably suppress the alarm based on a schedule that can be configured on the Suppress tab in its settings:

Image

Matts N
Enthusiast
Posts: 52
Liked: 7 times
Joined: Dec 27, 2010 10:41 am
Full Name: Matts Nilsson
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by Matts N »

Hello Nikolaj,
I feel like a proper n00b when it comes to ONE. :P

I think it is set to a schedule, along the lines of "first Tuesday every month" or "Monday second week of month", but not sure. I will check with my customer regarding this. A suppression of the error is probably only half way there though, unless I can filter source of alarm. I don't want to suppress all alarms, only those triggered from a certain host. Even if the suppression only is for a few minutes, it could potentially still filter out a proper alarm.

wishr
Veeam Software
Posts: 2696
Liked: 362 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by wishr »

Hi Matts,

Chiming in to say that you may create an alarm copy for that particular host by modifying the assignment scope and then suppress this during a required period of time.

Thanks

Matts N
Enthusiast
Posts: 52
Liked: 7 times
Joined: Dec 27, 2010 10:41 am
Full Name: Matts Nilsson
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by Matts N »

Hello Fedor,
I think you got the problem backwards. :D I can assign an alarm to all or parts of the infrastructure, yes. But I do not wish to filter based on infrastructure, I want to filter based on what triggers the alarm in the first place, regardless of which part of the infrastructure is the target.

An example, hopefully understandable: :)
In my infrastructure I have hosts A, B, C, and D. Some external source, E, tries to logon to these hosts with invalid credentials, triggering the alarm "Bad Host username logon attempt". I want to filter this alarm based on that external source E, not if the alarm is triggered on host A, B, C, or D.

Cheers!

Edit: The reason for filtering on the external source is that it allows me to filter out a specific source instead of filtering out all sources during the period the alarm is suppressed.

wishr
Veeam Software
Posts: 2696
Liked: 362 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by wishr »

Got it, thanks for clarifying. Currently, this is not possible and the workaround is to suppress the alarms during the period when the IDS is performing its login activities. We'll treat it as an FR.

To be honest, I've never seen an IDS trying to perform login attempts on the target system. Are you sure this is the case?

Thanks

Matts N
Enthusiast
Posts: 52
Liked: 7 times
Joined: Dec 27, 2010 10:41 am
Full Name: Matts Nilsson
Contact:

Re: [Fork from 74788] Alarm suspension custom rules

Post by Matts N » 1 person likes this post

According to my customer they have a system that checks that it cannot log into their ESXi hosts using SSH (that is, is SSH running when it should not be?). It is this check that triggers the alarm for incorrect logon information on the ESXi hosts and since it is expected a false positive in ONE.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest