NLS Setup

[sreinhardt]

Do events for invalid user login attempts show in the log your are viewing? Could you show an example of successful and failed logins on those log files specifically?

[Alan-kl_tam]

Yes, when i tried to login with invalid password, it show in /var/log/secure log file, but it show in NLS dashboard in next day.
I expect the log message will show in dashboard within a minutes.. any configuration wrong??
Alan

[Alan-kl_tam]

what the time delay between the invalid message show in NLS dashboard? Can tune ?
Thanks.

[lmiltchev]

You can select "Auto-Refresh" option from the drop-down menu to refresh the dashboard every 5s, 10s, 30s, etc.

[Alan-kl_tam]

Yes, i have tuned the auto refresh to 5s, but same result.
I tried to input a invalid password to target hosts, and the /var/log/secure show correct, but this event show on NLS dashboard on next day......

[sreinhardt]

When you say it is showing for the next day, do you mean that it displays in log server as being received tomorrow but is available to view now, displays as received tomorrow and is not viewable until tomorrow, or displays as received today but is not displayed until tomorrow?

When these messages do show, are they showing where the would otherwise belong, in between other log messages of the same type and time?

[Alan-kl_tam]

I'm not sure the fail password event (/var/log/secure) will show in NLS's log file or not.. but this kind of event will be displayed in dashboard tomorrow...

[OptimusB]

I have having the same issue. So I am creating a failed password event and the time stamp is showing correctly. However the @timestamp shown is not the same and it is throwing off the query/alert. Please look at the attached image for the time difference. Event occurred just after 8am PST, but the @timestamp (with browser adjust) is wrong. It thinks the event happened at 5am instead when it shows up on the graph.



Here's the graph



Thanks

[tmcdonald]

I'm seeing the same behavior (or very similar) on my machine. If I select a 24-hour view and trigger a log, it will display one hour ago. The right-most hour in my graphs is always empty (except, for some reason, for the two events pictured here...).

This was taken at 11:13 AM and the last shown entry is from 10:13 AM, but I am definitely getting new logs. No idea why it shows two to the right though.

I am definitely going to open an internal bug report for this since it is reproduceable both in- and out-of-house. If you have any more details to add please do so.

Edit: BUG ID4616 added.

[OptimusB]

Thank you. Due to the time issue, our alert is not working, as it is checking the recent time period and not finding the login error. I guess a temporary workaround will be to increase the lookback period so it will see the error?