problem about Login failed for user 'sa'

83 views
Skip to first unread message

Fabio Miotti

unread,
Jan 21, 2021, 9:51:49 AM1/21/21
to Wazuh mailing list
Hello
i have problem in wazuh manager 4.0.3 with agent 4.0.3 with trigger " Login failed for user" for sql server 2016
All events are registered  correctly in archives.log but not sent email for this trigger. why? i have seen the rules with level=7 in "0440-ms_sqlserver_rules.xml"

eventRecordID":"105265","channel":"Application","computer":"PIPPO.deroma.local","severityValue":"AUDIT_FAILURE","message":"\"Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.15.15]\""},"eventdata":{"binary":"184800000E0000000600000050004900500050004F000000070000006D00610073007400650072000000","data":"sa,  Reason: Password did not match that for the login provided.,  [CLIENT: 172.16.15.15]"}}}

Fabio Miotti

unread,
Jan 21, 2021, 2:24:50 PM1/21/21
to Wazuh mailing list
launching   /var/ossec/bin/ossec-logtest  -v exit this screen:
**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'syslog: User authentication failure.'
**Alert to be generated.

it's wrong the rule associated. how to solve?

Fabio Miotti

unread,
Jan 24, 2021, 6:01:10 AM1/24/21
to Wazuh mailing list
hello anyone can help me for this problem about failed login in SQL SERVER?
i cannot receive the email
Reply all
Reply to author
Forward
0 new messages