Unsolved

59 Posts

October 21st, 2013 08:00

VNX Event code 0x4640 - Warning Audit Log entry

The event log of our VNX shows the following event. The event happens every hour.

Date:2013-10-07
Time:07:37:42
Event Code:0x4640
Description:Access is denied  called by 'sysadmin'. Application Accessed: ManagementServer.  Result: Failure.
Subsystem:CKM00123xxxxxx
Device:N/A
SP:N/A
Host:SPA
Source:N/A
Category:N/A
Log:Application
Sense Key:N/A
Ext Code1:N/A
Ext Code2:N/A
Type:Warning

I assume this event should only appear if a logon attempt fails because of a wrong/unknown user name or an incorrect password entry. Is this something VNX internal or is the system being scanned from elsewhere?

Any thoughts are appreciated.

Thanks

Dieter

3 Apprentice

1.2K Posts

October 21st, 2013 11:00

Do you have any monitoring, reporting or performance tools set up in the environment?  I'm thinking VNX M&R, ProSphere, Data Protection Advisor, etc.?

59 Posts

October 22nd, 2013 02:00

Yes, ProSphere is in place.

3 Apprentice

1.2K Posts

October 22nd, 2013 09:00

ProSphere and similar EMC tools can be configured to discover your VNX, then poll it for alerts and changes.  Have you checked your Discovery Jobs in ProSphere?  See if you have the hostname or IP entered for the VNX control station.  Go to Credentials and make sure you have the correct username/password combination.

If ProSphere checks out, see if you have other tools, such as SolarWinds or another SMI-S tool, configured to scan the VNX as well.  It might even be an intrusion detection or security hardening tool, such as Retina or Nessus.  Security vendors update their login tests to check the usernames of well-known products.  EMC has been using "sysadmin" for quite a while now - there's always a chance this is a scan.

Let us know if that helps!

Karl

59 Posts

October 23rd, 2013 23:00

Many Thanks.

Let me check if and how ProSphere is configured. I'll give feedback.

Dieter

59 Posts

October 25th, 2013 04:00

We do have ProSphere in our environment, and we checked if this system is configured. As this system is currently not in production yet, it isn't configured in ProSphere for discovery. ProSphere would use an account "appadmin" rather than "sysadmin".

To my knowledge there are no other tools in use. I assume that it could come from a security scanner because the error message appears every hour.

I just want to make sure that this error code is not triggered by any "internal" event and can be used as a good indicator that someone is trying to get access to the system.

Thanks again,

Dieter
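The thread's working clue is that the denial repeats every hour. The following is an added example, not written by anyone in the thread and not EMC code: it measures how regular the 0x4640 entries are and which account they name, assuming the event log has been exported as text in the "Key:Value" layout shown in the first post. The sample records, their timestamps and the `0x0000` placeholder code are constructed.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample export in the "Key:Value" layout of the event in the post.
# Timestamps are made up; 0x0000 is a placeholder for any unrelated event.
TEMPLATE = ("Date:2013-10-07\nTime:{t}\nEvent Code:{c}\n"
            "Description:Access is denied  called by 'sysadmin'. "
            "Application Accessed: ManagementServer.  Result: Failure.\n")
SAMPLE = "\n".join(TEMPLATE.format(t=t, c=c) for t, c in [
    ("04:37:39", "0x4640"), ("05:37:40", "0x4640"), ("06:00:00", "0x0000"),
    ("06:37:41", "0x4640"), ("07:37:42", "0x4640")])

def parse_records(text):
    """Split the export into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def denied_logons(records, code="0x4640"):
    """Return sorted (timestamp, account) pairs for the given event code."""
    hits = []
    for rec in records:
        if rec.get("Event Code", "").lower() != code:
            continue
        ts = datetime.strptime(f"{rec['Date']} {rec['Time']}", "%Y-%m-%d %H:%M:%S")
        m = re.search(r"called by '([^']*)'", rec.get("Description", ""))
        hits.append((ts, m.group(1) if m else None))
    return sorted(hits, key=lambda h: h[0])

def periodicity(hits, tolerance=60):
    """Median gap in seconds, and whether every gap is within tolerance of it."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
    if len(gaps) < 2:
        return None, False
    mid = median(gaps)
    return mid, all(abs(g - mid) <= tolerance for g in gaps)

if __name__ == "__main__":
    hits = denied_logons(parse_records(SAMPLE))
    gap, regular = periodicity(hits)
    print(f"{len(hits)} denials, accounts={ {a for _, a in hits} }")
    print(f"median gap {gap}s, fixed schedule: {regular}")
```

A fixed gap indicates a scheduled job rather than someone typing a password; because the record shows `Source:N/A`, the interval and minute offset then have to be matched against the schedules of the pollers and scanners that can reach the array.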
