Understanding SonicWall Credential Auditor Event Logs

Description

Event Message
 
"Allowed a login attempt by a user whose password was found to have possibly been compromised."
 

What This Event Means

This event indicates that:

  • A user successfully authenticated to the firewall or an associated service.
  • The password used in the login attempt matches an entry in the Credential Auditor database.
  • The system has identified the password as potentially compromised (e.g., exposed in previous data breaches).
  • Despite the risk, the login was allowed, depending on current policy settings.
  • This event is generated for users authenticated through external authentication mechanisms (e.g. LDAP) when the supplied password is identified as compromised by the Credential Auditor database.

Note: This event does not indicate an active breach, but rather a high-risk condition.

To block logins by externally authenticated users with a potentially compromised password, navigate to DEVICE | Users | Settings - Credential Auditor. Under DURING LOGIN, enable "Block login of externally authenticated users with a compromised password".

 

 

Event Message

"Credential Auditor file download failed."

 

What This Event Means

  • This event indicates that the firewall failed to download the Credential Auditor database required for identifying compromised credentials.
  • The Credential Auditor feature relies on a periodically updated database. If the firewall cannot retrieve this file, the feature will not function as intended.
  • The firewall is not registered on mysonicwall.com, or is not in sync with the mysonicwall.com license manager.

To register a SonicWall firewall, refer to: Register firewall

To synchronize licenses on the SonicWall firewall, refer to: Synchronize Licenses
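To review both events in exported syslog, the following added example (not SonicWall code and not part of the original article) counts allowed logins with a flagged password per user and reports whether a database download failure leaves a gap in coverage. It assumes a space-separated key=value syslog layout with `msg=` and `usr=` fields; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Message texts as quoted in this article (trailing period dropped to match both forms).
MSG_COMPROMISED = ("Allowed a login attempt by a user whose password was "
                   "found to have possibly been compromised")
MSG_DOWNLOAD_FAILED = "Credential Auditor file download failed"

# Assumed layout: space-separated key=value pairs, values optionally quoted.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def triage(lines):
    """Summarise the two Credential Auditor events in an iterable of lines."""
    flagged = Counter()      # user -> allowed logins with a flagged password
    download_failures = 0
    for line in lines:
        fields = parse_line(line)
        msg = fields.get("msg", "")
        if msg.startswith(MSG_COMPROMISED):
            flagged[fields.get("usr", "<unknown>")] += 1
        elif msg.startswith(MSG_DOWNLOAD_FAILED):
            download_failures += 1
    return {
        "flagged_users": dict(flagged),
        "download_failures": download_failures,
        # Without the database the feature does not function as intended, so
        # an absence of flagged logins proves nothing while this is True.
        "coverage_gap": download_failures > 0,
    }

# Constructed sample lines, not real firewall output.
HDR = 'id=firewall sn=0000000000 time="2025-01-01 10:00:00" fw=192.0.2.1 '
SAMPLE = [
    HDR + f'msg="{MSG_COMPROMISED}." usr="alice" src=198.51.100.7',
    HDR + f'msg="{MSG_COMPROMISED}." usr="alice" src=198.51.100.9',
    HDR + f'msg="{MSG_COMPROMISED}." usr="bob" src=198.51.100.7',
    HDR + 'msg="Some other event" usr="carol" src=198.51.100.8',
    HDR + f'msg="{MSG_DOWNLOAD_FAILED}."',
]
```

Calling `triage(SAMPLE)` returns the per-user counts together with the `coverage_gap` flag.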
