How Do I Know Whether an Intrusion Succeeded?

  • If you have enabled alarm notifications for intrusion detection, you will be notified immediately when an account is cracked or may be cracked.

  • You can also check whether attack IP addresses are blocked on the Detection page.

  • To further determine the details, perform the following steps:

    • Linux

      For Linux servers, you can view logs in /var/log/secure and /var/log/message directories, or run the last command to check whether there are abnormal login records.

    • Windows

      To view server login logs, perform the following steps:

      1. Open Control Panel.

      2. Choose Administrative Tools > Event Viewer. The Event Viewer page is displayed.

      3. In the navigation tree on the left, choose Windows Logs > Security. The Security page is displayed.

      4. In the navigation tree on the right, choose Security > Filter Current Log. The Filter Current Log dialog box is displayed.

      5. On the Filter tab, locate the <All Event IDs>.

      6. Enter the login event ID and click OK to filter the target login events.

        • 4624: ID of successful login events

        • 4625: ID of failed login events