ECA_REQUEST_DENIED¶
Description¶
This event is fired only when ECA plugin perform authentication and
ECA could not verify the user credential the validity of the
credential. Consequently this means the event fired after the client
did perform NTLMSSP prototocol (after client sends
NTLMSSP_AUTHENTICATE), and before ECA response of HTTP 401. This event
is not fired when ECA responds with NTLMSSP_CHALLENGE as this is part
of NTLM authentication, and also not fired when the ECA try to
initiate NTLM authentication in which the client has not send the
credential yet..
Examples¶
when ECA_REQUEST_DENIED {
log local0. "username: [ECA::username]"
log local0. "domainname: [ECA::domainname]"
log local0. "hostname: [ECA::client_machine_name]"
log local0. "status: [ECA::status]"
}