Hi Graciela,
For some reason it looks like SSHD does not generate the sshd_login_failed_limit in 10.4 on either EX or SRX (just tried both).
What I ended up having to do to get this to work was match against the syslog output, e.g.:
    event-options {
        policy SSH-AUTH-ERRORS {
            events SYSTEM;
            attributes-match {
                system.message matches "Disconnecting: Too many password failures for .";
            }
            then {
                raise-trap;
            }
        }
    }
The above policy will trap after three failed SSH login attempts. If you want to trap after each attempted login instead, match against the string "Failed password for" instead.
To log failed logins via J-Web, just set events to web_auth_fail - this should trigger after each login attempt.
Hope this helps
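An added example, not part of the original reply: a small offline check of how often each of the two match strings mentioned above would fire over one SSH session. It assumes the Junos `matches` operator behaves like an unanchored regular-expression search (approximated here with Python's `re`); the log lines, host name and addresses are constructed samples.

```python
import re

# Match strings from the event policy in the post and its per-attempt variant.
PATTERNS = {
    "limit": r"Disconnecting: Too many password failures for .",
    "per_attempt": r"Failed password for",
}

# Constructed OpenSSH-style syslog lines (not captured from a real device).
SAMPLE_LOG = """\
Jan 10 09:15:01 ex1 sshd[1234]: Failed password for admin from 192.0.2.10 port 50122 ssh2
Jan 10 09:15:04 ex1 sshd[1234]: Failed password for admin from 192.0.2.10 port 50122 ssh2
Jan 10 09:15:07 ex1 sshd[1234]: Failed password for admin from 192.0.2.10 port 50122 ssh2
Jan 10 09:15:07 ex1 sshd[1234]: Disconnecting: Too many password failures for admin
Jan 10 09:16:30 ex1 sshd[1240]: Accepted password for admin from 192.0.2.10 port 50130 ssh2
"""


def matching_lines(log_text, pattern):
    """Return the lines a system.message match on `pattern` would select.

    Assumption: the match is an unanchored search anywhere in the message.
    """
    rx = re.compile(pattern)
    return [line for line in log_text.splitlines() if rx.search(line)]


def summarize(log_text):
    """Count, per match string, how many traps the sample log would raise."""
    return {name: len(matching_lines(log_text, p)) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, count in summarize(SAMPLE_LOG).items():
        print(f"{name}: {count} trap(s)")
```

The trailing `.` in the first match string requires at least one character after "for ", so a message that ends right after "for " would not raise the trap.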