Sample log-
Cisco ACS Authentication Failed
Nov 3 08:21:13 REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 2017-11-03 08:21:13.484 +05:30 0038659009 5401 NOTICE Failed-Attempt:
Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=53, Device IP Address=10.150.0.5, Device Port=44041,
DestinationIPAddress=172.20.1.200, DestinationPort=49, UserName=mvparam, Protocol=Tacacs, RequestLatency=141, Type=Authentication, Action=Login,
Privilege-Level=15, Authen-Type=ASCII, Service=Enable, User=rajul, Port=39, Remote-Address=172.20.1.152, UserName=rajul,
AcsSessionID=REL-DC-MSTCRD-ACS/278522990/2009452, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII,
SelectedAccessService=IMC-Access, IdentityGroup=IdentityGroup:All Groups:IMC-L2G, FailureReason=22004 , Step=13013 , Step=15008 , Step=15004 ,
Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 ,
Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22004
Query-index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed"
Stuck after this query, help to write rule please?
In case you want to take time in consideration as well to check for consecutive unsuccessful login attempts, either you can use timechar command or add bin command to the query as follows:
index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | bin _time span=5m| stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5
Hi
Can you please try this query ?
index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5
EDIT: Or may be below query because I don't know which is your source and destination IPs, you can change your source and destionation IP field in given query.
index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Device IP Address", UserName | where count > 5
Thanks,
Harshil