I'm facing two issues because of a lack of proper support for CIM compliance.
1) Field user is not properly extracted. The app provides two aliases for fields User_Name and UserName. But I also found fields: User and AdminUser.
2) At the moment I'm observing a lot of action = unknown (on datamodel level) for the events with FailureReason="13017 Received TACACS+ packet from unknown Network Device or AAA Client". I think it should be marked with action = failure.
Jul 31 14:59:44 HOSTNAME CISE_Failed_Attempts 0000109068 1 0 2019-07-31 14:59:44.687 +09:00 0000518034 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=1054, Device IP Address=dead::beef, Device Port=58388, DestinationIPAddress=dead:beef::2, DestinationPort=49, Protocol=Tacacs, FailureReason=13017 Received TACACS+ packet from unknown Network Device or AAA Client, Step=13017,
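
Added example, not part of the original post and not the app's own code: a Python sketch of the normalization the post asks for, taking user from whichever of the four field names is present and setting action to failure for events in the CISE_Failed_Attempts category or carrying a FailureReason. The function names, the alias order and the failure rule are assumptions.

```python
import re

# Constructed from the sample event in the post (same fields and values).
SAMPLE = ("Jul 31 14:59:44 HOSTNAME CISE_Failed_Attempts 0000109068 1 0 "
          "2019-07-31 14:59:44.687 +09:00 0000518034 5406 NOTICE Failed-Attempt: "
          "TACACS+ Request dropped, ConfigVersionId=1054, Device IP Address=dead::beef, "
          "Device Port=58388, DestinationIPAddress=dead:beef::2, DestinationPort=49, "
          "Protocol=Tacacs, FailureReason=13017 Received TACACS+ packet from unknown "
          "Network Device or AAA Client, Step=13017,")

# The four user-bearing field names mentioned in the post; the order is an assumption.
USER_FIELDS = ("User_Name", "UserName", "User", "AdminUser")
# Keys may contain spaces ("Device IP Address"); the value is everything after the first "=".
KEY_RE = re.compile(r"^([A-Za-z][\w .-]*)=(.*)$", re.S)


def parse_pairs(event):
    """Parse the comma-separated key=value tail of one event into a dict."""
    fields, last = {}, None
    for part in event.split(", ")[1:]:      # part 0 is the syslog/ISE header
        part = part.rstrip(", ")            # the sample ends with a dangling comma
        m = KEY_RE.match(part)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and part:                 # a value that itself contained ", "
            fields[last] += ", " + part
    return fields


def normalize(event):
    """Return CIM-style user and action for one event."""
    header = event.split(", ")[0]
    fields = parse_pairs(event)
    # First non-empty alias wins; None when the event carries no user at all.
    user = next((fields[k] for k in USER_FIELDS if fields.get(k)), None)
    # Assumed rule, following the post: a Failed_Attempts event or any
    # FailureReason means failure instead of falling through to unknown.
    failed = "CISE_Failed_Attempts" in header or "FailureReason" in fields
    return {"user": user, "action": "failure" if failed else "unknown"}
```

The dropped TACACS+ request in the sample carries no user field, so only action changes for it; user stays empty.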