All Apps and Add-ons

"Device Port" and "Port" incorrectly extracted in CSCOacs_Failed_Attempts type messages in TA for Cisco ACS

pvarelab
Engager

The "Device Port" and "Port" fields are incorrectly extracted in messages of the CSCOacs_Failed_Attempts kind in the Technology Add-on for Cisco Secure Access Control Server (ACS).

I have been able to solve it by adding the following to props.conf:

 

EXTRACT-acs_device_port = ,\s+Device\s+Port=(?<Device_Port>[^,]+)
EXTRACT-acs_port = ,\s+Port=(?<Port>[^,]+)

 

Has anyone had the same problem? Any other ideas?

@dshpritzCould you see if this fix could be included in a future versión of the App, please? Thanks!

Labels (2)
1 Solution

dshpritz
SplunkTrust
SplunkTrust

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

View solution in original post

0 Karma

dshpritz
SplunkTrust
SplunkTrust

I added an issue to the github repo to cover this:

https://github.com/automine/TA-cisco_acs/issues/1

 

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

View solution in original post

0 Karma

pvarelab
Engager

It's already visible. Many thanks!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!