The "Device Port" and "Port" fields are incorrectly extracted in messages of the CSCOacs_Failed_Attempts kind in the Technology Add-on for Cisco Secure Access Control Server (ACS).
I have been able to solve it by adding the following to props.conf:
EXTRACT-acs_device_port = ,\s+Device\s+Port=(?<Device_Port>[^,]+)
EXTRACT-acs_port = ,\s+Port=(?<Port>[^,]+)
Has anyone had the same problem? Any other ideas?
@dshpritz Could you see if this fix could be included in a future version of the App, please? Thanks!
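A way to check the two extractions above offline before deploying them, as an added example that is not part of the original post or the add-on. The sample event and the unanchored comparison pattern are constructed for illustration, and Python's `re` needs `(?P<name>...)` where Splunk accepts `(?<name>...)`.

```python
import re

# The two props.conf patterns from the post, with Splunk's (?<name>...)
# groups rewritten as (?P<name>...) for Python's re module.
DEVICE_PORT = re.compile(r",\s+Device\s+Port=(?P<Device_Port>[^,]+)")
PORT = re.compile(r",\s+Port=(?P<Port>[^,]+)")

# Constructed sample event: comma-separated key=value pairs in the general
# shape of an ACS syslog message. Not a capture from a real ACS server.
SAMPLE = (
    "Jan  1 00:00:00 acs01 CSCOacs_Failed_Attempts 0000000001 1 0 "
    "2024-01-01 00:00:00.000 +00:00, Device IP Address=192.0.2.10, "
    "Device Port=1645, UserName=alice, NAS-Port-Type=Virtual, "
    "Port=tty2, FailureReason=constructed"
)


def extract(event):
    """Apply both extractions; the first match in the event sets each field."""
    fields = {}
    for rx in (DEVICE_PORT, PORT):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def naive_port(event):
    """Unanchored comparison pattern (hypothetical, not taken from the TA).

    Without the leading ',\\s+' it matches the tail of 'Device Port=' first.
    """
    m = re.search(r"Port=(?P<Port>[^,]+)", event)
    return m.group("Port") if m else None


if __name__ == "__main__":
    print("anchored  :", extract(SAMPLE))
    print("unanchored:", naive_port(SAMPLE))
```

The leading `,\s+` is what keeps `Port` from matching inside `Device Port=` or `NAS-Port-Type=`; it also means neither pattern matches a field that is the very first thing in the event.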
Added and uploaded to Splunkbase. Not sure how soon it will be visible.
I added an issue to the github repo to cover this:
It's already visible. Many thanks!