Solved: Re: "Device Port" and "Port" incorrectly extracted...

pvarelab · ‎03-03-2021

The "Device Port" and "Port" fields are incorrectly extracted in messages of the CSCOacs_Failed_Attempts kind in the Technology Add-on for Cisco Secure Access Control Server (ACS).

I have been able to solve it by adding the following to props.conf:

EXTRACT-acs_device_port = ,\s+Device\s+Port=(?<Device_Port>[^,]+)
EXTRACT-acs_port = ,\s+Port=(?<Port>[^,]+)

Has anyone had the same problem? Any other ideas?

@dshpritzCould you see if this fix could be included in a future versión of the App, please? Thanks!

dshpritz · ‎03-03-2021

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

View solution in original post

dshpritz · ‎03-03-2021

I added an issue to the github repo to cover this:

https://github.com/automine/TA-cisco_acs/issues/1

dshpritz · ‎03-03-2021

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

pvarelab · ‎03-04-2021

It's already visible. Many thanks!

"Device Port" and "Port" incorrectly extracted in CSCOacs_Failed_Attempts type messages in TA for Cisco ACS

development

troubleshooting

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...