Hi, in my logs my MAC addresses are already extracted properly to a field called EndPointMACAddress, and I created a field alias called MAC_Address.
Excerpt of raw log:
EndPointMACAddress=F4-0B-93-8F-D8-0E, ISEPolicySetName=Default, AllowedProtocolMatchedRule=LN-WLAN-PEAP
I can't seem to get the lookup to work.
My search is:
eventtype=cisco-ise MESSAGE_CLASS=Passed-Authentication OR MESSAGE_CLASS=Failed-Attempt MESSAGE_TEXT="Authentication failed" | maclookup | Table User EndPointMACAddress Company OUI
Thanks