ACS 4.x and Regular Expressions

clausonna · ‎02-15-2007

Hi folks.

While looking at the "Failed Authentication" report I have a log entry that occurs so frequently that it blocks out 'real' authentication failures. The log entry always includes the keywords "host/" (no quotes).

The ACS filter allows you to -include- only the log entries that match the RegEx expression, but -excluding- them doesn't seem as easy.

Any RegEx experts care to take a stab at an exclusion filter?

And yes, I know the better option is to stop the log entry from occuring in the first place, and/or export the reports as CSV and then filter the results in a more suitable application. Better yet, use aaa-reports from Extrati. I wanted to rule out the RegEx option first.

I've googled for "RegEx exclude" and most of the results require an intermediate-to-expert level knowledge of RegEx, and my experience begins and ends with '*' wildcards.

Thanks in advance.

thomas.chen · ‎02-21-2007

You can use ACS to filter CSV log reports. When you select a report type from the available reports types list, a report history (log) files list of the selected report type appears. After you select a specific CSV log file, and its contents appear, you can specify the filtering criteria. The filtering criteria is applied on the original log file, and only rows that match the criteria appear. Refer URL for more info

http://cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a00805e8785.html#wp598735

darpotter · ‎02-22-2007

FWIW aaa-reports! has a pre-filter feature on log import so you can dump unwanted rows as you import.

Once imported you have all our canned reports and a GUI query builder for creating custom reports.

http://www.extraxi.com

bsiki · ‎06-06-2007

I have the same problem!!!

CSCsh04536 Bug Details

exclude characters using regular expression in the reports

Symptom:

When you enter regular expression [^test] in the reports, unable to exclude user test

Workaround:

Further Problem Description:

When you enter regular expression [^test] under the Reports and Activity after selecting the report unable to exclude user test

The document says you need to use [^0-9] so it excludes all 0-9,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/r.htm#wp582974

Premdeep Banga · ‎06-06-2007

Hi,

First, if you haven't configured/do not want Machine authentication, then you can stop them from occurring. These "host/" logs are due to machine authentication.

You can disable it from,

External User Databases > Windows Database > Configure > If PEAP or EAP-TLS machine authentication check box is checked, un-check it.

Regards,

Prem

clausonna · ‎06-06-2007

Hi Prem.

Thanks for the reply. The "enable PEAP / EAP-TLS Machine Authentication" setting is already un-checked, however the client IS configured for machine auth. The error message in the "Failed Attempts" log says "Machine authentication is not permitted".

We're doing PEAP with user auth (not machine auth) for our wireless users (WinXP SP2), but there is no Active Directory Group Policy for wireless users, so I can't make changes en masse to the wireless config. (Well, there is, but your AD domain needs to be Windows 2003 Native, and NOT hybrid (e.g. with any Win2000 Domain Servers - all of your DC's need to be Win2k3)) When they manually config'd the wireless clients the desktop group erronously left the 'authenticate as a machine' option checked in the wireless profile. I have 1000+ users configured at this point, so going back and manually fixing isn't an option. I have to wait for AD to be upgraded to Native mode (6+ months.)

This is why I was pursuing the RegEx filtering in ACS, but it seems that the only option is to export the ACS logs and then apply a filter.

Any other workarounds would be greatly appreciated.