Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.


ACS 4.x and Regular Expressions

Hi folks.

While looking at the "Failed Authentication" report I have a log entry that occurs so frequently that it blocks out 'real' authentication failures. The log entry always includes the keywords "host/" (no quotes).

The ACS filter allows you to -include- only the log entries that match the RegEx expression, but -excluding- them doesn't seem as easy.

Any RegEx experts care to take a stab at an exclusion filter?

And yes, I know the better option is to stop the log entry from occuring in the first place, and/or export the reports as CSV and then filter the results in a more suitable application. Better yet, use aaa-reports from Extrati. I wanted to rule out the RegEx option first.

I've googled for "RegEx exclude" and most of the results require an intermediate-to-expert level knowledge of RegEx, and my experience begins and ends with '*' wildcards.

Thanks in advance.


Re: ACS 4.x and Regular Expressions

You can use ACS to filter CSV log reports. When you select a report type from the available reports types list, a report history (log) files list of the selected report type appears. After you select a specific CSV log file, and its contents appear, you can specify the filtering criteria. The filtering criteria is applied on the original log file, and only rows that match the criteria appear. Refer URL for more info


Re: ACS 4.x and Regular Expressions

FWIW aaa-reports! has a pre-filter feature on log import so you can dump unwanted rows as you import.

Once imported you have all our canned reports and a GUI query builder for creating custom reports.

New Member

Re: ACS 4.x and Regular Expressions

I have the same problem!!!

CSCsh04536 Bug Details

exclude characters using regular expression in the reports


When you enter regular expression [^test] in the reports, unable to exclude user test


Further Problem Description:

When you enter regular expression [^test] under the Reports and Activity after selecting the report unable to exclude user test

The document says you need to use [^0-9] so it excludes all 0-9,

Re: ACS 4.x and Regular Expressions


First, if you haven't configured/do not want Machine authentication, then you can stop them from occurring. These "host/" logs are due to machine authentication.

You can disable it from,

External User Databases > Windows Database > Configure > If PEAP or EAP-TLS machine authentication check box is checked, un-check it.




Re: ACS 4.x and Regular Expressions

Hi Prem.

Thanks for the reply. The "enable PEAP / EAP-TLS Machine Authentication" setting is already un-checked, however the client IS configured for machine auth. The error message in the "Failed Attempts" log says "Machine authentication is not permitted".

We're doing PEAP with user auth (not machine auth) for our wireless users (WinXP SP2), but there is no Active Directory Group Policy for wireless users, so I can't make changes en masse to the wireless config. (Well, there is, but your AD domain needs to be Windows 2003 Native, and NOT hybrid (e.g. with any Win2000 Domain Servers - all of your DC's need to be Win2k3)) When they manually config'd the wireless clients the desktop group erronously left the 'authenticate as a machine' option checked in the wireless profile. I have 1000+ users configured at this point, so going back and manually fixing isn't an option. I have to wait for AD to be upgraded to Native mode (6+ months.)

This is why I was pursuing the RegEx filtering in ACS, but it seems that the only option is to export the ACS logs and then apply a filter.

Any other workarounds would be greatly appreciated.