Cisco Support Community

Missing details in MARS report received from ACS SA

One more problem keeps haunting me. It's again about a custom rule. The rule is configured to send email to designated people every time there's a failed authentication via VPN, namely when there are 3 failed attempts in a row. The reporting device is Cisco ACS SE, and this device has a "Failed authentication" log that names the username which failed to authenticate. ACS SE is added to MARS, and in case of the above-said authentication failure the email gets sent, but it doesn't contain the username. This is what the report looks like:

The following incident occurred on "pnmars"

Start time: Mon Sep 7 18:16:04 2009

End time: Mon Sep 7 18:16:13 2009

Fired Rule Id: 356264

Fired Rule: Failed VPN authentication attempts

Incident Id: 191658460

Incident Severity:yellow

Top 3 src-dest address pairs sorted by severity and count (showing 1 of 1):

1. 24.114.236.25 -> 192.168.13.1 Severity: yellow Count: 3

Top 3 src ip's address sorted by severity and count (showing 1 of 1):

1. 24.114.236.25 -> Severity: yellow Count: 3

Top 3 dest ip's address sorted by severity and count (showing 1 of 1):

1. 192.168.13.1 -> Severity: yellow Count: 3

Top 3 dest TCP/UDP ports sorted by severity and count (showing 0 of 0):

Top 3 event types sorted by severity and count (showing 1 of 1):

1. Secure ACS Auth failed: External DB user invalid or bad password Severity: yellow Count: 3

Top 3 reporting devices sorted by count (showing 1 of 1):

1. acs1 Count: 3

The question is: is there anything else to be done to MARS to include the username in the report?
