Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

MARS reporting - by user

Hello. I'm struggling to create a report that will show me failed login usernames from Active Dir (Win2K). I can create a report that shows a nice pie graph of 10 users locked their accounts, but there is no place in the report that tells me which 10 users? I can click on the incidents tab every day and see which users have failed attempts, but it would be nice to have report showing the same user has 20 incorrect logins per day etc... Any help would be greatly appreciated.


Re: MARS reporting - by user

The tricky part about what you're trying to do is figuring out which event types to include in the query. CSMARS sometimes uses some strange event types. There are even a few that are EXACTLY the same except for the case of a single letter. Otherwise, what you're trying to do is easy. Let's assume you know the event type is "Failed login attempt with invalid username or password". Use a query "results format" of "Reported Users Ranked by Sessions". Change the "events" criteria to report on the event above only. Run the query.

CreatePlease to create content