diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index 433bafb0a2b..aa50eaddf3b 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.32.6" + changes: + - description: Add missing event.category, event.type, and event.outcome for existing and new message codes to CISE_Passed_Authentications and CISE_Failed_Attempts pipelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/18903 - version: "1.32.5" changes: - description: Remove top level note from docs diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log index b538e1d2c88..7a7d15cfee4 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log 
@@ -5,3 +5,35 @@ <181>Mar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message="protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; }, <182>Apr 27 11:11:09 gg.hhh.iii.com CISE_Failed_Attempts 0000000169 1 0 
2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\;28SessionID=abc12/178657019/44\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, 
Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, 
NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=92:09:00:00:00:01, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; } <181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076157 2 1 ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418, +<181>Mar 11 10:20:42 host003 CISE_Failed_Attempts 1000100000 1 0 2026-03-11 10:20:42.937 +00:00 1000100000 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.40, Device Port=40660, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user03, Protocol=Tacacs, RequestLatency=16, NetworkDeviceName=device003, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user03, Port=0, Remote-Address=203.0.113.50, NetworkDeviceProfileId=33333333-4444-5555-6666-888888888888, AcsSessionID=host003/333333333/5555555, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Device Admin, FailureReason=22056 Subject not found in the applicable identity store(s), Step=13013, Step=15049, Step=15008, +<181>Mar 15 10:30:00 host004 CISE_Failed_Attempts 1000100001 1 0 2022-03-15 10:30:00.100 +00:00 1000200001 5402 NOTICE Device-Administration: Command Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40661, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=12, 
NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666666, SelectedAccessService=Default Device Admin, FailureReason=15036 Mandatory Attribute is not configured, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:31:00 host004 CISE_Failed_Attempts 1000100002 1 0 2022-03-15 10:31:00.200 +00:00 1000200002 5403 NOTICE Device-Administration: Session Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40662, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=11, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty2, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666667, SelectedAccessService=Default Device Admin, FailureReason=15004 Authorization Policy not found, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:32:00 host004 CISE_Failed_Attempts 1000100003 1 0 2022-03-15 10:32:00.300 +00:00 1000200003 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40663, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=5, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666668, FailureReason=11007 Could not locate Network Device or AAA Client, Step=13001, Step=5406, +<181>Mar 15 10:33:00 host004 CISE_Failed_Attempts 1000100004 1 0 2022-03-15 10:33:00.400 +00:00 1000200004 5407 NOTICE 
Device-Administration: TACACS+ Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40664, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty3, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666669, SelectedAccessService=Default Device Admin, FailureReason=15006 Policy was not found, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:34:00 host004 CISE_Failed_Attempts 1000100005 1 0 2022-03-15 10:34:00.500 +00:00 1000200005 5408 NOTICE Device-Administration: Command Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40665, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=18, NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666670, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:35:00 host004 CISE_Failed_Attempts 1000100006 1 0 2022-03-15 10:35:00.600 +00:00 1000200006 5409 NOTICE Device-Administration: Session Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40666, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=14, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty4, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, 
AcsSessionID=host004/444444444/6666671, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:36:00 host004 CISE_Failed_Attempts 1000100007 1 0 2022-03-15 10:36:00.700 +00:00 1000200007 5410 NOTICE Device-Administration: TACACS+ Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40667, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=20, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty5, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666672, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008, +<181>Mar 15 10:37:00 host004 CISE_Failed_Attempts 1000100008 1 0 2022-03-15 10:37:00.800 +00:00 1000200008 5412 NOTICE Device-Administration: TACACS+ authentication request ended with error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40668, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=22, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666673, SelectedAccessService=Default Device Admin, FailureReason=13010 TACACS+ server error, Step=13001, Step=13013, Step=5412, +<181>Mar 15 10:38:00 host004 CISE_Failed_Attempts 1000100009 1 0 2022-03-15 10:38:00.900 +00:00 1000200009 5413 NOTICE RADIUS: Accounting-Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40669, DestinationIPAddress=198.51.100.32, DestinationPort=1813, Protocol=Radius, 
NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=5, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666674, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=5413, +<181>Mar 15 10:39:00 host004 CISE_Failed_Attempts 1000100010 1 0 2022-03-15 10:39:00.000 +00:00 1000200010 5414 NOTICE Device-Administration: TACACS+ accounting has failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40670, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device004, Type=Accounting, Action=Stop, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty6, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666675, FailureReason=13010 TACACS+ server error, Step=13001, Step=5414, +<181>Mar 15 10:40:00 host004 CISE_Failed_Attempts 1000100011 1 0 2022-03-15 10:40:00.100 +00:00 1000200011 5415 NOTICE Failed-Attempt: Change password failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40671, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=6, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-66, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666676, FailureReason=22040 Wrong password, Step=11001, Step=11017, Step=5415, +<181>Mar 15 10:41:00 host004 CISE_Failed_Attempts 1000100012 1 0 2022-03-15 10:41:00.200 +00:00 1000200012 5416 NOTICE Failed-Attempt: RADIUS PAP session cleaned up, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40672, 
DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=7, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-77, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666677, RequestLatency=30, Step=11001, Step=11017, Step=5416, +<181>Mar 15 10:42:00 host004 CISE_Failed_Attempts 1000100013 1 0 2022-03-15 10:42:00.300 +00:00 1000200013 5417 NOTICE Failed-Attempt: Dynamic Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40673, DestinationIPAddress=198.51.100.32, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=8, Calling-Station-ID=00-11-22-33-44-88, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666678, RequestLatency=25, FailureReason=11507 Dynamic Authorization failed, Step=11001, Step=11017, Step=5417, +<181>Mar 15 10:43:00 host004 CISE_Failed_Attempts 1000100014 1 0 2022-03-15 10:43:00.400 +00:00 1000200014 5419 NOTICE Failed-Attempt: DACL Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40674, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=9, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-99, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666679, RequestLatency=17, FailureReason=15044 DACL not found, Step=11001, Step=11017, Step=5419, +<181>Mar 15 10:44:00 host004 CISE_Failed_Attempts 1000100015 1 0 2022-03-15 10:44:00.500 +00:00 1000200015 5420 NOTICE Failed-Attempt: TrustSec Data Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device 
Port=40675, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=10, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666680, RequestLatency=45, FailureReason=12508 TrustSec data download failed, Step=11001, Step=11017, Step=5420, +<181>Mar 15 10:45:00 host004 CISE_Failed_Attempts 1000100016 1 0 2022-03-15 10:45:00.600 +00:00 1000200016 5421 NOTICE Failed-Attempt: TrustSec Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40676, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=11, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666681, RequestLatency=38, FailureReason=12520 TrustSec peer policy download failed, Step=11001, Step=11017, Step=5421, +<181>Mar 15 10:46:00 host004 CISE_Failed_Attempts 1000100017 1 0 2022-03-15 10:46:00.700 +00:00 1000200017 5422 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40677, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=12, Service-Type=Authorize Only, Calling-Station-ID=00-AA-BB-CC-DD-EE, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666682, RequestLatency=19, FailureReason=15006 Policy was not found, Step=11001, Step=11017, Step=5422, +<181>Mar 15 10:47:00 host004 CISE_Failed_Attempts 1000100018 1 0 2022-03-15 10:47:00.800 +00:00 1000200018 5423 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40678, 
DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=13, Service-Type=Framed, Calling-Station-ID=00-AA-BB-CC-DD-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666683, RequestLatency=31, FailureReason=86014 Device registration webauth failed, Step=11001, Step=11017, Step=5423, +<181>Mar 15 10:48:00 host004 CISE_Failed_Attempts 1000100019 1 0 2022-03-15 10:48:00.900 +00:00 1000200019 5434 NOTICE Failed-Attempt: SGA Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40679, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=14, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666684, RequestLatency=42, FailureReason=12525 SGA peer policy download failed, Step=11001, Step=11017, Step=5434, +<181>Mar 15 10:49:00 host004 CISE_Failed_Attempts 1000100020 1 0 2022-03-15 10:49:00.000 +00:00 1000200020 5436 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40680, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=15, Service-Type=Authorize Only, Calling-Station-ID=00-BB-CC-DD-EE-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666685, RequestLatency=27, FailureReason=15006 Policy was not found, Step=11001, Step=11017, Step=5436, +<181>Mar 15 10:50:00 host004 CISE_Failed_Attempts 1000100021 1 0 2022-03-15 10:50:00.100 +00:00 1000200021 5437 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, 
ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40681, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=16, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-00, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666686, RequestLatency=33, FailureReason=86014 Device registration webauth failed, Step=11001, Step=11017, Step=5437, +<181>Mar 15 10:51:00 host004 CISE_Failed_Attempts 1000100022 1 0 2022-03-15 10:51:00.200 +00:00 1000200022 5438 NOTICE Failed-Attempt: Session was not found on this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40682, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=17, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-11, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666687, RequestLatency=10, FailureReason=11508 Session not found on this ISE node, Step=11001, Step=11017, Step=5438, +<181>Mar 15 10:52:00 host004 CISE_Failed_Attempts 1000100023 1 0 2022-03-15 10:52:00.300 +00:00 1000200023 5439 NOTICE Failed-Attempt: Session does not belong to this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40683, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=18, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-22, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666688, RequestLatency=13, FailureReason=11509 Session belongs to different ISE node, Step=11001, Step=11017, Step=5439, +<181>Mar 15 10:53:00 
host004 CISE_Failed_Attempts 1000100024 1 0 2022-03-15 10:53:00.400 +00:00 1000200024 5441 NOTICE RADIUS: Endpoint started new session while previous session was being processed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40684, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=19, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-33, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666689, RequestLatency=7, FailureReason=11017 RADIUS non-EAP dropped, Step=11001, Step=11017, Step=5441, +<181>Mar 15 10:54:00 host004 CISE_Failed_Attempts 1000100025 1 0 2022-03-15 10:54:00.500 +00:00 1000200025 5442 NOTICE RADIUS: Request dropped due to system overload, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40685, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=20, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-44, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666690, FailureReason=11019 Request dropped due to overload, Step=11001, Step=11017, Step=5442, +<181>Mar 15 10:55:00 host004 CISE_Failed_Attempts 1000100026 1 0 2022-03-15 10:55:00.600 +00:00 1000200026 5443 NOTICE RADIUS: Request dropped due to reaching EAP sessions limit, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40686, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user07, NAS-IP-Address=192.0.2.43, NAS-Port=21, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666691, 
FailureReason=11020 EAP sessions limit reached, Step=11001, Step=11117, Step=5443, +<181>Mar 15 10:56:00 host004 CISE_Failed_Attempts 1000100027 1 0 2022-03-15 10:56:00.700 +00:00 1000200027 5448 NOTICE Failed-Attempt: MDM Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40687, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=22, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666692, RequestLatency=55, FailureReason=80003 MDM server returned error, Step=11001, Step=11017, Step=5448, +<181>Mar 15 10:57:00 host004 CISE_Failed_Attempts 1000100028 1 0 2022-03-15 10:57:00.800 +00:00 1000200028 5449 NOTICE RADIUS: Endpoint failed authentication of the same scenario several times and was rejected, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40688, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=23, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666693, RequestLatency=15, FailureReason=11007 Could not locate Network Device or AAA Client, TotalFailedAttempts=6, TotalFailedTime=1200, Step=11001, Step=11017, Step=5449, +<181>Mar 15 10:58:00 host004 CISE_Failed_Attempts 1000100029 1 0 2022-03-15 10:58:00.900 +00:00 1000200029 5450 NOTICE Failed-Attempt: RADIUS DTLS handshake failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40689, DestinationIPAddress=198.51.100.34, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=24, 
Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666694, RequestLatency=60, FailureReason=12551 DTLS handshake failed, Step=11001, Step=11017, Step=5450, +<181>Mar 15 10:59:00 host004 CISE_Failed_Attempts 1000100030 1 0 2022-03-15 10:59:00.000 +00:00 1000200030 5451 NOTICE Failed-Attempt: Social Login failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40690, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=25, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666695, RequestLatency=21, FailureReason=86017 Social login failed, PortalName=Social-Portal, Step=11001, Step=11017, Step=5451, +<181>Mar 15 11:00:00 host004 CISE_Failed_Attempts 1000100031 1 0 2022-03-15 11:00:00.100 +00:00 1000200031 5452 NOTICE Failed-Attempt: Social Login error, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40691, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=26, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-05, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666696, RequestLatency=18, FailureReason=86018 Social login error, PortalName=Social-Portal, Step=11001, Step=11017, Step=5452, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json index b32cbcae560..bdd237a3e9a 100644 
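Review bot: The new 5401 sample (first added line of this hunk, `+<181>Mar 11 10:20:42 host003 ...`) is dated `2026-03-11` and uses `1000100000` for both the message id and the sequence field, while every other added line is dated 2022 and carries a distinct `10002xxxxx` sequence; if that is unintentional, `2022-03-11 10:20:42.937 +00:00 1000200000` would bring it in line with the rest of the fixture. The mismatch does not break the pipeline test, since the expected JSON pins whatever timestamp and sequence the fixture produces, but an out-of-pattern line is easy to mistake for a deliberate edge case when someone extends the file. A one-line comment is not possible in a raw log fixture, so the consistency of the values themselves is the only documentation the fixture gets; consider also keeping the added lines grouped by protocol (the TACACS+ 54xx device-administration lines, then the RADIUS lines) so a reader can map each message code to the pipeline branch it exercises.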
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json @@ -93,6 +93,7 @@ "code": "5405", "kind": "event", "original": "<181>Mar 2 09:09:13 cisco-ise-host CISE_Failed_Attempts 0000075134 1 0 2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "outcome": "failure", "sequence": 75201, "timezone": "+00:00", "type": [ 
@@ -279,6 +280,7 @@ "code": "5411", "kind": "event", "original": "<181>Mar 2 10:36:16 cisco-ise-host CISE_Failed_Attempts 0000075876 1 0 2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "outcome": "failure", "sequence": 75943, 
"timezone": "+00:00", "type": [ @@ -365,11 +367,11 @@ "code": "5418", "kind": "event", "original": "<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076158 1 0 2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,", + "outcome": "failure", "sequence": 76224, "timezone": "+00:00", "type": [ - "info", - "end" + "info" ] }, "host": { @@ -505,6 +507,7 @@ "code": "5435", "kind": "event", "original": "<181>Mar 2 09:56:00 cisco-ise-host CISE_Failed_Attempts 0000075523 1 0 2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "outcome": "failure", "sequence": 75590, "timezone": "+00:00", "type": [ 
@@ -692,6 +695,7 @@ "code": "5440", "kind": "event", "original": "<181>Mar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },", + "outcome": "failure", 
"sequence": 75131, "timezone": "+00:00", "type": [ 
@@ -1124,6 +1128,7 @@ "code": "5400", "kind": "event", "original": "<182>Apr 27 11:11:09 gg.hhh.iii.com CISE_Failed_Attempts 0000000169 1 0 2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, 
Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, 
Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=92:09:00:00:00:01, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }", + "outcome": "failure", "sequence": 3928, "timezone": "+00:00", "type": [ @@ -1203,7 +1208,8 @@ }, "event": { "kind": "event", - "original": "<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076157 2 1 ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418," + "original": "<181>Mar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076157 2 1 ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418,", + "outcome": "failure" }, "host": { "hostname": "cisco-ise-host" 
@@ -1236,6 +1242,3806 @@ "TEST_USER" ] } + }, + { + "@timestamp": "2026-03-11T10:20:42.937Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host003/333333333/5555555" + } + }, + "authentication": { + "method": "PAP_ASCII" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "22056 Subject not found in the applicable identity store(s)" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "PAP", + "Port": "0", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.50", + "Service": "Login", + "Type": "Authentication", + "User": "user03" + }, + "message": { + "code": "5401", + "description": "Failed-Attempt: Authentication failed", + "id": "1000100000" + }, + "network": { + "device": { + "name": "device003", + "profile_id": "33333333-4444-5555-6666-888888888888" + } + }, + "request": { + "latency": 16 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13013", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.40", + "port": 40660 + }, + "destination": { + "ip": "198.51.100.30", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "code": "5401", + "kind": "event", + "original": "<181>Mar 11 10:20:42 host003 CISE_Failed_Attempts 1000100000 1 0 2026-03-11 10:20:42.937 +00:00 1000100000 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.40, Device Port=40660, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user03, Protocol=Tacacs, RequestLatency=16, NetworkDeviceName=device003, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user03, Port=0, Remote-Address=203.0.113.50, NetworkDeviceProfileId=33333333-4444-5555-6666-888888888888, AcsSessionID=host003/333333333/5555555, 
AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Device Admin, FailureReason=22056 Subject not found in the applicable identity store(s), Step=13013, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000100000, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host003" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2026-03-11 10:20:42.937 +00:00 1000100000 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.40, Device Port=40660, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user03, Protocol=Tacacs, RequestLatency=16, NetworkDeviceName=device003, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user03, Port=0, Remote-Address=203.0.113.50, NetworkDeviceProfileId=33333333-4444-5555-6666-888888888888, AcsSessionID=host003/333333333/5555555, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Device Admin, FailureReason=22056 Subject not found in the applicable identity store(s), Step=13013, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host003" + ], + "ip": [ + "198.51.100.30", + "192.0.2.40" + ], + "user": [ + "user03" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user03" + ] + } + }, + { + "@timestamp": "2022-03-15T10:30:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666666" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15036 Mandatory Attribute is not configured" + }, + "log_details": { + "Action": "Command", + "Authen-Type": "ASCII", + "Port": "tty1", + "Privilege-Level": "15", + "Remote-Address": "203.0.113.51", + "Service": "Shell", + "Type": "Authorization", + "User": "user04" + }, + 
"message": { + "code": "5402", + "description": "Device-Administration: Command Authorization failed", + "id": "1000100001" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 12 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40661 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5402", + "kind": "event", + "original": "<181>Mar 15 10:30:00 host004 CISE_Failed_Attempts 1000100001 1 0 2022-03-15 10:30:00.100 +00:00 1000200001 5402 NOTICE Device-Administration: Command Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40661, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=12, NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666666, SelectedAccessService=Default Device Admin, FailureReason=15036 Mandatory Attribute is not configured, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200001, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:30:00.100 +00:00 1000200001 5402 NOTICE Device-Administration: Command Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40661, 
DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=12, NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666666, SelectedAccessService=Default Device Admin, FailureReason=15036 Mandatory Attribute is not configured, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:31:00.200Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666667" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15004 Authorization Policy not found" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "ASCII", + "Port": "tty2", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authorization", + "User": "user04" + }, + "message": { + "code": "5403", + "description": "Device-Administration: Session Authorization failed", + "id": "1000100002" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 11 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40662 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ 
+ "authentication", + "network" + ], + "code": "5403", + "kind": "event", + "original": "<181>Mar 15 10:31:00 host004 CISE_Failed_Attempts 1000100002 1 0 2022-03-15 10:31:00.200 +00:00 1000200002 5403 NOTICE Device-Administration: Session Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40662, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=11, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty2, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666667, SelectedAccessService=Default Device Admin, FailureReason=15004 Authorization Policy not found, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200002, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:31:00.200 +00:00 1000200002 5403 NOTICE Device-Administration: Session Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40662, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=11, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty2, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666667, SelectedAccessService=Default Device Admin, FailureReason=15004 Authorization Policy not found, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:32:00.300Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666668" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11007 Could not locate Network Device or AAA Client" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "PAP", + "Port": "0", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authentication", + "User": "user04" + }, + "message": { + "code": "5406", + "description": "Failed-Attempt: TACACS+ Request dropped", + "id": "1000100003" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 5 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "13001", + "5406" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40663 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5406", + "kind": "event", + "original": "<181>Mar 15 10:32:00 host004 CISE_Failed_Attempts 1000100003 1 0 2022-03-15 10:32:00.300 +00:00 1000200003 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40663, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=5, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666668, FailureReason=11007 Could not locate Network Device or AAA Client, Step=13001, Step=5406,", + "outcome": "failure", + "sequence": 
1000200003, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:32:00.300 +00:00 1000200003 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40663, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=5, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666668, FailureReason=11007 Could not locate Network Device or AAA Client, Step=13001, Step=5406,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:33:00.400Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666669" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15006 Policy was not found" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "ASCII", + "Port": "tty3", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authorization", + "User": "user04" + }, + "message": { + "code": "5407", + "description": "Device-Administration: TACACS+ Authorization failed", + "id": "1000100004" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 9 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + 
"access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40664 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5407", + "kind": "event", + "original": "<181>Mar 15 10:33:00 host004 CISE_Failed_Attempts 1000100004 1 0 2022-03-15 10:33:00.400 +00:00 1000200004 5407 NOTICE Device-Administration: TACACS+ Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40664, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty3, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666669, SelectedAccessService=Default Device Admin, FailureReason=15006 Policy was not found, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200004, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:33:00.400 +00:00 1000200004 5407 NOTICE Device-Administration: TACACS+ Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40664, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty3, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666669, 
SelectedAccessService=Default Device Admin, FailureReason=15006 Policy was not found, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:34:00.500Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666670" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "13025 Internal error in authorization" + }, + "log_details": { + "Action": "Command", + "Authen-Type": "ASCII", + "Port": "tty1", + "Privilege-Level": "15", + "Remote-Address": "203.0.113.51", + "Service": "Shell", + "Type": "Authorization", + "User": "user04" + }, + "message": { + "code": "5408", + "description": "Device-Administration: Command Authorization encountered an error", + "id": "1000100005" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 18 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40665 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5408", + "kind": "event", + "original": "<181>Mar 15 10:34:00 host004 CISE_Failed_Attempts 1000100005 1 0 2022-03-15 10:34:00.500 +00:00 1000200005 5408 NOTICE Device-Administration: Command Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40665, DestinationIPAddress=198.51.100.31, 
DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=18, NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666670, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200005, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:34:00.500 +00:00 1000200005 5408 NOTICE Device-Administration: Command Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40665, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=18, NetworkDeviceName=device004, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user04, Port=tty1, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666670, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:35:00.600Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666671" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "13025 
Internal error in authorization" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "ASCII", + "Port": "tty4", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authorization", + "User": "user04" + }, + "message": { + "code": "5409", + "description": "Device-Administration: Session Authorization encountered an error", + "id": "1000100006" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 14 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40666 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5409", + "kind": "event", + "original": "<181>Mar 15 10:35:00 host004 CISE_Failed_Attempts 1000100006 1 0 2022-03-15 10:35:00.600 +00:00 1000200006 5409 NOTICE Device-Administration: Session Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40666, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=14, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty4, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666671, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200006, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + 
"syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:35:00.600 +00:00 1000200006 5409 NOTICE Device-Administration: Session Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40666, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=14, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty4, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666671, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:36:00.700Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666672" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "13025 Internal error in authorization" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "ASCII", + "Port": "tty5", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authorization", + "User": "user04" + }, + "message": { + "code": "5410", + "description": "Device-Administration: TACACS+ Authorization encountered an error", + "id": "1000100007" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 20 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" 
+ } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40667 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5410", + "kind": "event", + "original": "<181>Mar 15 10:36:00 host004 CISE_Failed_Attempts 1000100007 1 0 2022-03-15 10:36:00.700 +00:00 1000200007 5410 NOTICE Device-Administration: TACACS+ Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40667, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=20, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty5, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666672, SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "outcome": "failure", + "sequence": 1000200007, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:36:00.700 +00:00 1000200007 5410 NOTICE Device-Administration: TACACS+ Authorization encountered an error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40667, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=20, NetworkDeviceName=device004, Type=Authorization, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty5, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666672, 
SelectedAccessService=Default Device Admin, FailureReason=13025 Internal error in authorization, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:37:00.800Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666673" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "13010 TACACS+ server error" + }, + "log_details": { + "Action": "Login", + "Authen-Type": "PAP", + "Port": "0", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Authentication", + "User": "user04" + }, + "message": { + "code": "5412", + "description": "Device-Administration: TACACS+ authentication request ended with error", + "id": "1000100008" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 22 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13001", + "13013", + "5412" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40668 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication" + ], + "code": "5412", + "kind": "event", + "original": "<181>Mar 15 10:37:00 host004 CISE_Failed_Attempts 1000100008 1 0 2022-03-15 10:37:00.800 +00:00 1000200008 5412 NOTICE Device-Administration: TACACS+ authentication request ended with error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40668, DestinationIPAddress=198.51.100.31, 
DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=22, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666673, SelectedAccessService=Default Device Admin, FailureReason=13010 TACACS+ server error, Step=13001, Step=13013, Step=5412,", + "outcome": "failure", + "sequence": 1000200008, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:37:00.800 +00:00 1000200008 5412 NOTICE Device-Administration: TACACS+ authentication request ended with error, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40668, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=22, NetworkDeviceName=device004, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=PAP, Service=Login, User=user04, Port=0, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666673, SelectedAccessService=Default Device Admin, FailureReason=13010 TACACS+ server error, Step=13001, Step=13013, Step=5412,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:38:00.900Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666674" + } + }, + "calling_station": { + "id": "00-11-22-33-44-55" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { 
+ "reason": "11036 The Message-Authenticator RADIUS attribute is invalid" + }, + "message": { + "code": "5413", + "description": "RADIUS: Accounting-Request dropped", + "id": "1000100009" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 5, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5413" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40669 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1813 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "radius", + "category": [ + "network" + ], + "code": "5413", + "kind": "event", + "original": "<181>Mar 15 10:38:00 host004 CISE_Failed_Attempts 1000100009 1 0 2022-03-15 10:38:00.900 +00:00 1000200009 5413 NOTICE RADIUS: Accounting-Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40669, DestinationIPAddress=198.51.100.32, DestinationPort=1813, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=5, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666674, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=5413,", + "outcome": "failure", + "sequence": 1000200009, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:38:00.900 +00:00 1000200009 5413 NOTICE RADIUS: Accounting-Request dropped, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40669, DestinationIPAddress=198.51.100.32, 
DestinationPort=1813, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=5, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666674, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=5413,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:39:00.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666675" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "13010 TACACS+ server error" + }, + "log_details": { + "Action": "Stop", + "Authen-Type": "ASCII", + "Port": "tty6", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.51", + "Service": "Login", + "Type": "Accounting", + "User": "user04" + }, + "message": { + "code": "5414", + "description": "Device-Administration: TACACS+ accounting has failed", + "id": "1000100010" + }, + "network": { + "device": { + "name": "device004", + "profile_id": "11111111-2222-3333-4444-555555555555" + } + }, + "request": { + "latency": 8 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "13001", + "5414" + ] + } + }, + "client": { + "ip": "192.0.2.41", + "port": 40670 + }, + "destination": { + "ip": "198.51.100.31", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "network" + ], + "code": "5414", + "kind": "event", + "original": "<181>Mar 15 10:39:00 host004 CISE_Failed_Attempts 1000100010 1 0 2022-03-15 10:39:00.000 +00:00 1000200010 5414 NOTICE 
Device-Administration: TACACS+ accounting has failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40670, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device004, Type=Accounting, Action=Stop, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty6, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666675, FailureReason=13010 TACACS+ server error, Step=13001, Step=5414,", + "outcome": "failure", + "sequence": 1000200010, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:39:00.000 +00:00 1000200010 5414 NOTICE Device-Administration: TACACS+ accounting has failed, ConfigVersionId=77, Device IP Address=192.0.2.41, Device Port=40670, DestinationIPAddress=198.51.100.31, DestinationPort=49, UserName=user04, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device004, Type=Accounting, Action=Stop, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user04, Port=tty6, Remote-Address=203.0.113.51, NetworkDeviceProfileId=11111111-2222-3333-4444-555555555555, AcsSessionID=host004/444444444/6666675, FailureReason=13010 TACACS+ server error, Step=13001, Step=5414,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "198.51.100.31", + "192.0.2.41" + ], + "user": [ + "user04" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user04" + ] + } + }, + { + "@timestamp": "2022-03-15T10:40:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666676" + } + }, + "calling_station": { + "id": "00-11-22-33-44-66" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + 
"id": 77 + }, + "failure": { + "reason": "22040 Wrong password" + }, + "message": { + "code": "5415", + "description": "Failed-Attempt: Change password failed", + "id": "1000100011" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 6, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5415" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40671 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "iam" + ], + "code": "5415", + "kind": "event", + "original": "<181>Mar 15 10:40:00 host004 CISE_Failed_Attempts 1000100011 1 0 2022-03-15 10:40:00.100 +00:00 1000200011 5415 NOTICE Failed-Attempt: Change password failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40671, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=6, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-66, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666676, FailureReason=22040 Wrong password, Step=11001, Step=11017, Step=5415,", + "outcome": "failure", + "sequence": 1000200011, + "timezone": "+00:00", + "type": [ + "user" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:40:00.100 +00:00 1000200011 5415 NOTICE Failed-Attempt: Change password failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40671, DestinationIPAddress=198.51.100.32, DestinationPort=1812, 
Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=6, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-66, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666676, FailureReason=22040 Wrong password, Step=11001, Step=11017, Step=5415,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:41:00.200Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666677" + } + }, + "calling_station": { + "id": "00-11-22-33-44-77" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "message": { + "code": "5416", + "description": "Failed-Attempt: RADIUS PAP session cleaned up", + "id": "1000100012" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 7, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 30 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5416" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40672 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5416", + "kind": "event", + "original": "<181>Mar 15 10:41:00 host004 CISE_Failed_Attempts 1000100012 1 0 2022-03-15 10:41:00.200 +00:00 1000200012 5416 NOTICE Failed-Attempt: RADIUS PAP session cleaned up, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40672, 
DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=7, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-77, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666677, RequestLatency=30, Step=11001, Step=11017, Step=5416,", + "outcome": "failure", + "sequence": 1000200012, + "timezone": "+00:00", + "type": [ + "end" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:41:00.200 +00:00 1000200012 5416 NOTICE Failed-Attempt: RADIUS PAP session cleaned up, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40672, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=7, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-77, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666677, RequestLatency=30, Step=11001, Step=11017, Step=5416,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:42:00.300Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666678" + } + }, + "calling_station": { + "id": "00-11-22-33-44-88" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11507 Dynamic Authorization failed" + }, + "message": { + "code": "5417", + "description": "Failed-Attempt: Dynamic Authorization failed", + 
"id": "1000100013" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 8, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 25 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5417" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40673 + }, + "destination": { + "ip": "198.51.100.32", + "port": 3799 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5417", + "kind": "event", + "original": "<181>Mar 15 10:42:00 host004 CISE_Failed_Attempts 1000100013 1 0 2022-03-15 10:42:00.300 +00:00 1000200013 5417 NOTICE Failed-Attempt: Dynamic Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40673, DestinationIPAddress=198.51.100.32, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=8, Calling-Station-ID=00-11-22-33-44-88, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666678, RequestLatency=25, FailureReason=11507 Dynamic Authorization failed, Step=11001, Step=11017, Step=5417,", + "outcome": "failure", + "sequence": 1000200013, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:42:00.300 +00:00 1000200013 5417 NOTICE Failed-Attempt: Dynamic Authorization failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40673, DestinationIPAddress=198.51.100.32, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=8, Calling-Station-ID=00-11-22-33-44-88, 
NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666678, RequestLatency=25, FailureReason=11507 Dynamic Authorization failed, Step=11001, Step=11017, Step=5417,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:43:00.400Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666679" + } + }, + "calling_station": { + "id": "00-11-22-33-44-99" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15044 DACL not found" + }, + "message": { + "code": "5419", + "description": "Failed-Attempt: DACL Download Failed", + "id": "1000100014" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 9, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 17 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5419" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40674 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5419", + "kind": "event", + "original": "<181>Mar 15 10:43:00 host004 CISE_Failed_Attempts 1000100014 1 0 2022-03-15 10:43:00.400 +00:00 1000200014 5419 NOTICE Failed-Attempt: DACL Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40674, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, 
User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=9, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-99, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666679, RequestLatency=17, FailureReason=15044 DACL not found, Step=11001, Step=11017, Step=5419,", + "outcome": "failure", + "sequence": 1000200014, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:43:00.400 +00:00 1000200014 5419 NOTICE Failed-Attempt: DACL Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40674, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=9, Service-Type=Framed, Calling-Station-ID=00-11-22-33-44-99, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666679, RequestLatency=17, FailureReason=15044 DACL not found, Step=11001, Step=11017, Step=5419,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:44:00.500Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666680" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "12508 TrustSec data download failed" + }, + "message": { + "code": "5420", + "description": "Failed-Attempt: TrustSec Data Download Failed", + "id": "1000100015" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 10, + "type": 
"Virtual" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 45 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5420" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40675 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5420", + "kind": "event", + "original": "<181>Mar 15 10:44:00 host004 CISE_Failed_Attempts 1000100015 1 0 2022-03-15 10:44:00.500 +00:00 1000200015 5420 NOTICE Failed-Attempt: TrustSec Data Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40675, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=10, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666680, RequestLatency=45, FailureReason=12508 TrustSec data download failed, Step=11001, Step=11017, Step=5420,", + "outcome": "failure", + "sequence": 1000200015, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:44:00.500 +00:00 1000200015 5420 NOTICE Failed-Attempt: TrustSec Data Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40675, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=10, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666680, RequestLatency=45, FailureReason=12508 TrustSec data download failed, 
Step=11001, Step=11017, Step=5420,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "#CTSREQUEST#" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "#CTSREQUEST#" + ] + } + }, + { + "@timestamp": "2022-03-15T10:45:00.600Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666681" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "12520 TrustSec peer policy download failed" + }, + "message": { + "code": "5421", + "description": "Failed-Attempt: TrustSec Peer Policy Download Failed", + "id": "1000100016" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 11, + "type": "Virtual" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 38 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5421" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40676 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5421", + "kind": "event", + "original": "<181>Mar 15 10:45:00 host004 CISE_Failed_Attempts 1000100016 1 0 2022-03-15 10:45:00.600 +00:00 1000200016 5421 NOTICE Failed-Attempt: TrustSec Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40676, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=11, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666681, RequestLatency=38, FailureReason=12520 TrustSec peer policy download 
failed, Step=11001, Step=11017, Step=5421,", + "outcome": "failure", + "sequence": 1000200016, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:45:00.600 +00:00 1000200016 5421 NOTICE Failed-Attempt: TrustSec Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40676, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=11, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666681, RequestLatency=38, FailureReason=12520 TrustSec peer policy download failed, Step=11001, Step=11017, Step=5421,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "#CTSREQUEST#" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "#CTSREQUEST#" + ] + } + }, + { + "@timestamp": "2022-03-15T10:46:00.700Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666682" + } + }, + "calling_station": { + "id": "00-AA-BB-CC-DD-EE" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15006 Policy was not found" + }, + "message": { + "code": "5422", + "description": "Failed-Attempt: Authorize-Only failed", + "id": "1000100017" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 12, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 19 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Authorize Only" + }, 
+ "step": [ + "11001", + "11017", + "5422" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40677 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5422", + "kind": "event", + "original": "<181>Mar 15 10:46:00 host004 CISE_Failed_Attempts 1000100017 1 0 2022-03-15 10:46:00.700 +00:00 1000200017 5422 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40677, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=12, Service-Type=Authorize Only, Calling-Station-ID=00-AA-BB-CC-DD-EE, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666682, RequestLatency=19, FailureReason=15006 Policy was not found, Step=11001, Step=11017, Step=5422,", + "outcome": "failure", + "sequence": 1000200017, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:46:00.700 +00:00 1000200017 5422 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40677, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=12, Service-Type=Authorize Only, Calling-Station-ID=00-AA-BB-CC-DD-EE, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666682, RequestLatency=19, FailureReason=15006 Policy was not found, Step=11001, Step=11017, Step=5422,", + "network": { + "protocol": "radius" + }, + "related": { + 
"hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:47:00.800Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666683" + } + }, + "calling_station": { + "id": "00-AA-BB-CC-DD-FF" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "86014 Device registration webauth failed" + }, + "message": { + "code": "5423", + "description": "Failed-Attempt: Device Registration Web Authentication Failed", + "id": "1000100018" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + "request": { + "latency": 31 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5423" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40678 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "code": "5423", + "kind": "event", + "original": "<181>Mar 15 10:47:00 host004 CISE_Failed_Attempts 1000100018 1 0 2022-03-15 10:47:00.800 +00:00 1000200018 5423 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40678, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=13, Service-Type=Framed, Calling-Station-ID=00-AA-BB-CC-DD-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, 
AcsSessionID=host004/444444444/6666683, RequestLatency=31, FailureReason=86014 Device registration webauth failed, Step=11001, Step=11017, Step=5423,", + "outcome": "failure", + "sequence": 1000200018, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:47:00.800 +00:00 1000200018 5423 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40678, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=user05, NAS-IP-Address=192.0.2.42, NAS-Port=13, Service-Type=Framed, Calling-Station-ID=00-AA-BB-CC-DD-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666683, RequestLatency=31, FailureReason=86014 Device registration webauth failed, Step=11001, Step=11017, Step=5423,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "user05" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user05" + ] + } + }, + { + "@timestamp": "2022-03-15T10:48:00.900Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666684" + } + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "12525 SGA peer policy download failed" + }, + "message": { + "code": "5434", + "description": "Failed-Attempt: SGA Peer Policy Download Failed", + "id": "1000100019" + }, + "nas": { + "ip": "192.0.2.42", + "port": { + "number": 14, + "type": "Virtual" + } + }, + "network": { + "device": { + "name": "device005", + "profile_id": "22222222-3333-4444-5555-666666666666" + } + }, + 
"request": { + "latency": 42 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5434" + ] + } + }, + "client": { + "ip": "192.0.2.42", + "port": 40679 + }, + "destination": { + "ip": "198.51.100.32", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5434", + "kind": "event", + "original": "<181>Mar 15 10:48:00 host004 CISE_Failed_Attempts 1000100019 1 0 2022-03-15 10:48:00.900 +00:00 1000200019 5434 NOTICE Failed-Attempt: SGA Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40679, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=14, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666684, RequestLatency=42, FailureReason=12525 SGA peer policy download failed, Step=11001, Step=11017, Step=5434,", + "outcome": "failure", + "sequence": 1000200019, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:48:00.900 +00:00 1000200019 5434 NOTICE Failed-Attempt: SGA Peer Policy Download Failed, ConfigVersionId=77, Device IP Address=192.0.2.42, Device Port=40679, DestinationIPAddress=198.51.100.32, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device005, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.42, NAS-Port=14, NAS-Port-Type=Virtual, NetworkDeviceProfileId=22222222-3333-4444-5555-666666666666, AcsSessionID=host004/444444444/6666684, RequestLatency=42, FailureReason=12525 SGA peer policy download failed, Step=11001, Step=11017, Step=5434,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + 
"ip": [ + "192.0.2.42", + "198.51.100.32" + ], + "user": [ + "#CTSREQUEST#" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "#CTSREQUEST#" + ] + } + }, + { + "@timestamp": "2022-03-15T10:49:00.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666685" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-FF" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "15006 Policy was not found" + }, + "message": { + "code": "5436", + "description": "Failed-Attempt: Authorize-Only failed", + "id": "1000100020" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 15, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "request": { + "latency": 27 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Authorize Only" + }, + "step": [ + "11001", + "11017", + "5436" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40680 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5436", + "kind": "event", + "original": "<181>Mar 15 10:49:00 host004 CISE_Failed_Attempts 1000100020 1 0 2022-03-15 10:49:00.000 +00:00 1000200020 5436 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40680, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=15, Service-Type=Authorize Only, Calling-Station-ID=00-BB-CC-DD-EE-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666685, RequestLatency=27, FailureReason=15006 Policy was 
not found, Step=11001, Step=11017, Step=5436,", + "outcome": "failure", + "sequence": 1000200020, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:49:00.000 +00:00 1000200020 5436 NOTICE Failed-Attempt: Authorize-Only failed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40680, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=15, Service-Type=Authorize Only, Calling-Station-ID=00-BB-CC-DD-EE-FF, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666685, RequestLatency=27, FailureReason=15006 Policy was not found, Step=11001, Step=11017, Step=5436,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:50:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666686" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-00" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "86014 Device registration webauth failed" + }, + "message": { + "code": "5437", + "description": "Failed-Attempt: Device Registration Web Authentication Failed", + "id": "1000100021" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 16, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "request": { + "latency": 33 + }, + "segment": { + 
"number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5437" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40681 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5437", + "kind": "event", + "original": "<181>Mar 15 10:50:00 host004 CISE_Failed_Attempts 1000100021 1 0 2022-03-15 10:50:00.100 +00:00 1000200021 5437 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40681, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=16, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-00, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666686, RequestLatency=33, FailureReason=86014 Device registration webauth failed, Step=11001, Step=11017, Step=5437,", + "outcome": "failure", + "sequence": 1000200021, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:50:00.100 +00:00 1000200021 5437 NOTICE Failed-Attempt: Device Registration Web Authentication Failed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40681, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=16, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-00, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666686, RequestLatency=33, FailureReason=86014 Device 
registration webauth failed, Step=11001, Step=11017, Step=5437,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:51:00.200Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666687" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-11" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11508 Session not found on this ISE node" + }, + "message": { + "code": "5438", + "description": "Failed-Attempt: Session was not found on this ISE node", + "id": "1000100022" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 17, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "request": { + "latency": 10 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5438" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40682 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5438", + "kind": "event", + "original": "<181>Mar 15 10:51:00 host004 CISE_Failed_Attempts 1000100022 1 0 2022-03-15 10:51:00.200 +00:00 1000200022 5438 NOTICE Failed-Attempt: Session was not found on this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40682, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=17, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-11, 
NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666687, RequestLatency=10, FailureReason=11508 Session not found on this ISE node, Step=11001, Step=11017, Step=5438,", + "outcome": "failure", + "sequence": 1000200022, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:51:00.200 +00:00 1000200022 5438 NOTICE Failed-Attempt: Session was not found on this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40682, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=17, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-11, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666687, RequestLatency=10, FailureReason=11508 Session not found on this ISE node, Step=11001, Step=11017, Step=5438,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:52:00.300Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666688" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-22" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11509 Session belongs to different ISE node" + }, + "message": { + "code": "5439", + "description": "Failed-Attempt: Session does not belong to this ISE node", + "id": "1000100023" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + 
"number": 18, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "request": { + "latency": 13 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5439" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40683 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5439", + "kind": "event", + "original": "<181>Mar 15 10:52:00 host004 CISE_Failed_Attempts 1000100023 1 0 2022-03-15 10:52:00.300 +00:00 1000200023 5439 NOTICE Failed-Attempt: Session does not belong to this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40683, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=18, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-22, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666688, RequestLatency=13, FailureReason=11509 Session belongs to different ISE node, Step=11001, Step=11017, Step=5439,", + "outcome": "failure", + "sequence": 1000200023, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:52:00.300 +00:00 1000200023 5439 NOTICE Failed-Attempt: Session does not belong to this ISE node, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40683, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=18, Service-Type=Framed, 
Calling-Station-ID=00-BB-CC-DD-EE-22, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666688, RequestLatency=13, FailureReason=11509 Session belongs to different ISE node, Step=11001, Step=11017, Step=5439,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:53:00.400Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666689" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-33" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11017 RADIUS non-EAP dropped" + }, + "message": { + "code": "5441", + "description": "RADIUS: Endpoint started new session while previous session was being processed", + "id": "1000100024" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 19, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "request": { + "latency": 7 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5441" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40684 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "radius", + "category": [ + "network" + ], + "code": "5441", + "kind": "event", + "original": "<181>Mar 15 10:53:00 host004 CISE_Failed_Attempts 1000100024 1 0 2022-03-15 10:53:00.400 +00:00 1000200024 5441 NOTICE RADIUS: Endpoint started new session while previous session was being processed, ConfigVersionId=77, Device IP Address=192.0.2.43, 
Device Port=40684, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=19, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-33, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666689, RequestLatency=7, FailureReason=11017 RADIUS non-EAP dropped, Step=11001, Step=11017, Step=5441,", + "outcome": "failure", + "sequence": 1000200024, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:53:00.400 +00:00 1000200024 5441 NOTICE RADIUS: Endpoint started new session while previous session was being processed, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40684, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=19, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-33, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666689, RequestLatency=7, FailureReason=11017 RADIUS non-EAP dropped, Step=11001, Step=11017, Step=5441,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:54:00.500Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666690" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-44" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": 
"11019 Request dropped due to overload" + }, + "message": { + "code": "5442", + "description": "RADIUS: Request dropped due to system overload", + "id": "1000100025" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 20, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5442" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40685 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "radius", + "category": [ + "network" + ], + "code": "5442", + "kind": "event", + "original": "<181>Mar 15 10:54:00 host004 CISE_Failed_Attempts 1000100025 1 0 2022-03-15 10:54:00.500 +00:00 1000200025 5442 NOTICE RADIUS: Request dropped due to system overload, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40685, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=20, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-44, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666690, FailureReason=11019 Request dropped due to overload, Step=11001, Step=11017, Step=5442,", + "outcome": "failure", + "sequence": 1000200025, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:54:00.500 +00:00 1000200025 5442 NOTICE RADIUS: Request dropped due to system overload, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40685, DestinationIPAddress=198.51.100.33, 
DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user06, NAS-IP-Address=192.0.2.43, NAS-Port=20, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-44, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666690, FailureReason=11019 Request dropped due to overload, Step=11001, Step=11017, Step=5442,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user06" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user06" + ] + } + }, + { + "@timestamp": "2022-03-15T10:55:00.600Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666691" + } + }, + "calling_station": { + "id": "00-BB-CC-DD-EE-55" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11020 EAP sessions limit reached" + }, + "message": { + "code": "5443", + "description": "RADIUS: Request dropped due to reaching EAP sessions limit", + "id": "1000100026" + }, + "nas": { + "ip": "192.0.2.43", + "port": { + "number": 21, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device006", + "profile_id": "33333333-4444-5555-6666-777777777777" + } + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11117", + "5443" + ] + } + }, + "client": { + "ip": "192.0.2.43", + "port": 40686 + }, + "destination": { + "ip": "198.51.100.33", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "radius", + "category": [ + "network" + ], + "code": "5443", + "kind": "event", + "original": "<181>Mar 15 10:55:00 host004 CISE_Failed_Attempts 1000100026 1 0 2022-03-15 10:55:00.600 +00:00 1000200026 5443 NOTICE RADIUS: Request dropped due to reaching EAP sessions limit, 
ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40686, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user07, NAS-IP-Address=192.0.2.43, NAS-Port=21, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666691, FailureReason=11020 EAP sessions limit reached, Step=11001, Step=11117, Step=5443,", + "outcome": "failure", + "sequence": 1000200026, + "timezone": "+00:00", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:55:00.600 +00:00 1000200026 5443 NOTICE RADIUS: Request dropped due to reaching EAP sessions limit, ConfigVersionId=77, Device IP Address=192.0.2.43, Device Port=40686, DestinationIPAddress=198.51.100.33, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device006, User-Name=user07, NAS-IP-Address=192.0.2.43, NAS-Port=21, Service-Type=Framed, Calling-Station-ID=00-BB-CC-DD-EE-55, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=33333333-4444-5555-6666-777777777777, AcsSessionID=host004/444444444/6666691, FailureReason=11020 EAP sessions limit reached, Step=11001, Step=11117, Step=5443,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.43", + "198.51.100.33" + ], + "user": [ + "user07" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user07" + ] + } + }, + { + "@timestamp": "2022-03-15T10:56:00.700Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666692" + } + }, + "calling_station": { + "id": "AA-BB-CC-DD-EE-01" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": 
"80003 MDM server returned error" + }, + "message": { + "code": "5448", + "description": "Failed-Attempt: MDM Authentication failed", + "id": "1000100027" + }, + "nas": { + "ip": "192.0.2.44", + "port": { + "number": 22, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device007", + "profile_id": "44444444-5555-6666-7777-888888888888" + } + }, + "request": { + "latency": 55 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5448" + ] + } + }, + "client": { + "ip": "192.0.2.44", + "port": 40687 + }, + "destination": { + "ip": "198.51.100.34", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "code": "5448", + "kind": "event", + "original": "<181>Mar 15 10:56:00 host004 CISE_Failed_Attempts 1000100027 1 0 2022-03-15 10:56:00.700 +00:00 1000200027 5448 NOTICE Failed-Attempt: MDM Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40687, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=22, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666692, RequestLatency=55, FailureReason=80003 MDM server returned error, Step=11001, Step=11017, Step=5448,", + "outcome": "failure", + "sequence": 1000200027, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:56:00.700 +00:00 1000200027 5448 NOTICE Failed-Attempt: MDM Authentication failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40687, 
DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=22, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666692, RequestLatency=55, FailureReason=80003 MDM server returned error, Step=11001, Step=11017, Step=5448,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.44", + "198.51.100.34" + ], + "user": [ + "user07" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user07" + ] + } + }, + { + "@timestamp": "2022-03-15T10:57:00.800Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666693" + } + }, + "calling_station": { + "id": "AA-BB-CC-DD-EE-02" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "11007 Could not locate Network Device or AAA Client" + }, + "message": { + "code": "5449", + "description": "RADIUS: Endpoint failed authentication of the same scenario several times and was rejected", + "id": "1000100028" + }, + "nas": { + "ip": "192.0.2.44", + "port": { + "number": 23, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device007", + "profile_id": "44444444-5555-6666-7777-888888888888" + } + }, + "request": { + "latency": 15 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5449" + ], + "total": { + "failed_attempts": 6, + "failed_time": 1200 + } + } + }, + "client": { + "ip": "192.0.2.44", + "port": 40688 + }, + "destination": { + "ip": "198.51.100.34", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "radius", + "category": [ + "authentication" + ], + "code": "5449", + 
"kind": "event", + "original": "<181>Mar 15 10:57:00 host004 CISE_Failed_Attempts 1000100028 1 0 2022-03-15 10:57:00.800 +00:00 1000200028 5449 NOTICE RADIUS: Endpoint failed authentication of the same scenario several times and was rejected, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40688, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=23, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666693, RequestLatency=15, FailureReason=11007 Could not locate Network Device or AAA Client, TotalFailedAttempts=6, TotalFailedTime=1200, Step=11001, Step=11017, Step=5449,", + "outcome": "failure", + "sequence": 1000200028, + "timezone": "+00:00", + "type": [ + "end" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:57:00.800 +00:00 1000200028 5449 NOTICE RADIUS: Endpoint failed authentication of the same scenario several times and was rejected, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40688, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=23, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666693, RequestLatency=15, FailureReason=11007 Could not locate Network Device or AAA Client, TotalFailedAttempts=6, TotalFailedTime=1200, Step=11001, Step=11017, Step=5449,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.44", + "198.51.100.34" + ], + 
"user": [ + "user07" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user07" + ] + } + }, + { + "@timestamp": "2022-03-15T10:58:00.900Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666694" + } + }, + "calling_station": { + "id": "AA-BB-CC-DD-EE-03" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "dtls_support": "Yes", + "failure": { + "reason": "12551 DTLS handshake failed" + }, + "message": { + "code": "5450", + "description": "Failed-Attempt: RADIUS DTLS handshake failed", + "id": "1000100029" + }, + "nas": { + "ip": "192.0.2.44", + "port": { + "number": 24, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device007", + "profile_id": "44444444-5555-6666-7777-888888888888" + } + }, + "request": { + "latency": 60 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5450" + ] + } + }, + "client": { + "ip": "192.0.2.44", + "port": 40689 + }, + "destination": { + "ip": "198.51.100.34", + "port": 2083 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "network" + ], + "code": "5450", + "kind": "event", + "original": "<181>Mar 15 10:58:00 host004 CISE_Failed_Attempts 1000100029 1 0 2022-03-15 10:58:00.900 +00:00 1000200029 5450 NOTICE Failed-Attempt: RADIUS DTLS handshake failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40689, DestinationIPAddress=198.51.100.34, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=24, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666694, RequestLatency=60, FailureReason=12551 DTLS handshake failed, 
Step=11001, Step=11017, Step=5450,", + "outcome": "failure", + "sequence": 1000200029, + "timezone": "+00:00", + "type": [ + "connection" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:58:00.900 +00:00 1000200029 5450 NOTICE Failed-Attempt: RADIUS DTLS handshake failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40689, DestinationIPAddress=198.51.100.34, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device007, User-Name=user07, NAS-IP-Address=192.0.2.44, NAS-Port=24, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666694, RequestLatency=60, FailureReason=12551 DTLS handshake failed, Step=11001, Step=11017, Step=5450,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.44", + "198.51.100.34" + ], + "user": [ + "user07" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user07" + ] + } + }, + { + "@timestamp": "2022-03-15T10:59:00.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666695" + } + }, + "calling_station": { + "id": "AA-BB-CC-DD-EE-04" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "86017 Social login failed" + }, + "message": { + "code": "5451", + "description": "Failed-Attempt: Social Login failed", + "id": "1000100030" + }, + "nas": { + "ip": "192.0.2.44", + "port": { + "number": 25, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device007", + "profile_id": "44444444-5555-6666-7777-888888888888" + } + }, + "portal": { + "name": "Social-Portal" + }, + "request": { + "latency": 21 + }, + 
"segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5451" + ] + } + }, + "client": { + "ip": "192.0.2.44", + "port": 40690 + }, + "destination": { + "ip": "198.51.100.34", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "code": "5451", + "kind": "event", + "original": "<181>Mar 15 10:59:00 host004 CISE_Failed_Attempts 1000100030 1 0 2022-03-15 10:59:00.000 +00:00 1000200030 5451 NOTICE Failed-Attempt: Social Login failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40690, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=25, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666695, RequestLatency=21, FailureReason=86017 Social login failed, PortalName=Social-Portal, Step=11001, Step=11017, Step=5451,", + "outcome": "failure", + "sequence": 1000200030, + "timezone": "+00:00", + "type": [ + "end" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 10:59:00.000 +00:00 1000200030 5451 NOTICE Failed-Attempt: Social Login failed, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40690, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=25, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666695, RequestLatency=21, FailureReason=86017 Social login failed, 
PortalName=Social-Portal, Step=11001, Step=11017, Step=5451,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.44", + "198.51.100.34" + ], + "user": [ + "user08" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user08" + ] + } + }, + { + "@timestamp": "2022-03-15T11:00:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host004/444444444/6666696" + } + }, + "calling_station": { + "id": "AA-BB-CC-DD-EE-05" + }, + "category": { + "name": "CISE_Failed_Attempts" + }, + "config_version": { + "id": 77 + }, + "failure": { + "reason": "86018 Social login error" + }, + "message": { + "code": "5452", + "description": "Failed-Attempt: Social Login error", + "id": "1000100031" + }, + "nas": { + "ip": "192.0.2.44", + "port": { + "number": 26, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device007", + "profile_id": "44444444-5555-6666-7777-888888888888" + } + }, + "portal": { + "name": "Social-Portal" + }, + "request": { + "latency": 18 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5452" + ] + } + }, + "client": { + "ip": "192.0.2.44", + "port": 40691 + }, + "destination": { + "ip": "198.51.100.34", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "authentication" + ], + "code": "5452", + "kind": "event", + "original": "<181>Mar 15 11:00:00 host004 CISE_Failed_Attempts 1000100031 1 0 2022-03-15 11:00:00.100 +00:00 1000200031 5452 NOTICE Failed-Attempt: Social Login error, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40691, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=26, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-05, NAS-Port-Type=Wireless 
- IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666696, RequestLatency=18, FailureReason=86018 Social login error, PortalName=Social-Portal, Step=11001, Step=11017, Step=5452,", + "outcome": "failure", + "sequence": 1000200031, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host004" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:00:00.100 +00:00 1000200031 5452 NOTICE Failed-Attempt: Social Login error, ConfigVersionId=77, Device IP Address=192.0.2.44, Device Port=40691, DestinationIPAddress=198.51.100.34, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device007, User-Name=user08, NAS-IP-Address=192.0.2.44, NAS-Port=26, Service-Type=Framed, Calling-Station-ID=AA-BB-CC-DD-EE-05, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=44444444-5555-6666-7777-888888888888, AcsSessionID=host004/444444444/6666696, RequestLatency=18, FailureReason=86018 Social login error, PortalName=Social-Portal, Step=11001, Step=11017, Step=5452,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host004" + ], + "ip": [ + "192.0.2.44", + "198.51.100.34" + ], + "user": [ + "user08" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user08" + ] + } } ] } diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log index 003952accb9..f82443294d3 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log 
@@ -4,3 +4,17 @@ <181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239, <181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2025-03-03 09:11:58.840 -07:00 0429868068 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=509, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.145, DestinationPort=1645, UserName=user1, Protocol=Radius, NetworkDeviceName=ASA_Firewalls, User-Name=user1, NAS-IP-Address=81.2.69.145, NAS-Port=216199168, Called-Station-ID=81.2.69.148, Calling-Station-ID=81.2.69.145, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 81.2.69.145, cisco-av-pair=mdm-tlv=device-platform=win, cisco-av-pair=mdm-tlv=computer-name=User1, cisco-av-pair=mdm-tlv=device-mac=04-68-74-a2-c2-67, cisco-av-pair=mdm-tlv=device-platform-version=10.0.26100 , cisco-av-pair=mdm-tlv=device-public-mac=04-68-74-a2-c2-67, cisco-av-pair=mdm-tlv=ac-user-agent=AnyConnect Windows 5.1.10.233, cisco-av-pair=mdm-tlv=device-uid-global=2897F9C5734F41A03F0E89064463F6FAB5EEDBF1, cisco-av-pair=mdm-tlv=device-type=ACME COMPUTER, cisco-av-pair=mdm-tlv=device-uid=E835E862F6A2CE17C35D570B4746B86F9CFE9BCAD0824F872BA61C3F6F5682C1, cisco-av-pair=audit-session-id=984ffaf10ce2f00068ec8408, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=RA_VPN, OriginalUserName=user1, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=81.2.69.148, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=lxprdisepsn04/543883580/12648582, AuthenticationIdentityStore=Duo_Radius, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=VPN full access, IsMachineAuthentication=false, RequestLatency=4302, IdentityGroup=Endpoint 
Identity Groups:Profiled:Windows11-Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15041, Step=22072, Step=15013, Step=24210, Step=24216, Step=15013, Step=24634, Step=24636, Step=24609, Step=11100, Step=11101, Step=24612, Step=24623, Step=24641, Step=22037, Step=15057, Step=24715, Step=15036, Step=24209, Step=24211, Step=24432, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24323, Step=24355, Step=24416, Step=15048, Step=15048, Step=15016, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Duo_Radius, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Example Campus, NetworkDeviceGroups=Device Type#All Device Types#ASA Firewalls, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=DNAC#DNAC Devices, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=RemoteAllowedMFA, cisco-av-pair=AuthenticationIdentityStore=Duo_Radius, CPMSessionID=984ffaf10ce2f00068ec8408, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows11-Workstation, ISEPolicySetName=Remote Access VPN Policy, IdentitySelectionMatchedRule=Default, StepLatency=1=0\\;2=1\\;3=0\\;4=0\\;5=1\\;6=0\\;7=0\\;8=5\\;9=6\\;10=0\\;11=1\\;12=0\\;13=0\\;14=2\\;15=0\\;16=0\\;17=0\\;18=0\\;19=0\\;20=4259\\;21=1\\;22=0\\;23=0\\;24=0\\;25=0\\;26=5\\;27=0\\;28=0\\;29=4\\;39=9\\;40=7\\;41=0\\;42=1\\;43=0\\;44=1, AD-User-Resolved-Identities=user1@example.com, AD-User-Join-Point=example.com, StepData=4= Wlan-Id, StepData=5= Radius.Called-Station-ID, StepData=6= DEVICE.Device Type, StepData=7= Network Access.Protocol, StepData=8= Network Condition.Wireless Controllers, StepData=9= Network Condition.ASA VPN, StepData=11=EXPL_auth_order_DUO, StepData=12=Internal Users, StepData=15=Duo_Radius, StepData=16=Duo_Radius, StepData=17=Duo_Radius, StepData=18=Duo_Radius, 
StepData=19=( port = 1812 ), StepData=0=AD1, StepData=1=user1, StepData=2=example.com, StepData=3=example.com, StepData=4=aws.example.com\\,Domain trust is one-way, StepData=5=example.com\\,Domain trust is one-way, StepData=7=example.com, StepData=8=AD1, StepData=39= AD1.ExternalGroups, StepData=40= Network Condition.ASA VPN, TotalAuthenLatency=4302, ClientLatency=0, AD-User-Resolved-DNs=CN=User1 \\,OU=New Users\\,OU=PEOPLE\\,DC=Example\\,DC=com, AD-User-DNS-Domain=example.com, AD-Groups-Names=example.com/Groups/NetOpsGroups/WirelessAllowed, AD-Groups-Names=example.com/Groups/NetOpsGroups/RemoteAllowedMFA, AD-User-NetBios-Name=user1, AD-User-SamAccount-Name=user1, allowEasyWiredSession=false, DTLSSupport=Unknown, EndPointIPAddress=81.2.69.145, HostIdentityGroup=Endpoint Identity Groups:Profiled:Windows11-Workstation, ExternalGroups=S-1-5-21-1-2-3-4, ExternalGroups=S-1-5-21-1-2-3-4, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Example, Device Type=Device Type#All Device Types#ASA Firewalls, IPSEC=IPSEC#Is IPSEC Device#No, DNAC=DNAC#DNAC Devices, ASA VPN=true, Response={Class=CACS:984ffaf10ce2f00068ec8408:lxprdisepsn04/543883580/12648582; cisco-av-pair=profile-name=Windows11-Workstation; LicenseTypes=1; }, <181>Apr 30 09:11:25 cisco-ise-host CISE_Passed_Authentications 0000008856 1 0 2026-04-30 09:11:25.367 +00:00 0000781727 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=11, UserName=92-09-00-00-00-01, cisco-av-pair=FQSubjectName=111-222-aaa-bbb-123456abc=abc123,ou=488-test,ou=org-sgn,ou=wireless,dc=example,dc=int#00-aa-bb-cc-dd-ee, NetworkDeviceProfileName=Cisco, +<181>Mar 31 11:24:45 host002 CISE_Passed_Authentications 2233445566 1 0 2026-03-31 11:24:45.159 +01:00 9988776655 5203 NOTICE Device-Administration: Session Authorization succeeded, ConfigVersionId=79, Device IP Address=192.0.2.30, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user02, 
Protocol=Tacacs, RequestLatency=13, NetworkDeviceName=device002, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user02, Port=tty644, Remote-Address=203.0.113.40, Authen-Method=TacacsPlus, Service-Argument=shell, NetworkDeviceProfileId=22222222-3333-4444-5555-777777777777, AcsSessionID=host002/222222222/444444, AuthenticationIdentityStore=EE-SSA, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, IsMachineAuthentication=false, Step=13005, Step=15049, Step=15008, +<181>Mar 15 11:10:00 host005 CISE_Passed_Authentications 2000100001 1 0 2022-03-15 11:10:00.100 +00:00 2000200001 5201 NOTICE Device-Administration: Authentication succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50001, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device010, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777777, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, Step=13001, Step=13013, Step=15049, Step=15008, +<181>Mar 15 11:11:00 host005 CISE_Passed_Authentications 2000100002 1 0 2022-03-15 11:11:00.200 +00:00 2000200002 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50002, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device010, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777778, 
AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, Step=13005, Step=15049, Step=15008, +<181>Mar 15 11:12:00 host005 CISE_Passed_Authentications 2000100003 1 0 2022-03-15 11:12:00.300 +00:00 2000200003 5204 NOTICE Failed-Attempt: Change password succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50003, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=30, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777779, RequestLatency=14, Step=11001, Step=11017, Step=5204, +<181>Mar 15 11:13:00 host005 CISE_Passed_Authentications 2000100004 1 0 2022-03-15 11:13:00.400 +00:00 2000200004 5205 NOTICE Passed-Authentication: Dynamic Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50004, DestinationIPAddress=198.51.100.41, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=31, Calling-Station-ID=BB-CC-DD-EE-FF-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777780, RequestLatency=20, Step=11001, Step=11017, Step=5205, +<181>Mar 15 11:14:00 host005 CISE_Passed_Authentications 2000100005 1 0 2022-03-15 11:14:00.500 +00:00 2000200005 5206 NOTICE Passed-Authentication: PAC provisioned, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50005, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=32, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-03, NAS-Port-Type=Wireless - IEEE 
802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777781, RequestLatency=35, EapTunnel=EAP-FAST, Step=11001, Step=11017, Step=11117, Step=5206, +<181>Mar 15 11:15:00 host005 CISE_Passed_Authentications 2000100006 1 0 2022-03-15 11:15:00.600 +00:00 2000200006 5232 NOTICE Passed-Authentication: DACL Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50006, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=33, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777782, RequestLatency=12, Step=11001, Step=11017, Step=5232, +<181>Mar 15 11:16:00 host005 CISE_Passed_Authentications 2000100007 1 0 2022-03-15 11:16:00.700 +00:00 2000200007 5234 NOTICE Passed-Authentication: SGA Peer Policy Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50007, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.52, NAS-Port=34, NAS-Port-Type=Virtual, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777783, RequestLatency=50, Step=11001, Step=11017, Step=5234, +<181>Mar 15 11:17:00 host005 CISE_Passed_Authentications 2000100008 1 0 2022-03-15 11:17:00.800 +00:00 2000200008 5235 NOTICE Guest: Sponsor has successfully authenticated, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50008, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=sponsor01, NAS-IP-Address=192.0.2.52, NAS-Port=35, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-01, NAS-Port-Type=Wireless - IEEE 802.11, 
NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777784, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, PortalName=Sponsor Portal, RequestLatency=18, Step=11001, Step=11017, Step=5235, +<181>Mar 15 11:18:00 host005 CISE_Passed_Authentications 2000100009 1 0 2022-03-15 11:18:00.900 +00:00 2000200009 5236 NOTICE Passed-Authentication: Authorize-Only succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50009, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, NAS-IP-Address=192.0.2.52, NAS-Port=36, Service-Type=Authorize Only, Calling-Station-ID=CC-DD-EE-FF-00-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777785, RequestLatency=16, Step=11001, Step=11017, Step=5236, +<181>Mar 15 11:19:00 host005 CISE_Passed_Authentications 2000100010 1 0 2022-03-15 11:19:00.000 +00:00 2000200010 5237 NOTICE Passed-Authentication: Device Registration Web Authentication Passed, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50010, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, NAS-IP-Address=192.0.2.52, NAS-Port=37, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-03, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777786, RequestLatency=23, Step=11001, Step=11017, Step=5237, +<181>Mar 15 11:20:00 host005 CISE_Passed_Authentications 2000100011 1 0 2022-03-15 11:20:00.100 +00:00 2000200011 5238 NOTICE Passed-Authentication: Endpoint authentication problem was fixed, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50011, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, 
NAS-IP-Address=192.0.2.53, NAS-Port=38, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777787, RequestLatency=27, Step=11001, Step=11017, Step=5238, +<181>Mar 15 11:21:00 host005 CISE_Passed_Authentications 2000100012 1 0 2022-03-15 11:21:00.200 +00:00 2000200012 5240 NOTICE Passed-Authentication: Previously rejected endpoint was released to continue authentications, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50012, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=39, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777788, RequestLatency=11, Step=11001, Step=11017, Step=5240, +<181>Mar 15 11:22:00 host005 CISE_Passed_Authentications 2000100013 1 0 2022-03-15 11:22:00.300 +00:00 2000200013 5241 NOTICE Passed-Authentication: RADIUS DTLS handshake succeeded, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50013, DestinationIPAddress=198.51.100.43, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=40, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777789, RequestLatency=65, Step=11001, Step=11017, Step=5241, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json index a0a83882db1..976ca589396 100644 
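Review bot: The 5204 fixture line (fourth added line of this hunk) reads `5204 NOTICE Failed-Attempt: Change password succeeded` inside CISE_Passed_Authentications, and the expected output later in this diff maps it to `"action": "failed-attempt"` with category `iam`, so the pipeline appears to take event.action from the text before the first colon; please confirm that message text for 5204 against a real ISE export rather than a reconstruction, because a fixture with the wrong prefix pins a misleading action and category into the expected JSON for every future run. The same accuracy question applies to the other thirteen new lines: none carries the trailing `Response={...}` block, `NetworkDeviceGroups=` attributes or escaped `\\,` values that the existing 5200 context line shows real ISE messages contain, so each new code is exercised only with a minimal attribute set. Since a log fixture cannot hold a comment, a sentence in the PR description stating whether these lines were captured from a device or synthesised would be the right place to record that.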
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json 
@@ -980,6 +980,1677 @@ "92-09-00-00-00-01" ] } + }, + { + "@timestamp": "2026-03-31T11:24:45.159+01:00", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host002/222222222/444444" + } + }, + "authentication": { + "identity_store": "EE-SSA", + "method": "Lookup" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 79 + }, + "log_details": { + "Authen-Method": "TacacsPlus", + "Authen-Type": "ASCII", + "IsMachineAuthentication": "false", + "Port": "tty644", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.40", + "SelectedShellProfile": "Privilege Level 15 Shell Profile", + "Service": "Login", + "Service-Argument": "shell", + "Type": "Authorization", + "User": "user02" + }, + "message": { + "code": "5203", + "description": "Device-Administration: Session Authorization succeeded", + "id": "2233445566" + }, + "network": { + "device": { + "name": "device002", + "profile_id": "22222222-3333-4444-5555-777777777777" + } + }, + "request": { + "latency": 13 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.30" + }, + "destination": { + "ip": "198.51.100.30", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5203", + "kind": "event", + "original": "<181>Mar 31 11:24:45 host002 CISE_Passed_Authentications 2233445566 1 0 2026-03-31 11:24:45.159 +01:00 9988776655 5203 NOTICE Device-Administration: Session Authorization succeeded, ConfigVersionId=79, Device IP Address=192.0.2.30, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user02, Protocol=Tacacs, RequestLatency=13, NetworkDeviceName=device002, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user02, Port=tty644, 
Remote-Address=203.0.113.40, Authen-Method=TacacsPlus, Service-Argument=shell, NetworkDeviceProfileId=22222222-3333-4444-5555-777777777777, AcsSessionID=host002/222222222/444444, AuthenticationIdentityStore=EE-SSA, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, IsMachineAuthentication=false, Step=13005, Step=15049, Step=15008,", + "outcome": "success", + "sequence": 9988776655, + "timezone": "+01:00", + "type": [ + "allowed" + ] + }, + "host": { + "hostname": "host002" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2026-03-31 11:24:45.159 +01:00 9988776655 5203 NOTICE Device-Administration: Session Authorization succeeded, ConfigVersionId=79, Device IP Address=192.0.2.30, DestinationIPAddress=198.51.100.30, DestinationPort=49, UserName=user02, Protocol=Tacacs, RequestLatency=13, NetworkDeviceName=device002, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user02, Port=tty644, Remote-Address=203.0.113.40, Authen-Method=TacacsPlus, Service-Argument=shell, NetworkDeviceProfileId=22222222-3333-4444-5555-777777777777, AcsSessionID=host002/222222222/444444, AuthenticationIdentityStore=EE-SSA, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, IsMachineAuthentication=false, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host002" + ], + "ip": [ + "198.51.100.30", + "192.0.2.30" + ], + "user": [ + "user02" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user02" + ] + } + }, + { + "@timestamp": "2022-03-15T11:10:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777777" + } + }, + "authentication": { + "identity_store": "Internal Users", + "method": "Lookup" + }, + 
"category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Action": "Login", + "Authen-Type": "ASCII", + "Device Port": "50001", + "Port": "tty10", + "Privilege-Level": "1", + "Remote-Address": "203.0.113.60", + "Service": "Login", + "Type": "Authentication", + "User": "user10" + }, + "message": { + "code": "5201", + "description": "Device-Administration: Authentication succeeded", + "id": "2000100001" + }, + "network": { + "device": { + "name": "device010", + "profile_id": "55555555-6666-7777-8888-999999999999" + } + }, + "request": { + "latency": 9 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13001", + "13013", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.50" + }, + "destination": { + "ip": "198.51.100.40", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication" + ], + "code": "5201", + "kind": "event", + "original": "<181>Mar 15 11:10:00 host005 CISE_Passed_Authentications 2000100001 1 0 2022-03-15 11:10:00.100 +00:00 2000200001 5201 NOTICE Device-Administration: Authentication succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50001, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device010, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777777, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, Step=13001, Step=13013, Step=15049, Step=15008,", + "outcome": "success", + "sequence": 2000200001, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": 
{ + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:10:00.100 +00:00 2000200001 5201 NOTICE Device-Administration: Authentication succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50001, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=9, NetworkDeviceName=device010, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777777, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, Step=13001, Step=13013, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "198.51.100.40", + "192.0.2.50" + ], + "user": [ + "user10" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user10" + ] + } + }, + { + "@timestamp": "2022-03-15T11:11:00.200Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777778" + } + }, + "authentication": { + "identity_store": "Internal Users", + "method": "Lookup" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Action": "Command", + "Authen-Type": "ASCII", + "Device Port": "50002", + "Port": "tty10", + "Privilege-Level": "15", + "Remote-Address": "203.0.113.60", + "SelectedShellProfile": "Privilege Level 15 Shell Profile", + "Service": "Shell", + "Type": "Authorization", + "User": "user10" + }, + "message": { + "code": "5202", + "description": "Device-Administration: Command Authorization succeeded", + "id": "2000100002" + }, + "network": { + "device": { + "name": "device010", + "profile_id": 
"55555555-6666-7777-8888-999999999999" + } + }, + "request": { + "latency": 8 + }, + "segment": { + "number": 0, + "total": 1 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "step": [ + "13005", + "15049", + "15008" + ] + } + }, + "client": { + "ip": "192.0.2.50" + }, + "destination": { + "ip": "198.51.100.40", + "port": 49 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "device-administration", + "category": [ + "authentication", + "network" + ], + "code": "5202", + "kind": "event", + "original": "<181>Mar 15 11:11:00 host005 CISE_Passed_Authentications 2000100002 1 0 2022-03-15 11:11:00.200 +00:00 2000200002 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50002, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device010, Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777778, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, Step=13005, Step=15049, Step=15008,", + "outcome": "success", + "sequence": 2000200002, + "timezone": "+00:00", + "type": [ + "allowed" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:11:00.200 +00:00 2000200002 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.50, Device Port=50002, DestinationIPAddress=198.51.100.40, DestinationPort=49, UserName=user10, Protocol=Tacacs, RequestLatency=8, NetworkDeviceName=device010, 
Type=Authorization, Action=Command, Privilege-Level=15, Authen-Type=ASCII, Service=Shell, User=user10, Port=tty10, Remote-Address=203.0.113.60, NetworkDeviceProfileId=55555555-6666-7777-8888-999999999999, AcsSessionID=host005/555555555/7777778, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Privilege Level 15 Shell Profile, Step=13005, Step=15049, Step=15008,", + "network": { + "protocol": "tacacs" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "198.51.100.40", + "192.0.2.50" + ], + "user": [ + "user10" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user10" + ] + } + }, + { + "@timestamp": "2022-03-15T11:12:00.300Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777779" + } + }, + "calling_station": { + "id": "BB-CC-DD-EE-FF-01" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50003" + }, + "message": { + "code": "5204", + "description": "Failed-Attempt: Change password succeeded", + "id": "2000100003" + }, + "nas": { + "ip": "192.0.2.51", + "port": { + "number": 30, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device011", + "profile_id": "66666666-7777-8888-9999-000000000000" + } + }, + "request": { + "latency": 14 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5204" + ] + } + }, + "client": { + "ip": "192.0.2.51" + }, + "destination": { + "ip": "198.51.100.41", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "failed-attempt", + "category": [ + "iam" + ], + "code": "5204", + "kind": "event", + "original": "<181>Mar 15 11:12:00 host005 CISE_Passed_Authentications 2000100003 1 0 2022-03-15 11:12:00.300 +00:00 2000200003 5204 NOTICE Failed-Attempt: 
Change password succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50003, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=30, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777779, RequestLatency=14, Step=11001, Step=11017, Step=5204,", + "outcome": "success", + "sequence": 2000200003, + "timezone": "+00:00", + "type": [ + "user" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:12:00.300 +00:00 2000200003 5204 NOTICE Failed-Attempt: Change password succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50003, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=30, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777779, RequestLatency=14, Step=11001, Step=11017, Step=5204,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.51", + "198.51.100.41" + ], + "user": [ + "user11" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user11" + ] + } + }, + { + "@timestamp": "2022-03-15T11:13:00.400Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777780" + } + }, + "calling_station": { + "id": "BB-CC-DD-EE-FF-02" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50004" + }, + "message": { + 
"code": "5205", + "description": "Passed-Authentication: Dynamic Authorization succeeded", + "id": "2000100004" + }, + "nas": { + "ip": "192.0.2.51", + "port": { + "number": 31, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device011", + "profile_id": "66666666-7777-8888-9999-000000000000" + } + }, + "request": { + "latency": 20 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5205" + ] + } + }, + "client": { + "ip": "192.0.2.51" + }, + "destination": { + "ip": "198.51.100.41", + "port": 3799 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "network" + ], + "code": "5205", + "kind": "event", + "original": "<181>Mar 15 11:13:00 host005 CISE_Passed_Authentications 2000100004 1 0 2022-03-15 11:13:00.400 +00:00 2000200004 5205 NOTICE Passed-Authentication: Dynamic Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50004, DestinationIPAddress=198.51.100.41, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=31, Calling-Station-ID=BB-CC-DD-EE-FF-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777780, RequestLatency=20, Step=11001, Step=11017, Step=5205,", + "outcome": "success", + "sequence": 2000200004, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:13:00.400 +00:00 2000200004 5205 NOTICE Passed-Authentication: Dynamic Authorization succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50004, DestinationIPAddress=198.51.100.41, DestinationPort=3799, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, 
NAS-IP-Address=192.0.2.51, NAS-Port=31, Calling-Station-ID=BB-CC-DD-EE-FF-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777780, RequestLatency=20, Step=11001, Step=11017, Step=5205,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.51", + "198.51.100.41" + ], + "user": [ + "user11" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user11" + ] + } + }, + { + "@timestamp": "2022-03-15T11:14:00.500Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777781" + } + }, + "calling_station": { + "id": "BB-CC-DD-EE-FF-03" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50005", + "EapTunnel": "EAP-FAST" + }, + "message": { + "code": "5206", + "description": "Passed-Authentication: PAC provisioned", + "id": "2000100005" + }, + "nas": { + "ip": "192.0.2.51", + "port": { + "number": 32, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device011", + "profile_id": "66666666-7777-8888-9999-000000000000" + } + }, + "request": { + "latency": 35 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "11117", + "5206" + ] + } + }, + "client": { + "ip": "192.0.2.51" + }, + "destination": { + "ip": "198.51.100.41", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5206", + "kind": "event", + "original": "<181>Mar 15 11:14:00 host005 CISE_Passed_Authentications 2000100005 1 0 2022-03-15 11:14:00.500 +00:00 2000200005 5206 NOTICE Passed-Authentication: PAC provisioned, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50005, DestinationIPAddress=198.51.100.41, 
DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=32, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-03, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777781, RequestLatency=35, EapTunnel=EAP-FAST, Step=11001, Step=11017, Step=11117, Step=5206,", + "outcome": "success", + "sequence": 2000200005, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:14:00.500 +00:00 2000200005 5206 NOTICE Passed-Authentication: PAC provisioned, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50005, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=32, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-03, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777781, RequestLatency=35, EapTunnel=EAP-FAST, Step=11001, Step=11017, Step=11117, Step=5206,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.51", + "198.51.100.41" + ], + "user": [ + "user11" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user11" + ] + } + }, + { + "@timestamp": "2022-03-15T11:15:00.600Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777782" + } + }, + "calling_station": { + "id": "BB-CC-DD-EE-FF-04" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50006" + }, + "message": { + "code": "5232", + "description": "Passed-Authentication: DACL Download 
Succeeded", + "id": "2000100006" + }, + "nas": { + "ip": "192.0.2.51", + "port": { + "number": 33, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device011", + "profile_id": "66666666-7777-8888-9999-000000000000" + } + }, + "request": { + "latency": 12 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5232" + ] + } + }, + "client": { + "ip": "192.0.2.51" + }, + "destination": { + "ip": "198.51.100.41", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "network" + ], + "code": "5232", + "kind": "event", + "original": "<181>Mar 15 11:15:00 host005 CISE_Passed_Authentications 2000100006 1 0 2022-03-15 11:15:00.600 +00:00 2000200006 5232 NOTICE Passed-Authentication: DACL Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50006, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=33, Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777782, RequestLatency=12, Step=11001, Step=11017, Step=5232,", + "outcome": "success", + "sequence": 2000200006, + "timezone": "+00:00", + "type": [ + "allowed" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:15:00.600 +00:00 2000200006 5232 NOTICE Passed-Authentication: DACL Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.51, Device Port=50006, DestinationIPAddress=198.51.100.41, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device011, User-Name=user11, NAS-IP-Address=192.0.2.51, NAS-Port=33, 
Service-Type=Framed, Calling-Station-ID=BB-CC-DD-EE-FF-04, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=66666666-7777-8888-9999-000000000000, AcsSessionID=host005/555555555/7777782, RequestLatency=12, Step=11001, Step=11017, Step=5232,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.51", + "198.51.100.41" + ], + "user": [ + "user11" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user11" + ] + } + }, + { + "@timestamp": "2022-03-15T11:16:00.700Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777783" + } + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50007" + }, + "message": { + "code": "5234", + "description": "Passed-Authentication: SGA Peer Policy Download Succeeded", + "id": "2000100007" + }, + "nas": { + "ip": "192.0.2.52", + "port": { + "number": 34, + "type": "Virtual" + } + }, + "network": { + "device": { + "name": "device012", + "profile_id": "77777777-8888-9999-0000-111111111111" + } + }, + "request": { + "latency": 50 + }, + "segment": { + "number": 0, + "total": 1 + }, + "step": [ + "11001", + "11017", + "5234" + ] + } + }, + "client": { + "ip": "192.0.2.52" + }, + "destination": { + "ip": "198.51.100.42", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "network" + ], + "code": "5234", + "kind": "event", + "original": "<181>Mar 15 11:16:00 host005 CISE_Passed_Authentications 2000100007 1 0 2022-03-15 11:16:00.700 +00:00 2000200007 5234 NOTICE Passed-Authentication: SGA Peer Policy Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50007, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.52, NAS-Port=34, 
NAS-Port-Type=Virtual, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777783, RequestLatency=50, Step=11001, Step=11017, Step=5234,", + "outcome": "success", + "sequence": 2000200007, + "timezone": "+00:00", + "type": [ + "allowed" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:16:00.700 +00:00 2000200007 5234 NOTICE Passed-Authentication: SGA Peer Policy Download Succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50007, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=#CTSREQUEST#, NAS-IP-Address=192.0.2.52, NAS-Port=34, NAS-Port-Type=Virtual, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777783, RequestLatency=50, Step=11001, Step=11017, Step=5234,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.52", + "198.51.100.42" + ], + "user": [ + "#CTSREQUEST#" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "#CTSREQUEST#" + ] + } + }, + { + "@timestamp": "2022-03-15T11:17:00.800Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777784" + } + }, + "authentication": { + "identity_store": "Internal Users", + "method": "PAP_ASCII" + }, + "calling_station": { + "id": "CC-DD-EE-FF-00-01" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50008" + }, + "message": { + "code": "5235", + "description": "Guest: Sponsor has successfully authenticated", + "id": "2000100008" + }, + "nas": { + "ip": "192.0.2.52", + "port": { + "number": 35, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device012", + "profile_id": 
"77777777-8888-9999-0000-111111111111" + } + }, + "portal": { + "name": "Sponsor Portal" + }, + "request": { + "latency": 18 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5235" + ] + } + }, + "client": { + "ip": "192.0.2.52" + }, + "destination": { + "ip": "198.51.100.42", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "guest", + "category": [ + "authentication" + ], + "code": "5235", + "kind": "event", + "original": "<181>Mar 15 11:17:00 host005 CISE_Passed_Authentications 2000100008 1 0 2022-03-15 11:17:00.800 +00:00 2000200008 5235 NOTICE Guest: Sponsor has successfully authenticated, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50008, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=sponsor01, NAS-IP-Address=192.0.2.52, NAS-Port=35, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777784, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, PortalName=Sponsor Portal, RequestLatency=18, Step=11001, Step=11017, Step=5235,", + "outcome": "success", + "sequence": 2000200008, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:17:00.800 +00:00 2000200008 5235 NOTICE Guest: Sponsor has successfully authenticated, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50008, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=sponsor01, NAS-IP-Address=192.0.2.52, NAS-Port=35, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-01, NAS-Port-Type=Wireless - 
IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777784, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, PortalName=Sponsor Portal, RequestLatency=18, Step=11001, Step=11017, Step=5235,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.52", + "198.51.100.42" + ], + "user": [ + "sponsor01" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "sponsor01" + ] + } + }, + { + "@timestamp": "2022-03-15T11:18:00.900Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777785" + } + }, + "calling_station": { + "id": "CC-DD-EE-FF-00-02" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50009" + }, + "message": { + "code": "5236", + "description": "Passed-Authentication: Authorize-Only succeeded", + "id": "2000100009" + }, + "nas": { + "ip": "192.0.2.52", + "port": { + "number": 36, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device012", + "profile_id": "77777777-8888-9999-0000-111111111111" + } + }, + "request": { + "latency": 16 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Authorize Only" + }, + "step": [ + "11001", + "11017", + "5236" + ] + } + }, + "client": { + "ip": "192.0.2.52" + }, + "destination": { + "ip": "198.51.100.42", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "network" + ], + "code": "5236", + "kind": "event", + "original": "<181>Mar 15 11:18:00 host005 CISE_Passed_Authentications 2000100009 1 0 2022-03-15 11:18:00.900 +00:00 2000200009 5236 NOTICE Passed-Authentication: Authorize-Only succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50009, DestinationIPAddress=198.51.100.42, 
DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, NAS-IP-Address=192.0.2.52, NAS-Port=36, Service-Type=Authorize Only, Calling-Station-ID=CC-DD-EE-FF-00-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777785, RequestLatency=16, Step=11001, Step=11017, Step=5236,", + "outcome": "success", + "sequence": 2000200009, + "timezone": "+00:00", + "type": [ + "allowed" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:18:00.900 +00:00 2000200009 5236 NOTICE Passed-Authentication: Authorize-Only succeeded, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50009, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, NAS-IP-Address=192.0.2.52, NAS-Port=36, Service-Type=Authorize Only, Calling-Station-ID=CC-DD-EE-FF-00-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777785, RequestLatency=16, Step=11001, Step=11017, Step=5236,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.52", + "198.51.100.42" + ], + "user": [ + "user12" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user12" + ] + } + }, + { + "@timestamp": "2022-03-15T11:19:00.000Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777786" + } + }, + "calling_station": { + "id": "CC-DD-EE-FF-00-03" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50010" + }, + "message": { + "code": "5237", + "description": "Passed-Authentication: Device Registration Web Authentication Passed", + 
"id": "2000100010" + }, + "nas": { + "ip": "192.0.2.52", + "port": { + "number": 37, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device012", + "profile_id": "77777777-8888-9999-0000-111111111111" + } + }, + "request": { + "latency": 23 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5237" + ] + } + }, + "client": { + "ip": "192.0.2.52" + }, + "destination": { + "ip": "198.51.100.42", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5237", + "kind": "event", + "original": "<181>Mar 15 11:19:00 host005 CISE_Passed_Authentications 2000100010 1 0 2022-03-15 11:19:00.000 +00:00 2000200010 5237 NOTICE Passed-Authentication: Device Registration Web Authentication Passed, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50010, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, NAS-IP-Address=192.0.2.52, NAS-Port=37, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-03, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777786, RequestLatency=23, Step=11001, Step=11017, Step=5237,", + "outcome": "success", + "sequence": 2000200010, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:19:00.000 +00:00 2000200010 5237 NOTICE Passed-Authentication: Device Registration Web Authentication Passed, ConfigVersionId=80, Device IP Address=192.0.2.52, Device Port=50010, DestinationIPAddress=198.51.100.42, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device012, User-Name=user12, 
NAS-IP-Address=192.0.2.52, NAS-Port=37, Service-Type=Framed, Calling-Station-ID=CC-DD-EE-FF-00-03, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=77777777-8888-9999-0000-111111111111, AcsSessionID=host005/555555555/7777786, RequestLatency=23, Step=11001, Step=11017, Step=5237,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.52", + "198.51.100.42" + ], + "user": [ + "user12" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user12" + ] + } + }, + { + "@timestamp": "2022-03-15T11:20:00.100Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777787" + } + }, + "calling_station": { + "id": "DD-EE-FF-00-11-01" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50011" + }, + "message": { + "code": "5238", + "description": "Passed-Authentication: Endpoint authentication problem was fixed", + "id": "2000100011" + }, + "nas": { + "ip": "192.0.2.53", + "port": { + "number": 38, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device013", + "profile_id": "88888888-9999-0000-1111-222222222222" + } + }, + "request": { + "latency": 27 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5238" + ] + } + }, + "client": { + "ip": "192.0.2.53" + }, + "destination": { + "ip": "198.51.100.43", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5238", + "kind": "event", + "original": "<181>Mar 15 11:20:00 host005 CISE_Passed_Authentications 2000100011 1 0 2022-03-15 11:20:00.100 +00:00 2000200011 5238 NOTICE Passed-Authentication: Endpoint authentication problem was fixed, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50011, 
DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=38, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777787, RequestLatency=27, Step=11001, Step=11017, Step=5238,", + "outcome": "success", + "sequence": 2000200011, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:20:00.100 +00:00 2000200011 5238 NOTICE Passed-Authentication: Endpoint authentication problem was fixed, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50011, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=38, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-01, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777787, RequestLatency=27, Step=11001, Step=11017, Step=5238,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.53", + "198.51.100.43" + ], + "user": [ + "user13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user13" + ] + } + }, + { + "@timestamp": "2022-03-15T11:21:00.200Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777788" + } + }, + "calling_station": { + "id": "DD-EE-FF-00-11-02" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "log_details": { + "Device Port": "50012" + }, + "message": { + "code": "5240", + "description": "Passed-Authentication: Previously rejected 
endpoint was released to continue authentications", + "id": "2000100012" + }, + "nas": { + "ip": "192.0.2.53", + "port": { + "number": 39, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device013", + "profile_id": "88888888-9999-0000-1111-222222222222" + } + }, + "request": { + "latency": 11 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5240" + ] + } + }, + "client": { + "ip": "192.0.2.53" + }, + "destination": { + "ip": "198.51.100.43", + "port": 1812 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "authentication" + ], + "code": "5240", + "kind": "event", + "original": "<181>Mar 15 11:21:00 host005 CISE_Passed_Authentications 2000100012 1 0 2022-03-15 11:21:00.200 +00:00 2000200012 5240 NOTICE Passed-Authentication: Previously rejected endpoint was released to continue authentications, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50012, DestinationIPAddress=198.51.100.43, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=39, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777788, RequestLatency=11, Step=11001, Step=11017, Step=5240,", + "outcome": "success", + "sequence": 2000200012, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:21:00.200 +00:00 2000200012 5240 NOTICE Passed-Authentication: Previously rejected endpoint was released to continue authentications, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50012, DestinationIPAddress=198.51.100.43, 
DestinationPort=1812, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=39, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-02, NAS-Port-Type=Wireless - IEEE 802.11, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777788, RequestLatency=11, Step=11001, Step=11017, Step=5240,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.53", + "198.51.100.43" + ], + "user": [ + "user13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user13" + ] + } + }, + { + "@timestamp": "2022-03-15T11:22:00.300Z", + "cisco_ise": { + "log": { + "acs": { + "session": { + "id": "host005/555555555/7777789" + } + }, + "calling_station": { + "id": "DD-EE-FF-00-11-03" + }, + "category": { + "name": "CISE_Passed_Authentications" + }, + "config_version": { + "id": 80 + }, + "dtls_support": "Yes", + "log_details": { + "Device Port": "50013" + }, + "message": { + "code": "5241", + "description": "Passed-Authentication: RADIUS DTLS handshake succeeded", + "id": "2000100013" + }, + "nas": { + "ip": "192.0.2.53", + "port": { + "number": 40, + "type": "Wireless - IEEE 802.11" + } + }, + "network": { + "device": { + "name": "device013", + "profile_id": "88888888-9999-0000-1111-222222222222" + } + }, + "request": { + "latency": 65 + }, + "segment": { + "number": 0, + "total": 1 + }, + "service": { + "type": "Framed" + }, + "step": [ + "11001", + "11017", + "5241" + ] + } + }, + "client": { + "ip": "192.0.2.53" + }, + "destination": { + "ip": "198.51.100.43", + "port": 2083 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "passed-authentication", + "category": [ + "network" + ], + "code": "5241", + "kind": "event", + "original": "<181>Mar 15 11:22:00 host005 CISE_Passed_Authentications 2000100013 1 0 2022-03-15 11:22:00.300 +00:00 2000200013 5241 NOTICE Passed-Authentication: RADIUS DTLS handshake 
succeeded, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50013, DestinationIPAddress=198.51.100.43, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=40, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777789, RequestLatency=65, Step=11001, Step=11017, Step=5241,", + "outcome": "success", + "sequence": 2000200013, + "timezone": "+00:00", + "type": [ + "connection" + ] + }, + "host": { + "hostname": "host005" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2022-03-15 11:22:00.300 +00:00 2000200013 5241 NOTICE Passed-Authentication: RADIUS DTLS handshake succeeded, ConfigVersionId=80, Device IP Address=192.0.2.53, Device Port=50013, DestinationIPAddress=198.51.100.43, DestinationPort=2083, Protocol=Radius, NetworkDeviceName=device013, User-Name=user13, NAS-IP-Address=192.0.2.53, NAS-Port=40, Service-Type=Framed, Calling-Station-ID=DD-EE-FF-00-11-03, NAS-Port-Type=Wireless - IEEE 802.11, DTLSSupport=Yes, NetworkDeviceProfileId=88888888-9999-0000-1111-222222222222, AcsSessionID=host005/555555555/7777789, RequestLatency=65, Step=11001, Step=11017, Step=5241,", + "network": { + "protocol": "radius" + }, + "related": { + "hosts": [ + "host005" + ], + "ip": [ + "192.0.2.53", + "198.51.100.43" + ], + "user": [ + "user13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": [ + "user13" + ] + } } ] } diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml index 7a250abaf81..10d3e66d311 100644 
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml @@ -61,11 +61,16 @@ processors: tag: lowercase_event_action_9334b869 field: event.action ignore_missing: true + - set: + tag: set_event_outcome_failure + field: event.outcome + value: failure + ignore_failure: true - append: tag: append_event_category_9c60edae field: event.category value: authentication - if: ctx.cisco_ise?.log?.message?.code != null && ['5405','5411','5418','5435','5400','5440'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5400','5401','5405','5411','5412','5418','5423','5435','5440','5448'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - append: tag: append_event_category_ef7d974b @@ -77,13 +82,13 @@ processors: tag: append_event_type_2ee7aeee field: event.type value: info - if: ctx.cisco_ise?.log?.message?.code != null && ['5405','5411','5418','5435','5400','5440'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5400','5401','5405','5411','5412','5418','5423','5435','5440','5448'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - append: tag: append_event_type_02b5178b field: event.type value: end - if: ctx.cisco_ise?.log?.message?.code != null && ['5405','5411','5418','5435'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5405','5411','5435'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - append: tag: append_event_type_daec1823 
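Review bot: `set_event_outcome_failure` in the @@ -61 hunk carries no `if:`, so every document that reaches this pipeline gets `event.outcome: failure`, including codes the later @@ -91 hunk classifies as pure `network`/`connection` (5450) or `iam`/`user` (5415), where a failure outcome is at least worth stating explicitly; the sibling pipeline_passed_authentications gates each `set_event_outcome_success` on a code list, so the two pipelines now differ in style. If the intent is that everything in CISE_Failed_Attempts is by definition a failed operation, say so above the processor, e.g. `# Every CISE_Failed_Attempts message is a failed operation, so outcome is set for all codes.`; otherwise gate it on the union of the code lists. `ignore_failure: true` on a constant-value `set` cannot do anything and could be dropped. The processors list continues outside the hunk.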
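Review bot: In the @@ -77 hunk code 5418 is removed from the `end` list of `append_event_type_02b5178b` while it stays in the `info` list of `append_event_type_2ee7aeee`, so its `event.type` silently changes from `[info, end]` to `[info]`; if that reclassification is intended it should be called out in the changelog entry, whose description only mentions additions. The same literal code list is copied between the category and type processors here and again in both pipeline_passed_authentications hunks, and the lists are meant to differ only where intended, which is exactly the kind of coupling that drifts on the next edit. A comment above each group naming where the mapping comes from, e.g. `# Source: Cisco ISE message catalog; keep in sync with append_event_category_9c60edae.`, would at least make the coupling visible. Both hunks sit inside a processors list that continues outside them.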
@@ -91,6 +96,150 @@ processors: value: start if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5440' ignore_failure: true + - append: + tag: append_event_category_authentication_tacacs_denied + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ['5402','5403','5407'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_tacacs_denied + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5402','5403','5407'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_denied_tacacs + field: event.type + value: denied + if: ctx.cisco_ise?.log?.message?.code != null && ['5402','5403','5407'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_authentication_tacacs_err + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ['5408','5409','5410'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_tacacs_err + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5408','5409','5410'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_info_tacacs_err + field: event.type + value: info + if: ctx.cisco_ise?.log?.message?.code != null && ['5408','5409','5410'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_authentication_suppression + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ['5449'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_end_suppression + field: event.type + value: end + if: ctx.cisco_ise?.log?.message?.code != null && 
['5449'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_dropped_denied + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5406','5441','5442','5443'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_denied_network_dropped + field: event.type + value: denied + if: ctx.cisco_ise?.log?.message?.code != null && ['5406','5441','5442','5443'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_authz_fail + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5419','5422'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_denied_authz_fail + field: event.type + value: denied + if: ctx.cisco_ise?.log?.message?.code != null && ['5419','5422'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_info_fail + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5413','5414','5417','5420','5421','5434', '5436','5437','5438','5439'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_info_network_fail + field: event.type + value: info + if: ctx.cisco_ise?.log?.message?.code != null && ['5413','5414','5417','5420','5421','5434', '5436','5437','5438','5439'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_5416 + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5416' + ignore_failure: true + - append: + tag: append_event_type_end_5416 + field: event.type + value: end + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5416' + ignore_failure: true + - append: 
+ tag: append_event_category_network_5450 + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5450' + ignore_failure: true + - append: + tag: append_event_type_connection_5450 + field: event.type + value: connection + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5450' + ignore_failure: true + - append: + tag: append_event_category_iam_5415 + field: event.category + value: iam + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5415' + ignore_failure: true + - append: + tag: append_event_type_user_5415 + field: event.type + value: user + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5415' + ignore_failure: true + - append: + tag: append_event_category_authentication_5451 + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5451' + ignore_failure: true + - append: + tag: append_event_type_end_5451 + field: event.type + value: end + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5451' + ignore_failure: true + - append: + tag: append_event_category_authentication_5452 + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5452' + ignore_failure: true + - append: + tag: append_event_type_info_5452 + field: event.type + value: info + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5452' + ignore_failure: true - kv: tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac field: cisco_ise.log.log_details_raw 
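Review bot: The new processors in this hunk only cover codes that appear in one of the lists, so a CISE_Failed_Attempts message with any other code leaves the pipeline with `event.outcome: failure` but no `event.category`/`event.type`, and detection content keyed on `event.category` will not see it; a trailing fallback (for example appending `authentication`/`info` when `event.category` is still null) or a comment listing the codes that are intentionally unmapped would close that gap. As a matter of style, the 24 near-identical `append` processors mix `['5449'].contains(...)` with `== '5416'` for single codes and carry a stray space in `'5434', '5436'`; a single `script` processor with a code-to-category/type map in `params` would make the whole mapping reviewable in one place. Each group would also benefit from a one-line comment naming the ISE message group it covers, since tags such as `tacacs_denied` and `authz_fail` only hint at it. The processors list continues outside the hunk.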
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml index 39a88ad8dd3..932d5c3b83c 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml @@ -65,13 +65,13 @@ processors: tag: append_authentication field: event.category value: authentication - if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5201','5206','5231','5233','5235','5237','5238','5239','5240'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - set: tag: set_event_outcome_success field: event.outcome value: success - if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5201','5206','5231','5233','5235','5237','5238','5239','5240'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - set: tag: set_event_outcome_failure 
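Review bot: The six codes added to `set_event_outcome_success` (5201, 5206, 5235, 5237, 5238, 5240) are immediately followed by a `set_event_outcome_failure` processor whose condition lies outside the hunk; because `set` processors run in order and the later one wins, any code present in both lists would silently end up as `failure`, so that condition should be checked for overlap as part of this change. A comment such as `# Keep disjoint from set_event_outcome_failure below; a later set overrides an earlier one.` above the success processor would make the constraint visible. As in the category processor above it, the same list literal is repeated three times across this hunk and the @@ -83 hunk and can drift independently.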
@@ -83,7 +83,103 @@ processors: tag: append_event_type field: event.type value: info - if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code) + if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5201','5206','5231','5233','5235','5237','5238','5239','5240'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_authentication_tacacs_authz + field: event.category + value: authentication + if: ctx.cisco_ise?.log?.message?.code != null && ['5202','5203'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_tacacs_authz + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5202','5203'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_allowed_tacacs_authz + field: event.type + value: allowed + if: ctx.cisco_ise?.log?.message?.code != null && ['5202','5203'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - set: + tag: set_event_outcome_success_tacacs_authz + field: event.outcome + value: success + if: ctx.cisco_ise?.log?.message?.code != null && ['5202','5203'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_iam_5204 + field: event.category + value: iam + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5204' + ignore_failure: true + - append: + tag: append_event_type_user_5204 + field: event.type + value: user + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5204' + ignore_failure: true + - set: + tag: set_event_outcome_success_5204 + field: event.outcome + value: success + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5204' + ignore_failure: true + - append: + tag: append_event_category_network_5205 + field: 
event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5205' + ignore_failure: true + - append: + tag: append_event_type_info_5205 + field: event.type + value: info + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5205' + ignore_failure: true + - set: + tag: set_event_outcome_success_5205 + field: event.outcome + value: success + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5205' + ignore_failure: true + - append: + tag: append_event_category_network_infra_success + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ['5232','5234','5236'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_type_allowed_infra_success + field: event.type + value: allowed + if: ctx.cisco_ise?.log?.message?.code != null && ['5232','5234','5236'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - set: + tag: set_event_outcome_success_infra + field: event.outcome + value: success + if: ctx.cisco_ise?.log?.message?.code != null && ['5232','5234','5236'].contains(ctx.cisco_ise.log.message.code) + ignore_failure: true + - append: + tag: append_event_category_network_5241 + field: event.category + value: network + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5241' + ignore_failure: true + - append: + tag: append_event_type_connection_5241 + field: event.type + value: connection + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5241' + ignore_failure: true + - set: + tag: set_event_outcome_success_5241 + field: event.outcome + value: success + if: ctx.cisco_ise?.log?.message?.code != null && ctx.cisco_ise.log.message.code == '5241' ignore_failure: true - kv: tag: kv_cisco_ise_log_log_details_raw_to_cisco_ise_log_log_details_dd59a8ac 
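Review bot: Every code group in this hunk repeats one condition across three processors (category, type, outcome), so a typo in any one of the copies yields a document with, say, a category but no outcome, and nothing in the pipeline would flag it; consolidating each group behind one `script` processor, or at least a comment above each group giving the ISE message group and the intended category/type/outcome triple, would make the mapping reviewable. For 5202/5203 the type `allowed` is appended next to the `authentication` category; per the ECS event.category reference `allowed` is an expected type for `network`, not `authentication`, which works here only because `network` is appended as well, so a comment such as `# allowed pairs with the network category appended above, not with authentication` would keep a later cleanup from dropping the network append. Unlike pipeline_failed_attempts, codes matching none of the lists get no `event.outcome` here, which follows the ECS guidance to leave outcome unset when unknown but deserves a comment so the asymmetry reads as deliberate. The processors list continues outside the hunk.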
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml index 86d18a2ea42..58f339fe5a0 100644 --- a/packages/cisco_ise/manifest.yml +++ b/packages/cisco_ise/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_ise title: Cisco ISE -version: "1.32.5" +version: "1.32.6" description: Collect logs from Cisco ISE with Elastic Agent. type: integration categories: