How do I create a weekly report showing SSH login failures?

Hi all - 

I've been trying to make a weekly report that shows a list of all TACACS usernames and their number of SSH login failures. Here's what I've tried so far, but think I'm heading down the wrong path:

  • LogAnalyzer Rule to identify 'login failure' and username in the syslog message
  • LogAnalyzer triggers a unique alert for each username (cumbersome I know)
  • The report then reads from Alert History and matches the username and 'login failure' to target the right alert

This report is to hopefully identify brute-force attempts against our TACACS+ service in ClearPass, so the report would like like this:

[timestamp]  [username_one_paul]  [device_one]  ["Login Failures:"]  [count of login failures]
[timestamp]  [username_one_paul]  [device_two]  ["Login Failures:"]  [count of login failures]
[timestamp]  [username_two_mike]  [device_one]  ["Login Failures:"]  [count of login failures] 
[timestamp]  [username_two_mike]  [device_two]  ["Login Failures:"]  [count of login failures]
...

I know we can aggregate the column fields by Count and Count (Distinct), but I fear that won't generate the results I'm looking for as described above.

If anybody has a clue on how to achieve what I'm talking about, any info is appreciated - thank you.

For info we are running HCO 2024.4.0.