Hi all -
I've been trying to make a weekly report that shows a list of all TACACS usernames and their number of SSH login failures. Here's what I've tried so far, but think I'm heading down the wrong path:
- LogAnalyzer Rule to identify 'login failure' and username in the syslog message
- LogAnalyzer triggers a unique alert for each username (cumbersome I know)
- The report then reads from Alert History and matches the username and 'login failure' to target the right alert
This report is to hopefully identify brute-force attempts against our TACACS+ service in ClearPass, so the report would look like this:
[timestamp] [username_one_paul] [device_one] ["Login Failures:"] [count of login failures]
[timestamp] [username_one_paul] [device_two] ["Login Failures:"] [count of login failures]
[timestamp] [username_two_mike] [device_one] ["Login Failures:"] [count of login failures]
[timestamp] [username_two_mike] [device_two] ["Login Failures:"] [count of login failures]
...
I know we can aggregate the column fields by Count and Count (Distinct), but I fear that won't generate the results I'm looking for as described above.
If anybody has a clue on how to achieve what I'm talking about, any info is appreciated - thank you.
For info we are running HCO 2024.4.0.
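One way to get the per-username, per-device failure counts described above without one alert per user is to aggregate the login-failure syslog messages directly. The following is an added example, not anything from the original post and not LogAnalyzer or HCO functionality: it parses a handful of constructed syslog lines and produces rows in the layout shown in the post. The line format, the "login failure for user" wording and the device names are assumptions; the regex would need adjusting to match the actual ClearPass/TACACS+ syslog message.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample syslog lines. The format "<timestamp> <device> <process>: <message>"
# and the "login failure for user <name>" wording are assumptions for this example,
# not real ClearPass output.
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z device_one sshd: TACACS+ login failure for user paul from 10.0.0.5",
    "2024-05-01T10:00:04Z device_one sshd: TACACS+ login failure for user paul from 10.0.0.5",
    "2024-05-01T10:00:09Z device_one sshd: TACACS+ login failure for user paul from 10.0.0.5",
    "2024-05-01T10:01:00Z device_two sshd: TACACS+ login failure for user paul from 10.0.0.5",
    "2024-05-01T10:02:00Z device_one sshd: TACACS+ login failure for user mike from 10.0.0.9",
    "2024-05-01T10:02:30Z device_one sshd: TACACS+ login failure for user mike from 10.0.0.9",
    "2024-05-01T10:03:00Z device_one sshd: TACACS+ login success for user mike from 10.0.0.9",
    "2024-05-01T10:04:00Z device_two kernel: interface Gi0/1 link up",
]

# Captures the originating device and the username from a login-failure line.
# Case-insensitive so "Login Failure" and "login failure" both match.
LOGIN_FAILURE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+.*?login failure for user (?P<user>\S+)",
    re.IGNORECASE,
)


def parse_failures(lines):
    """Yield (username, device) for every line that is a login failure."""
    for line in lines:
        m = LOGIN_FAILURE_RE.search(line)
        if m:
            yield m.group("user"), m.group("device")


def count_failures(lines):
    """Count login failures per (username, device) pair."""
    return Counter(parse_failures(lines))


def build_report(lines, threshold=1, report_ts=None):
    """Return report rows in the post's layout:
    [timestamp, username, device, "Login Failures:", count]

    Rows are sorted by username then device. Pairs with fewer than
    `threshold` failures are dropped, so a weekly report can be limited
    to users/devices worth looking at rather than every single failure.
    """
    if report_ts is None:
        report_ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    counts = count_failures(lines)
    return [
        [report_ts, user, device, "Login Failures:", n]
        for (user, device), n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for row in build_report(SAMPLE_LINES):
        print(" ".join(f"[{field}]" for field in row))
```

In practice the lines would come from the syslog export for the reporting week rather than the embedded sample, and the threshold lets the report flag only the (user, device) pairs whose failure count looks like guessing rather than a mistyped password.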