
Need Help on SSIM queries

Created: 25 Apr 2008 • Updated: 23 May 2010 | 4 comments
I am trying to write a query to calculate login failure event counts on Cisco devices, but I can't find any parameter on the basis of which I can use the filters.
Does anyone have any idea on this? Please revert.


MegL's picture
Cisco devices? Depending on what you want, you want a mechanism of login and outcome of failed. You can then filter by product id, or by logging product or by ip, depending on how granular you want the query to be. I can't tell if you mean "login failed BY device TYPE" or "login failed ON EACH DEVICE" because that's two different things.
neil.enigma's picture
Hi Meg,
Thanks for the reply...
Cisco devices means the Cisco routers and switches. I want to calculate the number of login failures on those devices. As the authentication for those devices is done by Cisco Secure Access Server, the events at the Cisco Secure Access event collector contain the information of Source IP & name only... not any kind of Destination information. But I want "Login fail count on Each Device (i.e. Routers and Switches)", for which I need "Login_device_IP" information to apply the respective filter.
fromthedepths's picture


Syslog messages included in ACS have the following format:

<n> mmm dd hh:mm:ss XX:XX:XX:XX TAG  msg_id total_seg seg# A1=V1

The elements of the message are:

n—The Priority value of the message; it is a combination of facility and severity of the syslog message, which is calculated according to RFC 3164, by first multiplying the facility value by 8 and then adding the severity value.

mmm dd hh:mm:ss—Date and time of the message.

XX:XX:XX:XX—IP Address of the machine generating this syslog message.

TAG—One of the following values, depending on the application name.

CisACS_01_PassedAuth—Cisco ACS passed authentications.

CisACS_02_FailedAuth—Cisco ACS failed attempts.

CisACS_03_RADIUSAcc—Cisco ACS RADIUS accounting.

CisACS_04_TACACSAcc—Cisco ACS TACACS+ accounting.

CisACS_05_TACACSAdmin—Cisco ACS TACACS+ administration.

CisACS_06_VoIPAcc—Cisco ACS VoIP accounting.

CisACS_11_BackRestore—ACS backup and restore log messages.

CisACS_12_Replication—ACS database replication log messages.

CisACS_13_AdminAudit—ACS administration audit log messages.

CisACS_14_PassChanges—ACS user password changes log messages.

CisACS_15_ServiceMon—ACS service monitoring log messages.

CisACS_16_ApplAdmin—ACS appliance administration audit log messages.

msg_id—Unique message ID. All segments of one message share the same message ID.

total_seg—Total number of segments in this message.

seg#—Segment sequence number within this message segmentation.

A1=V1—Attribute-value pairs delimited by a comma (,) for Cisco ACS log messages and the message itself.

Write a query based on the TAG ID and this should facilitate what you are looking for, as long as you have your logging level set accordingly.

Derek Chamorro

Message Edited by fromthedepths on 06-09-2008 10:58 AM
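
Added example (not part of the original thread, and not Symantec or Cisco code): a Python parser for the syslog layout quoted in the post above, which decodes the priority value, reassembles segmented messages by msg_id, and counts CisACS_02_FailedAuth messages per device. The attribute name NAS-IP-Address, the rule that segment payloads concatenate in seg# order, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# <n> mmm dd hh:mm:ss host TAG msg_id total_seg seg# A1=V1,...
LINE = re.compile(
    r"<(?P<pri>\d+)>\s*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<tag>CisACS_\d\d_\w+)\s+(?P<msg_id>\S+)\s+(?P<total>\d+)\s+(?P<seg>\d+)\s(?P<body>.*)")

def parse_line(line):
    """Split one ACS syslog line into its fields; None if it does not match."""
    m = LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Priority = facility * 8 + severity (RFC 3164), so divmod reverses it.
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    rec["total"], rec["seg"] = int(rec["total"]), int(rec["seg"])
    return rec

def reassemble(lines):
    """Join segments sharing a msg_id; yield (tag, host, attrs) once complete."""
    parts = defaultdict(dict)
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["host"], rec["msg_id"])
        parts[key][rec["seg"]] = rec
        if len(parts[key]) == rec["total"]:
            segs = parts.pop(key)
            # Assumption: payloads concatenate in seg# order.
            body = "".join(segs[i]["body"] for i in sorted(segs))
            pairs = (p.split("=", 1) for p in body.split(",") if "=" in p)
            yield rec["tag"], rec["host"], {k.strip(): v.strip() for k, v in pairs}

def failed_logins_per_device(lines, device_attr="NAS-IP-Address"):
    """Count failed-auth messages per device; device_attr is an assumed name."""
    counts = Counter()
    for tag, _host, attrs in reassemble(lines):
        if tag == "CisACS_02_FailedAuth":
            counts[attrs.get(device_attr, "unknown")] += 1
    return counts

# Constructed sample lines (documentation addresses), not real ACS output.
SAMPLE = [
    "<110> Jun  9 10:58:01 192.0.2.10 CisACS_02_FailedAuth a1b2c3 1 0 User-Name=alice,NAS-IP-Address=198.51.100.1,",
    "<110> Jun  9 10:58:05 192.0.2.10 CisACS_02_FailedAuth a1b2c4 2 0 User-Name=bob,NAS-IP-Addr",
    "<110> Jun  9 10:58:05 192.0.2.10 CisACS_02_FailedAuth a1b2c4 2 1 ess=198.51.100.1,",
    "<110> Jun  9 10:58:09 192.0.2.10 CisACS_01_PassedAuth a1b2c5 1 0 User-Name=carol,NAS-IP-Address=198.51.100.2,",
    "<110> Jun  9 10:59:00 192.0.2.10 CisACS_02_FailedAuth a1b2c6 1 0 User-Name=alice,NAS-IP-Address=198.51.100.2,",
]

if __name__ == "__main__":
    for device, n in failed_logins_per_device(SAMPLE).most_common():
        print(device, n)
```

Attribute values that themselves contain commas would need a stricter splitter than the one used here.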

lukaszfr's picture


Currently, the Cisco ACS collector is based on the LogFile sensor and not the Syslog sensor. The log format used in ACS log files is different from the format of syslog messages, so if you want to gather ACS logs via syslog, you have to build a new collector based on the Syslog sensor and prepare different translation rules.


Message Edited by antilles on 06-10-2008 03:26 PM