I'm facing two issues because of a lack of proper support for CIM compliance.
1) The field `user` is not properly extracted. The app provides two aliases, for the fields `User_Name` and `UserName`. But I also found the fields `User` and `AdminUser`.
2) At the moment I'm observing a lot of `action = unknown` (at the datamodel level) for the events with _FailureReason="13017 Received TACACS+ packet from unknown Network Device or AAA Client"_. I think it should be marked with `action = failure`.
```
Jul 31 14:59:44 HOSTNAME CISE_Failed_Attempts 0000109068 1 0 2019-07-31 14:59:44.687 +09:00 0000518034 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=1054, Device IP Address=dead::beef, Device Port=58388, DestinationIPAddress=dead:beef::2, DestinationPort=49, Protocol=Tacacs, FailureReason=13017 Received TACACS+ packet from unknown Network Device or AAA Client, Step=13017,
```
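An added example, not part of the original post and not the app's own code: a small Python normalizer that applies the two mappings requested above to this event format, so the expected `user` and `action` values can be checked against what the data model reports. The function names, the second sample event and the rule "a `FailureReason` or the `CISE_Failed_Attempts` category means `failure`" are assumptions made for illustration.

```python
import re

# Source fields that should feed CIM `user`, in priority order (names from the post).
USER_FIELDS = ("User_Name", "UserName", "User", "AdminUser")

# The event from the post, plus a constructed one carrying AdminUser and a comma in a value.
EVENT_DROPPED = (
    "Jul 31 14:59:44 HOSTNAME CISE_Failed_Attempts 0000109068 1 0 2019-07-31 14:59:44.687 "
    "+09:00 0000518034 5406 NOTICE Failed-Attempt: TACACS+ Request dropped, ConfigVersionId=1054, "
    "Device IP Address=dead::beef, Device Port=58388, DestinationIPAddress=dead:beef::2, "
    "DestinationPort=49, Protocol=Tacacs, FailureReason=13017 Received TACACS+ packet from "
    "unknown Network Device or AAA Client, Step=13017,"
)
EVENT_ADMIN = (
    "Jul 31 15:00:01 HOSTNAME CISE_Failed_Attempts 0000109069 1 0 2019-07-31 15:00:01.000 "
    "+09:00 0000518035 5406 NOTICE Failed-Attempt: constructed sample, ConfigVersionId=1054, "
    "AdminUser=alice, FailureReason=constructed reason, with a comma, Step=1,"
)


def parse_attributes(line):
    """Split an ISE syslog line into (header, {attribute: value})."""
    header, _, rest = line.partition(", ")
    fields, last_key = {}, None
    for chunk in rest.split(", "):
        key, sep, value = chunk.partition("=")
        if sep and key.strip():
            last_key = key.strip()
            fields[last_key] = value.strip().rstrip(",")
        elif last_key and chunk.strip(", "):
            # No '=' in this chunk: it is the tail of a value that contained ", ".
            fields[last_key] += ", " + chunk.strip().rstrip(",")
    return header, fields


def normalize(line):
    """Return the parsed attributes plus CIM-style `user` and `action`."""
    header, fields = parse_attributes(line)
    category = re.search(r"\bCISE_\w+", header)
    # user: first non-empty candidate, None when the event names no user at all.
    user = next((fields[f] for f in USER_FIELDS if fields.get(f)), None)
    # action (assumed mapping): a FailureReason or the Failed_Attempts category means failure.
    if fields.get("FailureReason") or (category and category.group() == "CISE_Failed_Attempts"):
        action = "failure"
    else:
        action = "unknown"
    return {**fields, "user": user, "action": action}
```

The dropped-request event carries no user attribute at all, so `user` stays empty for it even once the extra aliases exist; only `action` changes for that event.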