I have a Cisco VPN (not sure exactly which hardware) whose logs are forwarded to our Splunk server. It appears the username is redacted. All I see are asterisks. Is this something that can be changed on the VPN and how? Hopefully there is enough consistency between devices that the question can be answered. Thanks!
Snip below:
IP xx.xx.xx.xx
_raw Jun 26 10:23:31 xx.xx.xx.xx %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = xx.xx.xx.xx : user = ***** : user IP = xx.xx.xx.xx
_time 2014-06-26T10:23:31.000-0400
app
date_hour 10
date_mday 26
date_minute 23
date_month june
date_second 31
date_wday thursday
date_year 2014
date_zone local
eventtype
host xx.xx.xx.xx
ids_type
index main
linecount 1
pid
process %ASA-6-113005
product
punct __::_..._%--:_____:__=___:__=_..._:__=_*****_:___=
reason Invalid
server xx.xx.xx.xx
source syslog
sourcetype syslog
splunk_server xx.xx.xx
tag::eventtype
timeendpos 15
timestartpos 0
user *****
vendor
Best Answer
This is a Splunk issue and not a network issue. As you can see from my Splunk log of an invalid login attempt (non-LDAP though):
It shows the username in plaintext. The syslog ID is different because I do not have LDAP configured on my lab ASA.
The answers you seek will most likely be found in the Splunk manual, as it will be, as YLearn mentioned, in your Splunk config files.
This is an explanation (cisco.com) of the syslog ID you're seeing.
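Added example (not part of the thread, and not anyone's actual Splunk or ASA configuration): a small parser for the %ASA-6-113005 message format shown in the question. It does two things a practitioner would want when chasing this: it extracts the " : "-delimited fields properly, so `reason` comes out as "Invalid password" rather than the truncated "Invalid" that the automatic key=value extraction produced in the field list above, and it flags whether the `user` value was already masked before it reached Splunk. `mask_user` applies the kind of index-time substitution a Splunk SEDCMD in props.conf would apply; the rule shown in its comment is an assumed illustration of what to look for in the config files, not the asker's config. The sample events are constructed, with placeholder addresses.

```python
import re

# Constructed sample events modelled on the one in the question.
# Addresses are placeholders; the second event is made up to show an unmasked user.
SAMPLE_EVENTS = [
    "Jun 26 10:23:31 xx.xx.xx.xx %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = xx.xx.xx.xx : user = ***** : user IP = xx.xx.xx.xx",
    "Jun 26 10:24:02 xx.xx.xx.xx %ASA-6-113005: AAA user authentication Rejected : "
    "reason = AAA failure : server = 10.0.0.5 : user = jdoe : user IP = 192.0.2.10",
]

# %ASA-<severity>-<message id>: <message text>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")


def parse_asa_113005(event):
    """Return a dict of fields from a 113005 event, or None if it is not one.

    The message body is a list of items separated by ' : '. The first item is the
    free-text summary; the rest are 'key = value' pairs whose values may contain
    spaces ('Invalid password'), which is why splitting on whitespace truncates them.
    """
    m = MSG_RE.search(event)
    if not m or m.group("msgid") != "113005":
        return None

    fields = {"severity": int(m.group("sev")), "msgid": m.group("msgid")}
    parts = [p.strip() for p in m.group("text").split(" : ")]
    fields["summary"] = parts[0]
    for part in parts[1:]:
        if " = " not in part:
            continue
        key, value = part.split(" = ", 1)
        # Normalise keys such as 'user IP' to 'user_ip'.
        fields[key.strip().lower().replace(" ", "_")] = value.strip()

    # A run of asterisks means the username was hidden before indexing.
    fields["user_masked"] = bool(re.fullmatch(r"\*+", fields.get("user", "")))
    return fields


def mask_user(event):
    """Apply the kind of index-time masking a Splunk SEDCMD would perform.

    Assumed illustration of a props.conf rule, not a rule from the asker's deployment:
        [syslog]
        SEDCMD-maskuser = s/user = \\S+/user = *****/
    'user IP = ...' is not touched because the key there is 'user IP', not 'user'.
    """
    return re.sub(r"user = \S+", "user = *****", event)


def masked_events(events):
    """List the user values of every 113005 event, for a quick check of what was indexed."""
    out = []
    for ev in events:
        f = parse_asa_113005(ev)
        if f is not None:
            out.append((f["user"], f["user_masked"]))
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_asa_113005(ev))
    print(parse_asa_113005(mask_user(SAMPLE_EVENTS[1])))
```

If the raw event already carries `user = *****` at the forwarder (before any Splunk transforms run), the masking did not happen in Splunk; if the forwarder's raw copy shows the name and the indexed copy does not, look for a SEDCMD or a TRANSFORMS stanza in props.conf on the indexer or heavy forwarder.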