Cisco VPN – Logs Not Showing Username

ciscovpn

I have a Cisco VPN (not sure exactly which hardware) whose logs are forwarded to our Splunk server. It appears the username is redacted. All I see are asterisks. Is this something that can be changed on the VPN and how? Hopefully there is enough consistency between devices that the question can be answered. Thanks!

Snip below:

IP  xx.xx.xx.xx
_raw    Jun 26 10:23:31 xx.xx.xx.xx %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = xx.xx.xx.xx : user = ***** : user IP = xx.xx.xx.xx   
_time   2014-06-26T10:23:31.000-0400    
app     
date_hour   10  
date_mday   26  
date_minute 23  
date_month  june    
date_second 31  
date_wday   thursday    
date_year   2014    
date_zone   local   
eventtype       
host    xx.xx.xx.xx 
ids_type        
index   main    
linecount   1   
pid     
process %ASA-6-113005   
product     
punct   __::_..._%--:_____:__=___:__=_..._:__=_*****_:___=  
reason  Invalid 
server  xx.xx.xx.xx 
source  syslog  
sourcetype  syslog  
splunk_server   xx.xx.xx    
tag::eventtype      
timeendpos  15  
timestartpos    0   
user    *****   
vendor      

Best Answer

This is a Splunk issue and not a network issue. As you can see from my Splunk log of an invalid login attempt (non-LDAP though):

Jul  5 17:55:52 firewall.local %ASA-6-113015: AAA user 
  authentication Rejected : reason = Invalid password : local database : 
  user = legioxi

It shows the username in plaintext. The syslog ID is different because I do not have LDAP configured on my lab ASA.

The answers you seek will most likely be found in the Splunk manual, as it will be, as YLearn mentioned, in your Splunk config files.

This is an explanation (cisco.com) of the syslog ID you're seeing.
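
As an added example (not part of the question or the answer above), here is a small Python parser for the two AAA rejection messages quoted on this page. It reports whether the `user` value in the raw event text is all asterisks, as it is in the `_raw` field of the snip, and groups such events by `user IP` instead. The function names, the sample addresses and the rule that an all-asterisk value counts as masked are assumptions.

```python
import re

# Matches the ASA syslog tag, e.g. "%ASA-6-113005: <body>"
ASA_TAG = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)")
# Assumption: a value made up only of asterisks is a masked username.
MASKED = re.compile(r"^\*+$")
AAA_REJECT_IDS = {"113005", "113015"}  # the two syslog IDs quoted on this page


def parse_aaa_reject(raw):
    """Return a dict of fields for an AAA rejection event, or None."""
    m = ASA_TAG.search(raw)
    if not m or m.group("msg_id") not in AAA_REJECT_IDS:
        return None
    event = {"msg_id": m.group("msg_id")}
    # Fields are separated by " : "; a field with a value is "key = value".
    for part in re.split(r"\s+:\s+", m.group("body").strip()):
        key, sep, value = part.partition(" = ")
        if sep:
            event[key.strip().lower().replace(" ", "_")] = value.strip()
    user = event.get("user")
    event["user_masked"] = user is not None and bool(MASKED.match(user))
    return event


def summarize(lines):
    """Count rejections per user; masked names are keyed by source IP."""
    counts = {}
    for line in lines:
        ev = parse_aaa_reject(line)
        if ev is None:
            continue  # not an AAA rejection message
        if ev["user_masked"]:
            key = "masked@" + ev.get("user_ip", "unknown")
        else:
            key = ev.get("user", "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample events modelled on the two lines quoted above;
# the addresses are documentation-range placeholders.
SAMPLE = [
    "Jun 26 10:23:31 192.0.2.1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.0.2.10 : user = ***** : user IP = 198.51.100.7",
    "Jun 26 10:23:35 192.0.2.1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.0.2.10 : user = ***** : user IP = 198.51.100.7",
    "Jun 26 10:23:40 192.0.2.1 %ASA-6-302013: Built outbound TCP connection (constructed filler line)",
    "Jul  5 17:55:52 firewall.local %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = legioxi",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```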