topic Re: Cisco ISE Timestamp Issue in All Apps and Add-ons

Cisco ISE Timestamp Issue

bleinfelder — Mon, 28 Sep 2020 16:48:04 GMT

Hi there,

we have an issue regarding timestamps of events from cisco ISE.

Events come via syslog/UDP in the following form:

Jun 5 12:57:45 10.128.12.20 Jun 5 12:57:41 PRDO0001 CISE_Failed_Attempts 0000011272 1 0 2014-06-05 12:57:41.504 +01:00 0008339654 5400 NOTICE Failed-Attempt: Authentication failed, blabla blabla lots of other stuff

The event timestamp that is extracted by splunk is
Jun 5 12:57:45 - I guess that is the time the event was received via udp.

The correct timestamp would be
2014-06-05 12:57:41.504

The ISE app delivers a props.conf with the following settings:

[Cisco:ISE:Syslog]

SHOULD_LINEMERGE = false

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

TIME_PREFIX = \d\s\d\s

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %Z

and

[syslog]

TRANSFORMS-cisco-ise = cisco-ise-sourcetyper

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

MAX_TIMESTAMP_LOOKAHEAD = 300

The XML-file contains this (no xml allowed here, so just parts of it):

;define name="_datetimeCiscoISE" extract="year, month, day, hour, minute, second, subsecond, zone";

!-- Target TimeFormat: 2014-01-09 22:33:35.123 +00:00 --

;text;;![CDATA[(\d\d\d\d)-(\d\d)-(\d\d)\s(\d{2}):(\d{2}):(\d{2}).(\d{3})\s(\S+)\s]];;/text

All of this is out-of-the-box ISE app stuff, we changed nothing there.

So for me this looks like everything is configured the right way - nevertheless the timestamp is not extracted correctly.

As I just understand about half of this config I would be very grateful for any help regarding this.

Best,

Bernd

Re: Cisco ISE Timestamp Issue

bleinfelder — Mon, 28 Sep 2020 16:48:30 GMT

Hi there - solved it.

I changed the timestamp configuration in props.conf to:

[Cisco:ISE:Syslog]

MAX_TIMESTAMP_LOOKAHEAD=300

NO_BINARY_CHECK=1

SHOULD_LINEMERGE=false

TIME_PREFIX=CISE

Best,

Bernd

Re: Cisco ISE Timestamp Issue

tsomod — Thu, 02 May 2019 08:38:22 GMT

Hi! It appears that I'm facing the same issue as you. Well almost. My problem is that I want the event to break when it hits a new line containing the timestamp for the creation time, and not for each line containing the receive time (which is the default). Also I want the events to get the timestamp of the creation time. Is that what you managed with your props.conf configuration?

Re: Cisco ISE Timestamp Issue

DavidHourani — Thu, 02 May 2019 09:15:55 GMT

Hi @tsomod, could you please make a new question and give an example of the events so we can help you out ?