Hi there,

we have an issue regarding timestamps of events from cisco ISE.

Events come via syslog/UDP in the following form:

Jun 5 12:57:45 10.128.12.20 Jun 5 12:57:41 PRDO0001 CISE_Failed_Attempts 0000011272 1 0 2014-06-05 12:57:41.504 +01:00 0008339654 5400 NOTICE Failed-Attempt: Authentication failed, blabla blabla lots of other stuff

The event timestamp that is extracted by splunk is
Jun 5 12:57:45 - I guess that is the time the event was received via udp.

The correct timestamp would be
2014-06-05 12:57:41.504

The ISE app delivers a props.conf with the following settings:

[Cisco:ISE:Syslog]

SHOULD_LINEMERGE = false

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

TIME_PREFIX = \d\s\d\s

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %Z

and

[syslog]

TRANSFORMS-cisco-ise = cisco-ise-sourcetyper

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

MAX_TIMESTAMP_LOOKAHEAD = 300

The XML-file contains this (no xml allowed here, so just parts of it):

;define name="_datetimeCiscoISE" extract="year, month, day, hour, minute, second, subsecond, zone";

!-- Target TimeFormat: 2014-01-09 22:33:35.123 +00:00 --

;text;;![CDATA[(\d\d\d\d)-(\d\d)-(\d\d)\s(\d{2}):(\d{2}):(\d{2}).(\d{3})\s(\S+)\s]];;/text

All of this is out-of-the-box ISE app stuff, we changed nothing there.

So for me this looks like everything is configured the right way - nevertheless the timestamp is not extracted correctly.

As I just understand about half of this config I would be very grateful for any help regarding this.

Best,

Bernd