
Cisco ISE Timestamp Issue

bleinfelder
Path Finder

Hi there,

we have an issue regarding timestamps of events from Cisco ISE.

Events come via syslog/UDP in the following form:

Jun 5 12:57:45 10.128.12.20 Jun 5 12:57:41 PRDO0001 CISE_Failed_Attempts 0000011272 1 0 2014-06-05 12:57:41.504 +01:00 0008339654 5400 NOTICE Failed-Attempt: Authentication failed, blabla blabla lots of other stuff

The event timestamp that is extracted by Splunk is
Jun 5 12:57:45 - I guess that is the time the event was received via UDP.

The correct timestamp would be
2014-06-05 12:57:41.504

The ISE app delivers a props.conf with the following settings:

[Cisco:ISE:Syslog]

SHOULD_LINEMERGE = false

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

TIME_PREFIX = \d\s\d\s

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %Z

and

[syslog]

TRANSFORMS-cisco-ise = cisco-ise-sourcetyper

DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml

MAX_TIMESTAMP_LOOKAHEAD = 300

The XML-file contains this (no xml allowed here, so just parts of it):

<define name="_datetimeCiscoISE" extract="year, month, day, hour, minute, second, subsecond, zone">

<!-- Target TimeFormat: 2014-01-09 22:33:35.123 +00:00 -->

<text><![CDATA[(\d\d\d\d)-(\d\d)-(\d\d)\s(\d{2}):(\d{2}):(\d{2}).(\d{3})\s(\S+)\s]]></text>

All of this is out-of-the-box ISE app stuff, we changed nothing there.

So for me this looks like everything is configured the right way - nevertheless the timestamp is not extracted correctly.

As I only understand about half of this config, I would be very grateful for any help regarding this.

Best,

Bernd


bleinfelder
Path Finder

Hi there - solved it.

I changed the timestamp configuration in props.conf to:

[Cisco:ISE:Syslog]

MAX_TIMESTAMP_LOOKAHEAD=300

NO_BINARY_CHECK=1

SHOULD_LINEMERGE=false

TIME_PREFIX=CISE

Best,

Bernd

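To see what the two TIME_PREFIX settings in this thread do to the sample event, here is a small Python model (an added example, not Splunk's code and not part of the ISE app): it applies a TIME_PREFIX regex, then keeps the earliest recognisable timestamp within MAX_TIMESTAMP_LOOKAHEAD characters after it. The event is copied from the question with the body shortened; the two timestamp patterns, the year assumed for the syslog header, and the "earliest match wins" rule are assumptions of this simplified model, not Splunk's actual timestamp processor.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the event quoted in the question, body shortened.
EVENT = ("Jun 5 12:57:45 10.128.12.20 Jun 5 12:57:41 PRDO0001 CISE_Failed_Attempts "
         "0000011272 1 0 2014-06-05 12:57:41.504 +01:00 0008339654 5400 NOTICE "
         "Failed-Attempt: Authentication failed")
# ISE creation time, same shape as the regex in the app's datetime_udp.xml (assumed pattern).
ISE_TS = re.compile(r"(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2})\.(\d{3})\s([+-])(\d{2}):(\d{2})")
# Syslog header (receive time), which is what Splunk picked by default (assumed pattern).
SYSLOG_TS = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2})\s(\d{2}):(\d{2}):(\d{2})")

def parse_ise(m):
    y, mo, d, h, mi, s, ms, sign, tzh, tzm = m.groups()
    offset = timedelta(hours=int(tzh), minutes=int(tzm))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(ms) * 1000, tz)

def parse_syslog(m, year):
    # Syslog headers carry no year; Splunk assumes one, this model takes it as a parameter.
    mon, d, h, mi, s = m.groups()
    return datetime.strptime(f"{year} {mon} {d} {h}:{mi}:{s}", "%Y %b %d %H:%M:%S")

def first_prefix_match(event, time_prefix):
    # The text a TIME_PREFIX regex consumes; the timestamp search only starts after it.
    m = re.search(time_prefix, event)
    return m.group() if m else None

def extract_timestamp(event, time_prefix=None, lookahead=128, year=2014):
    """Simplified model of TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD: search the window
    after the prefix and keep the earliest recognised timestamp. Returns (ts, label)."""
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if not m:
            return None, "TIME_PREFIX not found"
        start = m.end()
    window = event[start:start + lookahead]
    found = []
    m = ISE_TS.search(window)
    if m:
        found.append((m.start(), parse_ise(m), "ise-creation-time"))
    m = SYSLOG_TS.search(window)
    if m:
        found.append((m.start(), parse_syslog(m, year), "syslog-receive-time"))
    if not found:
        return None, "no timestamp within lookahead"
    _, ts, label = min(found, key=lambda f: f[0])
    return ts, label
```

With no prefix the receive time at the start of the line wins, with TIME_PREFIX=CISE the ISE creation time is the first candidate after the prefix, and first_prefix_match shows that \d\s\d\s first matches "2 1 " inside the segment counters rather than the "1 0 " immediately before the date.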

tsomod
Path Finder

Hi! It appears that I'm facing the same issue as you. Well almost. My problem is that I want the event to break when it hits a new line containing the timestamp for the creation time, and not for each line containing the receive time (which is the default). Also I want the events to get the timestamp of the creation time. Is that what you managed with your props.conf configuration?


DavidHourani
Super Champion

Hi @tsomod, could you please make a new question and give an example of the events so we can help you out?
