- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Cisco ISE Timestamp Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco ISE Timestamp Issue
Hi there,
we have an issue regarding timestamps of events from cisco ISE.
Events come via syslog/UDP in the following form:
Jun 5 12:57:45 10.128.12.20 Jun 5 12:57:41 PRDO0001 CISE_Failed_Attempts 0000011272 1 0 2014-06-05 12:57:41.504 +01:00 0008339654 5400 NOTICE Failed-Attempt: Authentication failed, blabla blabla lots of other stuff
The event timestamp that is extracted by splunk is
Jun 5 12:57:45 - I guess that is the time the event was received via udp.
The correct timestamp would be
2014-06-05 12:57:41.504
The ISE app delivers a props.conf with the following settings:
[Cisco:ISE:Syslog]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml
TIME_PREFIX = \d\s\d\s
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %Z
and
[syslog]
TRANSFORMS-cisco-ise = cisco-ise-sourcetyper
DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml
MAX_TIMESTAMP_LOOKAHEAD = 300
The XML-file contains this (no xml allowed here, so just parts of it):
;define name="_datetimeCiscoISE" extract="year, month, day, hour, minute, second, subsecond, zone";
!-- Target TimeFormat: 2014-01-09 22:33:35.123 +00:00 --
;text;;![CDATA[(\d\d\d\d)-(\d\d)-(\d\d)\s(\d{2}):(\d{2}):(\d{2}).(\d{3})\s(\S+)\s]];;/text
All of this is out-of-the-box ISE app stuff, we changed nothing there.
So for me this looks like everything is configured the right way - nevertheless the timestamp is not extracted correctly.
As I just understand about half of this config I would be very grateful for any help regarding this.
Best,
Bernd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there - solved it.
I changed the timestamp configuration in props.conf to:
[Cisco:ISE:Syslog]
MAX_TIMESTAMP_LOOKAHEAD=300
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_PREFIX=CISE
Best,
Bernd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! It appears that I'm facing the same issue as you. Well almost. My problem is that I want the event to break when it hits a new line containing the timestamp for the creation time, and not for each line containing the receive time (which is the default). Also I want the events to get the timestamp of the creation time. Is that what you managed with your props.conf configuration?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @tsomod, could you please make a new question and give an example of the events so we can help you out ?
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
