
Join ISE events at index time

evelenke
Contributor

Hi Splunkers,

we are collecting ISE events in syslog before getting into Splunk. As a result they are divided like presented below (3 0, 3 1, 3 2) and some dashboards show no information as events should be presented as one (by id 0037542536) to correlate information for eventtypes:

Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1  cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2  Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015 

Could these events be joined at index time?
Does somebody have experience with getting ISE events in Splunk - should we reconfigure delivery with a forwarder or TCP, or is there a solution with syslog with no customization of Add-on knowledge objects?

0 Karma
1 Solution

evelenke
Contributor

The issue has been resolved with increasing the events' maximum length value on ISE side (up to 8192).


0 Karma

tomasmoser
Contributor

I downvoted this post because we have events larger than 8kb.

0 Karma

tomasmoser
Contributor

Hi,

Probably not enough. Our ISE engine logs events longer than 8192B. What do you suggest? I would very much like to hear Cisco ISE add-on developers' comment on this.

I am thinking about two things that can fix this somehow:
1. transaction + collect into summary index
2. add LINE_BREAKER to props.conf to "stitch" events into one during parse/index time.

Your thoughts?

0 Karma
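The segment header visible in the sample events ("0037542536 3 0", "0037542536 3 1", "0037542536 3 2", i.e. sequence id, segment count, segment index) is enough to rejoin the pieces before Splunk ever indexes them. The following is an added example written for this thread, not code from the Cisco ISE add-on or from any of the posters: a small Python reassembler of the kind one could run as a syslog pre-processing step. It assumes the header layout inferred from the samples above, and it assumes that the trailing "#015" on each line is the syslog daemon's octal escape of the carriage return that ends every ISE segment (so it is stripped before joining). It goes beyond the thread by handling segments of different events arriving interleaved and by reporting groups that never became complete, which is what a LINE_BREAKER rule in props.conf cannot do on its own when segments from several ISE nodes are written to the same file.

```python
import re
from collections import defaultdict

# Header that ISE prepends to every syslog message (layout inferred from the
# sample events in this thread; group names are my own):
#   <syslog ts> <host> <category> <sequence id> <segment total> <segment index> <payload>
# Exactly one space is consumed after the index so that a continuation
# segment's payload is preserved byte-for-byte (ISE splits on size, not on
# field boundaries).
SEGMENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<category>CISE_\w+)\s+"
    r"(?P<seq>\d+)\s+"
    r"(?P<total>\d+)\s+"
    r"(?P<index>\d+) (?P<payload>.*)$"
)

# "#015" is assumed to be the syslog daemon's escape of the CR terminating
# each segment; it must not survive into the middle of a joined event.
TERMINATOR_RE = re.compile(r"#015\s*$")


def parse_segment(line):
    """Split one raw syslog line into its ISE segment header and payload.
    Returns None for lines that are not ISE segments (other syslog sources)."""
    m = SEGMENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    seg = m.groupdict()
    seg["total"] = int(seg["total"])
    seg["index"] = int(seg["index"])
    seg["payload"] = TERMINATOR_RE.sub("", seg["payload"])
    return seg


def reassemble(lines):
    """Group segments by (host, category, sequence id) and join complete sets.
    Returns (events, incomplete): events is a list of joined event strings in
    first-seen order; incomplete maps each unfinished key to the segment
    indices that were actually received, so dropped data is visible rather
    than silently merged into a truncated event."""
    groups = defaultdict(dict)
    order = []
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        key = (seg["host"], seg["category"], seg["seq"])
        if key not in groups:
            order.append(key)
        groups[key][seg["index"]] = seg

    events, incomplete = [], {}
    for key in order:
        segs = groups[key]
        total = next(iter(segs.values()))["total"]
        if set(segs) != set(range(total)):
            incomplete[key] = sorted(segs)
            continue
        first = segs[0]
        body = "".join(segs[i]["payload"] for i in range(total)).rstrip()
        events.append(
            f'{first["ts"]} {first["host"]} {first["category"]} {first["seq"]} {body}'
        )
    return events, incomplete


# Constructed sample input: the three segments from the question (shortened),
# interleaved with the first segment of an event from a second ISE node that
# never completes, one single-segment event, and one non-ISE syslog line.
SAMPLE_LINES = [
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, NAS-Port=31961088,#015",
    "Nov 20 01:28:06 host2 CISE_Passed_Authentications 0000000100 2 0 2017-11-20 01:28:06.100 0062948857 5200 NOTICE Passed-Authentication: Authentication succeeded,#015",
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1  cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0,#015",
    "Nov 20 01:28:06 host sshd[123]: Accepted publickey for user from 10.0.0.5",
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2  Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015",
    "Nov 20 01:28:07 host CISE_RADIUS_Accounting 0037542537 1 0 2017-11-20 01:28:07.001 0062948859 3001 NOTICE Radius-Accounting: RADIUS Accounting start request,#015",
]


def demo():
    """Run the reassembler over the constructed sample."""
    return reassemble(SAMPLE_LINES)


if __name__ == "__main__":
    joined, missing = demo()
    for ev in joined:
        print(ev)
    for key, idx in missing.items():
        print(f"incomplete {key}: received segments {idx}")
```

Because the grouping key includes the sending host, two ISE nodes that happen to reuse the same sequence number cannot be merged into one another's events, and a group that stays incomplete is reported instead of being emitted as a truncated record. For a real deployment the buffer of open groups would need a time-based expiry, since a lost segment would otherwise keep its group open forever.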