Hi Splunkers,
we are collecting ISE events in syslog before they get into Splunk. As a result they are divided as shown below (3 0, 3 1, 3 2), and some dashboards show no information, because the events should be presented as one (by id 0037542536) to correlate information for the eventtypes:
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1 cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2 Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015
Could these events be joined at index time?
Does somebody have experience with getting ISE events into Splunk? Should we reconfigure delivery with a forwarder or TCP, or is there a solution with syslog that needs no customization of the add-on's knowledge objects?
The issue has been resolved by increasing the events' maximum length value on the ISE side (up to 8192).
I downvoted this post because we have events larger than 8 KB.
Hi,
Probably not enough. Our ISE engine logs events longer than 8192 bytes. What do you suggest? I would very much like to hear the Cisco ISE add-on developers' comments on this.
I am thinking about two things that might fix this:
1. transaction + collect into a summary index
2. add a LINE_BREAKER to props.conf to "stitch" events into one at parse/index time.
Your thoughts?
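As an added example (not part of this thread, and not code from the Cisco ISE add-on): a small Python reassembler that does outside Splunk what the thread is asking a props.conf rule or a transaction to do, so the stitching logic can be checked against real syslog output before touching the add-on. It keys on the `<host> <category> <msg_id>` header and uses the `<total> <seq>` pair as the completeness check. The sample lines are constructed, modelled on the lines in the original post, with host names and field values invented; they deliberately include out-of-order delivery, a token split across two segments, a message with a missing segment, and a non-ISE line, since any stitching rule has to cope with all four.

```python
import re
from collections import defaultdict

# Layout of one ISE syslog line (rsyslog header, then the ISE segment header):
#   <MMM dd HH:MM:SS> <host> <category> <msg_id> <total_segments> <segment_no> <payload>
SEGMENT = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<category>CISE_\S+) "
    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<seq>\d+) (?P<payload>.*)$"
)

# Head of the reassembled message; only segment 0 carries it.
HEAD = re.compile(
    r"^(?P<ise_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<ise_seq>\d+) "
    r"(?P<code>\d+) (?P<severity>[A-Z]+) (?P<msg_class>[^:]+): (?P<text>[^,]*),? ?(?P<rest>.*)$"
)

# Constructed sample input (values invented, format copied from the post above).
# Segment 2 of 0037542536 arrives before segment 1, "cisco-av-pair" is cut
# between segments 0 and 1, message 0037542540 never gets its second segment.
SAMPLE_LINES = [
    "Nov 20 01:28:06 ise01 CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=10.0.0.5, RequestLatency=3, NetworkDeviceName=vpn-gw1, User-Name=jdoe, NAS-IP-Address=10.0.0.5, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=10.10.1.20, ci#015",
    "Nov 20 01:28:06 ise01 CISE_RADIUS_Accounting 0037542536 3 2 Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015",
    "Nov 20 01:28:06 ise01 CISE_RADIUS_Accounting 0037542536 3 1 sco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C, #015",
    "Nov 20 01:28:09 ise01 CISE_Passed_Authentications 0037542540 2 0 2017-11-20 01:28:09.101 0062948870 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=606, User-Name=asmith, #015",
    "Nov 20 01:28:10 ise01 sshd[1234]: Accepted publickey for admin from 10.0.0.9",
]


def parse_segment(line):
    """Split one syslog line into its ISE segment header and raw payload; None if not ISE."""
    line = line.rstrip("\r\n")
    if line.endswith("#015"):          # rsyslog's octal escape for the CR that ISE appends
        line = line[:-4]
    m = SEGMENT.match(line)
    if not m:
        return None
    seg = m.groupdict()
    seg["total"] = int(seg["total"])
    seg["seq"] = int(seg["seq"])
    return seg


def parse_fields(body):
    """Turn 'k=v, k=v, ...' into a dict; repeated keys (cisco-av-pair) become lists."""
    fields = {}
    for item in body.split(", "):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)   # split on the first '=' only: values contain '='
        key = key.strip()
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


def reassemble(lines):
    """Group segments by (host, category, msg_id) and join the complete messages.

    Returns (events, incomplete): events are fully reassembled and field-parsed;
    incomplete maps the key of each message still missing segments to the
    segment numbers that were seen, which is what to count when checking
    whether raising the ISE maximum length really removed segmentation.
    """
    buckets = defaultdict(dict)   # key -> {segment_no: payload}
    totals = {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        key = (seg["host"], seg["category"], seg["msg_id"])
        buckets[key][seg["seq"]] = seg["payload"]   # duplicates overwrite; arrival order is irrelevant
        totals[key] = seg["total"]

    events, incomplete = [], {}
    for key, parts in buckets.items():
        total = totals[key]
        if set(parts) != set(range(total)):
            incomplete[key] = sorted(parts)
            continue
        # ISE splits on length, so a token can straddle two segments: join with no separator.
        message = "".join(parts[i] for i in range(total))
        head = HEAD.match(message)
        if head is None:
            incomplete[key] = sorted(parts)
            continue
        event = {"host": key[0], "category": key[1], "msg_id": key[2],
                 "segments": total, "message": message}
        event.update({k: v for k, v in head.groupdict().items() if k != "rest"})
        event["fields"] = parse_fields(head.group("rest"))
        events.append(event)
    return events, incomplete


if __name__ == "__main__":
    done, missing = reassemble(SAMPLE_LINES)
    for ev in done:
        print(ev["msg_id"], ev["msg_class"], ev["fields"]["User-Name"], ev["fields"]["Device Type"])
    for key, seen in missing.items():
        print("incomplete:", key, "segments seen:", seen)
```

The reassembly key and the completeness check are the same whichever way the stitching is finally done (a larger maximum length on ISE, a parse-time rule, or a search-time transaction), so running this over a sample of the raw syslog file and looking at the size of the incomplete set is a quick way to tell whether a given setting actually leaves any split events behind.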