Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Join ISE events at index time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunkers,
we are collecting ISE events in syslog before getting into Splunk. As a result they are devided like presented below (3 0, 3 1, 3 2) and some dashboards show no information as events should be presented as one (by id 0037542536) to correlate information for eventtypes:
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1 cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2 Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015
Could these events be joined at index time?
Does somebody have experience with getting ISE events in Splunk - should we reconfigure delivery with forwarder of TCP, or there may be solution with syslog with no customization of Add-on knowledge objects?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue has been reolved with increasing the events' maximum length value on ISE side (up to 8192).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue has been reolved with increasing the events' maximum length value on ISE side (up to 8192).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because we have events larger than 8kb.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Probably not enough. Our ISE engine logs events longer than 8192B. What do you suggest? I would very much like to hear Cisco ISE add-on developers' comment on this.
I am thinking about two things that can fix this somehow:
1. transaction + collect into summary index
2. add LINE_BREAKER to props.conf to "stitch" events into one during parse/index time.
Your thoughts?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
