
Join ISE events at index time

evelenke
Contributor

Hi Splunkers,

We are collecting ISE events via syslog before they get into Splunk. As a result they are divided as presented below (3 0, 3 1, 3 2), and some dashboards show no information, as the events should be presented as one (by id 0037542536) to correlate information for eventtypes:

Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1  cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2  Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015 

Could these events be joined at index time?
Does somebody have experience with getting ISE events into Splunk? Should we reconfigure delivery with a forwarder or TCP, or is there a solution with syslog that needs no customization of the Add-on's knowledge objects?

0 Karma
1 Solution

evelenke
Contributor

The issue has been resolved by increasing the events' maximum length value on the ISE side (up to 8192).


0 Karma


tomasmoser
Contributor

I downvoted this post because we have events larger than 8 KB.

0 Karma

tomasmoser
Contributor

Hi,

Probably not enough. Our ISE engine logs events longer than 8192 B. What do you suggest? I would very much like to hear the Cisco ISE add-on developers' comment on this.

I am thinking about two things that can fix this somehow:
1. transaction + collect into summary index
2. add LINE_BREAKER to props.conf to "stitch" events into one during parse/index time.

Your thoughts?

0 Karma
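Added example, not code from the thread or from the Cisco ISE add-on: the reassembly that the question asks for and that option 2 above tries to get from `LINE_BREAKER`, written out in Python so the rule is explicit. ISE prefixes every syslog segment with `<message id> <total segments> <segment number>` (the `0037542536 3 0` in the question), so segments are grouped by that id and joined in sequence order rather than by adjacency, which also survives interleaving when two ISE messages arrive at the collector at the same time. The sample lines are constructed after the question's format (hostname, addresses, username and the incomplete second message are made up); the `#015` trailer is assumed to be a carriage return escaped by the syslog collector and is dropped before joining, and the second space after the segment number is kept because it belongs to the `, ` separator that ISE split across segments.

```python
import re
from collections import defaultdict

# Header layout of one Cisco ISE syslog segment, as seen in the question:
#   <syslog ts> <host> <CISE_category> <message id> <total segments> <segment no> <payload>
# Only one space after the segment number is consumed; anything after it is payload.
SEGMENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<category>CISE_\S+) "
    r"(?P<msgid>\d+) (?P<total>\d+) (?P<seq>\d+) "
    r"(?P<payload>.*)$"
)

# Constructed sample input modeled on the question's three-segment event. Segment 2 is
# delivered before segment 1, message 0037542537 is missing its second segment, and the
# last line is not an ISE segment at all, to exercise each path of the reassembler.
SAMPLE_LINES = [
    "Nov 20 01:28:06 ise-psn1 CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 "
    "0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, "
    "Device IP Address=192.0.2.10, RequestLatency=3, NetworkDeviceName=vpn-gw-1, User-Name=jdoe, "
    "NAS-IP-Address=192.0.2.10, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, "
    "Framed-IP-Address=198.51.100.23,#015",
    "Nov 20 01:28:06 ise-psn1 CISE_RADIUS_Accounting 0037542536 3 2  Device Type=Device Type#All "
    "Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015",
    "Nov 20 01:28:06 ise-psn1 CISE_RADIUS_Accounting 0037542536 3 1  cisco-av-pair=mdm-tlv=device-type="
    "LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv="
    "device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C0,#015",
    "Nov 20 01:28:07 ise-psn1 CISE_RADIUS_Accounting 0037542537 2 0 2017-11-20 01:28:07.101 "
    "0062948859 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=606, "
    "User-Name=asmith,#015",
    "Nov 20 01:28:07 ise-psn1 CISE_Passed_Authentications not-a-segment",
]


def parse_segment(line):
    """Split one syslog line into its ISE segment header and payload; None if it is not a segment."""
    m = SEGMENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    seg = m.groupdict()
    seg["total"] = int(seg["total"])
    seg["seq"] = int(seg["seq"])
    # Assumption: the collector escaped the trailing CR of each segment as "#015"; strip it.
    if seg["payload"].endswith("#015"):
        seg["payload"] = seg["payload"][:-4]
    return seg


def reassemble(lines):
    """Group segments by (host, category, message id) and join each complete set in sequence order.

    Returns (complete, incomplete): complete is a list of event dicts, incomplete a list of
    ((host, category, msgid), [segment numbers seen], total expected) for sets that never closed.
    """
    parts_by_msg = defaultdict(dict)
    meta = {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue  # not an ISE segment; route it elsewhere in a real pipeline
        key = (seg["host"], seg["category"], seg["msgid"])
        parts_by_msg[key][seg["seq"]] = seg["payload"]
        meta[key] = (seg["ts"], seg["total"])

    complete, incomplete = [], []
    for key, parts in parts_by_msg.items():
        ts, total = meta[key]
        if set(parts) == set(range(total)):
            host, category, msgid = key
            complete.append({
                "ts": ts, "host": host, "category": category, "msgid": msgid,
                "message": "".join(parts[i] for i in range(total)),
            })
        else:
            incomplete.append((key, sorted(parts), total))
    return complete, incomplete


def fields(message):
    """Split a reassembled ISE message into key/value pairs; repeated keys (cisco-av-pair) become lists."""
    out = {}
    for chunk in message.split(", "):
        if "=" not in chunk:
            continue  # the leading timestamp/sequence/severity prefix carries no '='
        k, v = chunk.split("=", 1)
        out.setdefault(k.strip(), []).append(v.strip())
    return out


if __name__ == "__main__":
    done, pending = reassemble(SAMPLE_LINES)
    for ev in done:
        f = fields(ev["message"])
        print(ev["msgid"], f.get("User-Name"), f.get("Device Type"), f.get("cisco-av-pair"))
    for key, seen, total in pending:
        print("incomplete", key, "have segments", seen, "of", total)
```

The incomplete list is the part worth keeping an eye on: a message whose segments never all arrive is exactly the case the accepted answer hit, and the 8192 limit only moves the point at which it happens for the longer events the later replies describe.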