All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing fields from Cisco ISE evens

DomenicoFumarol
Explorer
‎02-13-2018 01:50 AM

Hi All,
we deployed our Cisco ISE App, as well as the Add-On, following the installation guide but most of our dashboards are empty.
Looking at some searches like:

eventtype=cisco-ise-profiler
| stats count by EndpointMatchedPolicy EndpointMacAddress EndpointIPAddress NAS_Port_Id NAS_Port_Type DeviceRegistrationStatus
|format_field_names

we see that fields fields like NAS_Port_Id, NAS_Port_Type and DeviceRegistrationStatus don't exist in the events when we filter by eventtype=cisco-ise-profiler.

Is there anyone else experiencing the same?

Logs are sent directly via Syslog from ISE ( version 2.2.0.470) to our UF.

0 Karma
Reply

stboch
SplunkTrust
SplunkTrust
‎02-15-2018 08:33 AM

You probably might be the length issue with cisco's default syslog configuration.

Have your ISE administrator verify the maximum length settings. It should be set to 8192.
The other way to tell via the log is the numbering prior to the time. Example below.

CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946

The number 1 means syslog 1 message the second number 0 means this is message id 0 (#1) counting from 0 if you see 3 1 this is likely the issue where the maximum length wasn't increased and splunk is receiving the messages broken into several messages.

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

Maximum Length 8192 Events will be broken if you use a smaller value.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...