All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing fields from Cisco ISE evens

DomenicoFumarol
Explorer
‎02-13-2018 01:50 AM

Hi All,
we deployed our Cisco ISE App, as well as the Add-On, following the installation guide but most of our dashboards are empty.
Looking at some searches like:

eventtype=cisco-ise-profiler
| stats count by EndpointMatchedPolicy EndpointMacAddress EndpointIPAddress NAS_Port_Id NAS_Port_Type DeviceRegistrationStatus
|format_field_names

we see that fields fields like NAS_Port_Id, NAS_Port_Type and DeviceRegistrationStatus don't exist in the events when we filter by eventtype=cisco-ise-profiler.

Is there anyone else experiencing the same?

Logs are sent directly via Syslog from ISE ( version 2.2.0.470) to our UF.

0 Karma
Reply

stboch
SplunkTrust
SplunkTrust
‎02-15-2018 08:33 AM

You probably might be the length issue with cisco's default syslog configuration.

Have your ISE administrator verify the maximum length settings. It should be set to 8192.
The other way to tell via the log is the numbering prior to the time. Example below.

CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946

The number 1 means syslog 1 message the second number 0 means this is message id 0 (#1) counting from 0 if you see 3 1 this is likely the issue where the maximum length wasn't increased and splunk is receiving the messages broken into several messages.

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

Maximum Length 8192 Events will be broken if you use a smaller value.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...