All Apps and Add-ons

Splunk ISE add on - no sourcetype=cisco:ise:syslog

Path Finder

Hello Team,

I have installed:

Splunk Add-on for Cisco Identity Services
Splunk for Cisco Identity Services (ISE)

I do received all syslogs from my ISE server, can see it with search host=1.2.3.4, but i do not have sourcetype: sourcetype=cisco:ise:syslog

My syslogs from ISE are of generic sourcetype=udp:514 (i have a lot of hosts sending udp/514 syslogs to splunk)

As a result my application/dashboard does not show any logs, i guess it's configured to search for "sourcetype=cisco:ise:syslog".

Question:
Should not the application ask me to configure that ? How to fix it, without breaking what i do have currently ?
Do i need to create manually that sourcetype ?
When going to sourcetypes i do not see it (the only sourcetype with string "cisco" is for asa), but when trying to create "cisco:ise:syslog" i do receive error that source type already exists.

Why ?

One more: i have clicked "Set up" for "Splunk Add-on for Cisco Identity Services" - but all the settings on that page are for remediation and pxgrid protocol - i do not need that. Just clicked save. I hope that i am not forced to konfigure pxgrid to have a basic ISE dashboard working ?
I have also checked i can see multiple event types which are related to ISE, but i do see only one search related to ISE:
"Lookup - Locations" - i guess it's not enough - is not it ?

Why ?

Thanks,

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hi Teknet9,

Are you working with a single Splunk instance or a distributed environment? If distributed, could you please let me know where you installed the Splunk Add-on for Cisco ISE? Please note that installation of this add-on on both the search head and indexer (or heavy forwarder) is required in a distributed environment.
Please also note the following:
The Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog, provided that ALL of the following are true:
- Your Splunk platform is consuming syslog data through a syslog aggregator, or directly
- You have configured your Cisco ISE devices to send logs via syslog to your aggregator, or directly to your Splunk platform instance
- The Cisco ISE records include sourcetype=syslog
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the source type to cisco:ise:syslog at the input phase.

Hope it helps.
Thanks!

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi Teknet9,

Are you working with a single Splunk instance or a distributed environment? If distributed, could you please let me know where you installed the Splunk Add-on for Cisco ISE? Please note that installation of this add-on on both the search head and indexer (or heavy forwarder) is required in a distributed environment.
Please also note the following:
The Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog, provided that ALL of the following are true:
- Your Splunk platform is consuming syslog data through a syslog aggregator, or directly
- You have configured your Cisco ISE devices to send logs via syslog to your aggregator, or directly to your Splunk platform instance
- The Cisco ISE records include sourcetype=syslog
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the source type to cisco:ise:syslog at the input phase.

Hope it helps.
Thanks!

View solution in original post

0 Karma

Path Finder

Thank you hunters ! I did not satisfy the 3rd condition, i had default udp/514 data input without sorcetype selected. Once selected syslog, Splunk identifies ISE syslogs correctly and my dashboards are working fine, thanks a lot !

0 Karma

Explorer

Sourcetype is set on the inputs config. What's configured for the ISE data?

If the inputs is configured properly, may check this post, it's not the sourcetype that's the issue with the dashboards its the eventtype that was accidentally dropped.
https://answers.splunk.com/answers/425069/splunk-for-cisco-identity-services-ise-dashboards.html

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!