All Apps and Add-ons

Splunk ISE add on - no sourcetype=cisco:ise:syslog

teknet9
Path Finder

Hello Team,

I have installed:

Splunk Add-on for Cisco Identity Services
Splunk for Cisco Identity Services (ISE)

I do received all syslogs from my ISE server, can see it with search host=1.2.3.4, but i do not have sourcetype: sourcetype=cisco:ise:syslog

My syslogs from ISE are of generic sourcetype=udp:514 (i have a lot of hosts sending udp/514 syslogs to splunk)

As a result my application/dashboard does not show any logs, i guess it's configured to search for "sourcetype=cisco:ise:syslog".

Question:
Should not the application ask me to configure that ? How to fix it, without breaking what i do have currently ?
Do i need to create manually that sourcetype ?
When going to sourcetypes i do not see it (the only sourcetype with string "cisco" is for asa), but when trying to create "cisco:ise:syslog" i do receive error that source type already exists.

Why ?

One more: i have clicked "Set up" for "Splunk Add-on for Cisco Identity Services" - but all the settings on that page are for remediation and pxgrid protocol - i do not need that. Just clicked save. I hope that i am not forced to konfigure pxgrid to have a basic ISE dashboard working ?
I have also checked i can see multiple event types which are related to ISE, but i do see only one search related to ISE:
"Lookup - Locations" - i guess it's not enough - is not it ?

Why ?

Thanks,

0 Karma
1 Solution

hunters_splunk
Splunk Employee
Splunk Employee

Hi Teknet9,

Are you working with a single Splunk instance or a distributed environment? If distributed, could you please let me know where you installed the Splunk Add-on for Cisco ISE? Please note that installation of this add-on on both the search head and indexer (or heavy forwarder) is required in a distributed environment.
Please also note the following:
The Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog, provided that ALL of the following are true:
- Your Splunk platform is consuming syslog data through a syslog aggregator, or directly
- You have configured your Cisco ISE devices to send logs via syslog to your aggregator, or directly to your Splunk platform instance
- The Cisco ISE records include sourcetype=syslog
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the source type to cisco:ise:syslog at the input phase.

Hope it helps.
Thanks!

View solution in original post

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi Teknet9,

Are you working with a single Splunk instance or a distributed environment? If distributed, could you please let me know where you installed the Splunk Add-on for Cisco ISE? Please note that installation of this add-on on both the search head and indexer (or heavy forwarder) is required in a distributed environment.
Please also note the following:
The Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog, provided that ALL of the following are true:
- Your Splunk platform is consuming syslog data through a syslog aggregator, or directly
- You have configured your Cisco ISE devices to send logs via syslog to your aggregator, or directly to your Splunk platform instance
- The Cisco ISE records include sourcetype=syslog
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the source type to cisco:ise:syslog at the input phase.

Hope it helps.
Thanks!

0 Karma

teknet9
Path Finder

Thank you hunters ! I did not satisfy the 3rd condition, i had default udp/514 data input without sorcetype selected. Once selected syslog, Splunk identifies ISE syslogs correctly and my dashboards are working fine, thanks a lot !

0 Karma

dw385
Explorer

Sourcetype is set on the inputs config. What's configured for the ISE data?

If the inputs is configured properly, may check this post, it's not the sourcetype that's the issue with the dashboards its the eventtype that was accidentally dropped.
https://answers.splunk.com/answers/425069/splunk-for-cisco-identity-services-ise-dashboards.html

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...