- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Cisco ISE -> New line in Syslog -> Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco ISE -> New line in Syslog -> Splunk
Hi
We have Cisco ISE that sends log to our Splunk using rsyslog as a receiver for TCP Syslog.
Problem are that some of the message from ISE pics up using LLDP information from our switchs and accesspoint these line and add them to the syslog message.
This info can bee seen on the device as well with show version.
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 10-Dec-18 11:34 by mcpre
When this is added to the ISE log message it contains new line, so the log message are broken up when rsyslog writs it to the disk for Splunk to read.
1st part
<181> CISE_RADIUS_Accounting 0015021690 1 0 2021-03-01 09:36:46.766 +01:00 0376002501 3002 NOTICE Radius-Accounting: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AP Software\, ap3g3-k9w8 Version: 8.10.130.0\
2 end part
<13> Support: http://www.cisco.com/techsupport\
3rd part
<13> (c) 1986-2020 by Cisco Systems\, Inc.\
4th part
<13> Wed Jul 29 00:28:31 PDT 2020 by aut, cisco-av-pair=lldp-tlv=lldpSystemName=SW-14, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Network Device Profile=Cisco, Location=Location#All Locations#OTT#StokholmSH, Device Type=Device Type#All Device Types#Switch#DynamiskNett, #015
I can join these message using transaction but not a good solution.
<181> CISE_RADIUS_Accounting 0015021690 1 0 2020-03-01 09:36:46.766 +01:00 0376002501 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=261, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, cisco-av-pair=lldp-tlv=lldpSystemDescription=Cisco AP Software\, ap3g3-k9w8 Version: 8.10.130.0\
<13> Support: http://www.cisco.com/techsupport\
<13> (c) 1986-2020 by Cisco Systems\, Inc.\
<13> Wed Jul 29 00:28:31 PDT 2020 by aut, cisco-av-pair=lldp-tlv=lldpSystemName=sw-14, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Type=Device Type#All Device Types#Switch#DynamiskNett, #015
What I can see from this is that each message that comes from ISE are separated by new line.
ISE escapes the newline from code within the message, but rsyslog ignore the escape \
From message above you see that all message that ends with \ should continue and #015 is the final end of the message.
Can I somehow change the rsyslog to replace escape newline with comma or other character ?
Or do I need to receive the data using phyton, change the escape newline and send it to syslog?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
