Hi Splunkers,
we are collecting ISE events in syslog before getting into Splunk. As a result they are devided like presented below (3 0, 3 1, 3 2) and some dashboards show no information as events should be presented as one (by id 0037542536) to correlate information for eventtypes:
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1 cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2 Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015
Could these events be joined at index time?
Does somebody have experience with getting ISE events in Splunk - should we reconfigure delivery with forwarder of TCP, or there may be solution with syslog with no customization of Add-on knowledge objects?
... View more