It really depends on your deployment topology, but you can try installing the app on all core instances of splunk and enabling the visualizations on the Search Head. Also, make sure you have props. / transforms. configured to set the correct sourcetype=Cisco:ISE:Syslog

Hi,

In our company, we are also having the same issue. Using Splunk to collect the syslog from ISE, but no authentication information is collected.

And search the following information, it is missing as well.

eventtype=cisco-ise-failed-authentication
sourcetype=Cisco:ISE:Syslog auth

Can anyone help ?

The first thing to check is if the eventtype is returning information. Try this search:

eventtype=cisco-ise-failed-authentication

If this fails, then we probably have an eventtype definition issue. You can try running the following search that defines the eventteype:

sourcetype=Cisco:ISE:Syslog (MESSAGE_CODE=5400 OR MESSAGE_CODE=5401 OR MESSAGE_CODE=5402 OR MESSAGE_CODE=5403 OR MESSAGE_CODE=5404 OR MESSAGE_CODE=5405 OR MESSAGE_CODE=5406 OR MESSAGE_CODE=5407 OR MESSAGE_CODE=5431 OR MESSAGE_CODE=5435 OR MESSAGE_CODE=5436 OR MESSAGE_CODE=5437 OR MESSAGE_CODE=10006 OR MESSAGE_CODE=10007 OR MESSAGE_CODE=51000 OR MESSAGE_CODE=51004 OR MESSAGE_CODE=51005 OR MESSAGE_CODE=51006 OR MESSAGE_CODE=51007 OR MESSAGE_CODE=51008 OR MESSAGE_CODE=51009 OR MESSAGE_CODE=51020 OR MESSAGE_CODE=51021)