We have some data showing from the Cisco ISE app which looks good.
However, we are not seeing any of the authentications in Splunk. Is there a configuration setting we may be missing?
Thanks.
One thing you might want to confirm is that ISE logging is configured to send these messages to Splunk. If they are never sent by ISE, then there's nothing for Splunk to index.
It really depends on your deployment topology, but you can try installing the app on all core instances of Splunk and enabling the visualizations on the Search Head. Also, make sure you have props. / transforms. configured to set the correct sourcetype=Cisco:ISE:Syslog
Hi,
In our company, we are also having the same issue. We are using Splunk to collect the syslog from ISE, but no authentication information is collected.
And when searching with the following, that information is missing as well.
eventtype=cisco-ise-failed-authentication
sourcetype=Cisco:ISE:Syslog auth
Can anyone help ?
The first thing to check is if the eventtype is returning information. Try this search:
eventtype=cisco-ise-failed-authentication
If this fails, then we probably have an eventtype definition issue. You can try running the following search that defines the eventtype:
sourcetype=Cisco:ISE:Syslog (MESSAGE_CODE=5400 OR MESSAGE_CODE=5401 OR MESSAGE_CODE=5402 OR MESSAGE_CODE=5403 OR MESSAGE_CODE=5404 OR MESSAGE_CODE=5405 OR MESSAGE_CODE=5406 OR MESSAGE_CODE=5407 OR MESSAGE_CODE=5431 OR MESSAGE_CODE=5435 OR MESSAGE_CODE=5436 OR MESSAGE_CODE=5437 OR MESSAGE_CODE=10006 OR MESSAGE_CODE=10007 OR MESSAGE_CODE=51000 OR MESSAGE_CODE=51004 OR MESSAGE_CODE=51005 OR MESSAGE_CODE=51006 OR MESSAGE_CODE=51007 OR MESSAGE_CODE=51008 OR MESSAGE_CODE=51009 OR MESSAGE_CODE=51020 OR MESSAGE_CODE=51021)
Do you get anything with the following search?
sourcetype=Cisco:ISE:Syslog *auth*
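As an added illustration (not part of this thread and not code from the Cisco ISE app), the check below applies the same message-code list as the eventtype definition above to raw ISE syslog lines outside Splunk. The header layout in the regex is my assumption of the ISE syslog format, and the sample lines are constructed; the app's own props/transforms may extract fields differently. What it shows is the failure mode being discussed: a line that never yields a MESSAGE_CODE field (wrong sourcetype, non-ISE format) can never match the eventtype, which is exactly what an empty eventtype=cisco-ise-failed-authentication search looks like.

```python
import re

# Message codes from the cisco-ise-failed-authentication eventtype
# definition quoted in the thread above.
FAILED_AUTH_CODES = {
    5400, 5401, 5402, 5403, 5404, 5405, 5406, 5407,
    5431, 5435, 5436, 5437, 10006, 10007,
    51000, 51004, 51005, 51006, 51007, 51008, 51009, 51020, 51021,
}

# Assumed ISE syslog header layout (an assumption for this example, not the
# app's own transforms):
# <pri>MMM dd HH:MM:SS host CISE_<Category> <msg_id> <segments> <segment_no>
#   <yyyy-mm-dd hh:mm:ss.fff> <tz> <sequence> <message_code> <severity> <text>: k=v, k=v, ...
HEADER_RE = re.compile(
    r"""^(?:<\d+>)?\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<host>\S+)\s+
        (?P<category>CISE_\w+)\s+\d+\s+\d+\s+\d+\s+
        \d{4}-\d{2}-\d{2}\s+[\d:.]+\s+[+-]\d{2}:\d{2}\s+\d+\s+
        (?P<message_code>\d+)\s+(?P<severity>[A-Z]+)\s+(?P<body>.*)$""",
    re.VERBOSE,
)

# Constructed sample events; the last one is an ordinary sshd syslog line that
# reached the same collector but is not in ISE format.
SAMPLE_EVENTS = [
    "<181>Sep 16 13:57:17 ise01 CISE_Failed_Attempts 0000000004 1 0 2014-09-16 13:57:17.152 -04:00 0000000015 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=22, Device IP Address=10.1.1.1, UserName=bob, NAS-IP-Address=10.1.1.1, AuthenticationMethod=PAP_ASCII, FailureReason=22056 Subject not found in the applicable identity store(s)",
    "<181>Sep 16 13:58:02 ise01 CISE_Passed_Authentications 0000000005 1 0 2014-09-16 13:58:02.010 -04:00 0000000016 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=22, UserName=alice, NAS-IP-Address=10.1.1.1",
    "<181>Sep 16 13:59:40 ise01 CISE_Failed_Attempts 0000000006 1 0 2014-09-16 13:59:40.501 -04:00 0000000017 5401 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=22, UserName=carol, AuthenticationMethod=MSCHAPV2",
    "<14>Sep 16 14:00:00 ise01 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]


def parse_ise_event(line):
    """Return extracted fields for an ISE syslog line, or None if it does not match.

    None is the equivalent of Splunk never extracting MESSAGE_CODE for the event.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {
        "host": m.group("host"),
        "category": m.group("category"),
        "MESSAGE_CODE": int(m.group("message_code")),
        "severity": m.group("severity"),
    }
    body = m.group("body")
    # e.g. "Failed-Attempt: Authentication failed, ConfigVersionId=22, UserName=bob, ..."
    if ":" in body:
        fields["message_text"], _, attrs = body.partition(":")
    else:
        attrs = body
    for part in attrs.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip free-text fragments such as "Authentication failed"
            fields[key.strip()] = value.strip()
    return fields


def is_failed_authentication(event):
    """Same predicate as the eventtype definition: MESSAGE_CODE in the listed set."""
    return event is not None and event["MESSAGE_CODE"] in FAILED_AUTH_CODES


def find_failed_authentications(lines):
    """Mimic `eventtype=cisco-ise-failed-authentication` over raw lines."""
    return [e for e in map(parse_ise_event, lines) if is_failed_authentication(e)]


def summarize(lines):
    """Counts a troubleshooter wants: how many lines parsed at all vs. how many matched."""
    parsed = [parse_ise_event(line) for line in lines]
    return {
        "total": len(lines),
        "parsed": sum(1 for e in parsed if e is not None),
        "failed_auth": sum(1 for e in parsed if is_failed_authentication(e)),
    }


if __name__ == "__main__":
    for ev in find_failed_authentications(SAMPLE_EVENTS):
        print(ev["MESSAGE_CODE"], ev.get("UserName"), ev.get("FailureReason"))
    print(summarize(SAMPLE_EVENTS))
```

If "parsed" comes back as zero for a sample of your real syslog, the problem is upstream of the eventtype: either ISE is not sending these categories, or the lines are landing under a different sourcetype so the app's field extractions never run.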
Jason, we have tried these searches but they do not return any results. Is there a config we are missing on the ISE side?