
Join ISE events at index time

evelenke
Contributor

Hi Splunkers,

We are collecting ISE events via syslog before they get into Splunk. As a result they are divided as shown below (3 0, 3 1, 3 2), and some dashboards show no information, as the events should be presented as one (by id 0037542536) to correlate information for eventtypes:

Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, Framed-Protocol=PPP, Framed-IP-Address=, C...,#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1  cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, cisco-av-pair=audit-session-id=0a02010601e7b0, cisco-av-pair=mdm-tlv=device-platform-version=, cisco-av-pair=mdm-tlv=device-uid=B3ACF1C ...#015    
Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2  Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015 

Could these events be joined at index time?
Does somebody have experience with getting ISE events into Splunk? Should we reconfigure delivery with a forwarder or TCP, or may there be a solution with syslog and no customization of the Add-on's knowledge objects?

1 Solution

evelenke
Contributor

The issue has been resolved by increasing the events' maximum length value on the ISE side (up to 8192).


tomasmoser
Contributor

I downvoted this post because we have events larger than 8kb.


tomasmoser
Contributor

Hi,

Probably not enough. Our ISE engine logs events longer than 8192B. What do you suggest? I would very much like to hear Cisco ISE add-on developers' comment on this.

I am thinking about two things that can fix this somehow:
1. transaction + collect into summary index
2. add LINE_BREAKER to props.conf to "stitch" events into one during parse/index time.

Your thoughts?

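The segment layout shown in the question and the "stitching" tomasmoser proposes come down to the same logic, whichever layer does it (props.conf line merging, a transaction search, or a preprocessor in front of the syslog receiver). The script below is an added example, not code from this thread or from the Cisco ISE add-on: it reassembles CISE segments into one event per message id, reports messages with missing segments, and records the reassembled size so you can see whether an 8192-byte limit would actually avoid segmentation for your traffic. It assumes the header layout inferred from the quoted lines (syslog timestamp, host, CISE category, message id, total segment count, segment index, payload), assumes message ids are unique per ISE node (so the host is part of the grouping key), and treats the trailing "#015" as rsyslog's octal escape of the carriage return ending each segment. The sample input is constructed: the three quoted segments, shortened, plus a second message id with a deliberately missing middle segment.

```python
import re
from collections import defaultdict

# Constructed sample input (not captured data): the three segments quoted in the
# question, shortened, plus a made-up message id 0037542537 whose segment 1 never
# arrived, to exercise the completeness check.
SAMPLE_LINES = [
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 0 2017-11-20 01:28:06.932 "
    "0062948858 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, "
    "ConfigVersionId=606, Device IP Address=, RequestLatency=3, NetworkDeviceName=, "
    "User-Name=, NAS-IP-Address=, NAS-Port=31961088, Service-Type=Framed, "
    "Framed-Protocol=PPP, Framed-IP-Address=, #015",
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 1  "
    "cisco-av-pair=mdm-tlv=device-type=LENOVO 20CC, "
    "cisco-av-pair=audit-session-id=0a02010601e7b0, "
    "cisco-av-pair=mdm-tlv=device-platform-version=, #015",
    "Nov 20 01:28:06 host CISE_RADIUS_Accounting 0037542536 3 2  "
    "Device Type=Device Type#All Device Types#VPN Gateway, Device OS=Device OS#Device OS, #015",
    "Nov 20 01:28:07 host CISE_RADIUS_Accounting 0037542537 3 0 2017-11-20 01:28:07.100 "
    "0062948859 3001 NOTICE Radius-Accounting: RADIUS Accounting start request, "
    "ConfigVersionId=606, NAS-Port=31961089, #015",
    "Nov 20 01:28:07 host CISE_RADIUS_Accounting 0037542537 3 2  "
    "Device Type=Device Type#All Device Types#VPN Gateway, #015",
]

# Assumed header layout, inferred from the quoted lines:
#   <syslog ts> <host> CISE_<category> <msgid> <total segments> <segment index> <payload>
SEGMENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<category>CISE_\S+) (?P<msgid>\d+) (?P<total>\d+) (?P<seq>\d+) (?P<payload>.*)$"
)


def clean_payload(payload):
    """Strip surrounding whitespace and the '#015' rsyslog writes for the trailing CR."""
    payload = payload.strip()
    if payload.endswith("#015"):
        payload = payload[:-4].rstrip()
    return payload


def reassemble(lines):
    """Join CISE segments into one event per (host, category, msgid).

    Returns (events, incomplete): events are fully reassembled messages;
    incomplete lists message ids whose declared segment count was not met.
    """
    segments = defaultdict(dict)  # (host, category, msgid) -> {seq: payload}
    totals = {}                   # key -> declared number of segments
    first_ts = {}                 # key -> syslog timestamp of the first segment seen
    for line in lines:
        m = SEGMENT_RE.match(line)
        if not m:
            continue  # not an ISE segment; a real pipeline would pass it through unchanged
        key = (m["host"], m["category"], m["msgid"])
        segments[key][int(m["seq"])] = clean_payload(m["payload"])
        totals[key] = int(m["total"])
        first_ts.setdefault(key, m["ts"])

    events, incomplete = [], []
    for key, segs in segments.items():
        total = totals[key]
        missing = [i for i in range(total) if i not in segs]
        if missing:
            incomplete.append({"msgid": key[2], "expected": total, "missing": missing})
            continue
        body = " ".join(segs[i] for i in range(total))  # segments in index order
        events.append({
            "timestamp": first_ts[key],
            "host": key[0],
            "category": key[1],
            "msgid": key[2],
            "segments": total,
            "bytes": len(body.encode()),  # size the single event would have had
            "message": body,
        })
    return events, incomplete


def kv_pairs(message):
    """Split a reassembled message into (key, value) pairs on ',' and the first '='.

    Fields that ISE spread over different segments (NAS-Port in segment 0,
    audit-session-id in segment 1, Device OS in segment 2) only line up once
    the segments have been joined.
    """
    pairs = []
    for part in message.split(","):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            pairs.append((k.strip(), v.strip()))
    return pairs


if __name__ == "__main__":
    events, incomplete = reassemble(SAMPLE_LINES)
    for ev in events:
        print(f"{ev['msgid']}: {ev['segments']} segments, {ev['bytes']} bytes reassembled")
    for gap in incomplete:
        print(f"{gap['msgid']}: incomplete, missing segments {gap['missing']}")
```

Run over the actual syslog file and the "bytes" field tells you the largest event ISE emits; if that exceeds whatever maximum length you set on the ISE side, segmentation will keep happening and the reassembly has to live somewhere in the pipeline. The incomplete list is worth alerting on, since a dropped UDP segment silently produces a truncated event rather than an error.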