Missing fields from Cisco ISE evens

DomenicoFumarol · ‎02-13-2018

Hi All,
we deployed our Cisco ISE App, as well as the Add-On, following the installation guide but most of our dashboards are empty.
Looking at some searches like:

eventtype=cisco-ise-profiler
| stats count by EndpointMatchedPolicy EndpointMacAddress EndpointIPAddress NAS_Port_Id NAS_Port_Type DeviceRegistrationStatus
|format_field_names

we see that fields fields like NAS_Port_Id, NAS_Port_Type and DeviceRegistrationStatus don't exist in the events when we filter by eventtype=cisco-ise-profiler.

Is there anyone else experiencing the same?

Logs are sent directly via Syslog from ISE ( version 2.2.0.470) to our UF.

stboch · ‎02-15-2018

You probably might be the length issue with cisco's default syslog configuration.

Have your ISE administrator verify the maximum length settings. It should be set to 8192.
The other way to tell via the log is the numbering prior to the time. Example below.

CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946

The number 1 means syslog 1 message the second number 0 means this is message id 0 (#1) counting from 0 if you see 3 1 this is likely the issue where the maximum length wasn't increased and splunk is receiving the messages broken into several messages.

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

Maximum Length 8192 Events will be broken if you use a smaller value.

Missing fields from Cisco ISE evens

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability