Hi, thank you for the suggestions, but I was not able to get it to work. I cannot "see" anything coming from streamstats.
Here is the event that would need to be seen and enriched with details from the second log:
(<181>May 11 08:42:36 dced8103 CISE_Passed_Authentications 0012489025 1 0 2018-05-11 08:42:36.095 +00:00 0389728333 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=122, Device IP Address=10.1.1.10, DestinationIPAddress=10.2.2.10, DestinationPort=1812, UserName=email@email.com, Protocol=Radius, RequestLatency=15, NetworkDeviceName=name1111, User-Name=email@email.com, NAS-IP-Address=10.2.2.10, NAS-Port=1, Service-Type=Login, Framed-IP-Address=10.2.2.11, Called-Station-ID=00-a2-ee-3a-a5-e0:XXX, Calling-Station-ID=3c-95-09-70-3c-65, NAS-Identifier=name1111, Acct-Session-Id=5af556d1/3c:95:09:70:3c:65/2627630, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=audit-session-id=0a050284001424df5af556d1, Airespace-Wlan-Id=10, OriginalUserName=email@email.com, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=5, SSID=00-a2-ee-3a-a5-e0:XXX, AcsSessionID=dced8103/309714860/5273274, AuthenticationIdentityStore=Guest Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=YYY, SelectedAuthorizationProfiles=PermitAccess, IdentityGroup=User Identity Groups:ZZZ, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24631, Step=24632, Step=22037, Step=24715, Step=15036, Step=15048, Step=15016, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=Guest Users, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#XXX, NetworkDeviceGroups=Device Type#All Device Types#WLC, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=CCC, UserType=GuestUser, CPMSessionID=0a050284001424df5af556d1, EndPointMACAddress=3C-95-09-70-3C-65, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, ISEPolicySetName=VVV, IdentitySelectionMatchedRule=Default, StepData=4= Normalised 
Radius.RadiusFlowType, StepData=5= Radius.Called-Station-ID, StepData=7=Guest Users, StepData=13= Network Access.AuthenticationStatus, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#XXX, Device Type=Device Type#All Device Types#WLC, IPSEC=IPSEC#Is IPSEC Device#No, Response={State=ReauthSession:0a050284001424df5af556d1; Class=CACS:0a050284001424df5af556d1:dced8103/309714860/5273274; Session-Timeout=47783; Termination-Action=Default; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },)
2nd log from where details are needed (like sponsor user-id and email):
(<182>May 11 08:28:29 dced8203 CISE_Guest 0008327646 1 0 2018-05-11 08:28:29.059 +00:00 0261225873 86006 INFO Guest: Guest user account is created, ConfigVersionId=114, UserType=NON_GUEST, UserName=SPONSORE-USER, EmailAddress=sponsre@email.com, IpAddress=10.3.3.10, AuthenticationIdentityStore=domain.net, PortalName=NAME, IdentityGroup=S-1-5-21-160562036-3150058255-2134394716-594253, SponsorUser=SPONSORE-USER, PsnHostName=host.domain.net, GuestUserName=email@email.com, GuestFirstname=NAME, GuestLastname=LAST, GuestEmailAddress=email@email.com, GuestPhoneNumber=123456789, GuestCompanyname=COMP_NAME, GuestAuthenticationIdentityStore=Guest Users, GuestType=NAME, GuestValidDays=1, GuestFromDate=05/11/2018 08:25, GuestToDate=05/11/2018 21:59, GuestLocation=UTC+01:00 (Europe/Berlin), GuestStatus=ACTIVE,)
Search string:
index=cisco_logs sourcetype="cisco:ise:syslog" (UserType=GuestUser OR MESSAGE_CLASS=guest)
| fields UserName src_mac SponsorUser GuestUserName UserType
| eval GuestUserName=coalesce(GuestUserName,UserName)
| eval RECTYPE=if(UserType="GuestUser",1,2)
| streamstats last(*) as * by GuestUserName
| where RECTYPE=1
THX!
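The correlation the post is after, as an added Python example that is not part of the original post and is not Splunk code: it parses shortened, constructed copies of the two ISE events, processes them oldest first, and attaches the sponsor fields from the guest-creation record to each later guest authentication. The function names and the SponsorEmail output field are assumptions made for this illustration.

```python
from datetime import datetime
import re

# Constructed, shortened samples modelled on the two ISE events in the post.
SAMPLE_LOGS = [
    "<181>May 11 08:42:36 dced8103 CISE_Passed_Authentications 0012489025 1 0 "
    "2018-05-11 08:42:36.095 +00:00 0389728333 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=email@email.com, UserType=GuestUser, "
    "EndPointMACAddress=3C-95-09-70-3C-65,",
    "<182>May 11 08:28:29 dced8203 CISE_Guest 0008327646 1 0 "
    "2018-05-11 08:28:29.059 +00:00 0261225873 86006 INFO Guest: Guest user account "
    "is created, UserType=NON_GUEST, UserName=SPONSORE-USER, "
    "EmailAddress=sponsre@email.com, SponsorUser=SPONSORE-USER, "
    "GuestUserName=email@email.com,",
]

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}")

def parse_ise(line):
    """Return (timestamp, fields) for one ISE syslog line of 'key=value, ' pairs."""
    ts = datetime.strptime(TS_RE.search(line).group(0), "%Y-%m-%d %H:%M:%S.%f")
    fields = {}
    for part in line.rstrip(",) ").split(", "):
        key, sep, value = part.partition("=")   # values may themselves contain '='
        if sep:                                  # the syslog header has no '='
            fields.setdefault(key.strip(), value.strip())  # keep first of repeated keys
    return ts, fields

def enrich_guest_auths(lines):
    """Attach sponsor details from the latest earlier guest-creation event."""
    sponsors = {}   # guest user name -> sponsor details seen so far
    enriched = []
    # Oldest first, so a creation event is seen before the logins that follow it.
    for ts, f in sorted(map(parse_ise, lines), key=lambda e: e[0]):
        if "GuestUserName" in f:                    # guest-creation record
            sponsors[f["GuestUserName"]] = {
                "SponsorUser": f.get("SponsorUser"),
                "SponsorEmail": f.get("EmailAddress"),
            }
        elif f.get("UserType") == "GuestUser":      # passed authentication
            enriched.append({"time": ts.isoformat(),
                             "GuestUserName": f.get("UserName"),
                             "EndPointMACAddress": f.get("EndPointMACAddress"),
                             **sponsors.get(f.get("UserName"), {})})
    return enriched

if __name__ == "__main__":
    for row in enrich_guest_auths(SAMPLE_LOGS):
        print(row)
```

The sample list is deliberately given newest first; an authentication that has no earlier creation record for the same user name comes back without the sponsor fields.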