Timothy Abbott
Cisco Employee

 

Intro

The syslog providers in ISE-PIC or ISE come with several predefined syslog templates for popular network services that are commonly found in enterprise networks. If the network service you want to use for identity information is not one of the predefined templates, you can create your own syslog header parser and template. All you need is an example syslog message from that provider. In this article I will use the following syslog message to build a custom header and template:

 

<181>May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong

Syslog Providers

To begin, navigate to Providers -> Syslog Providers in ISE-PIC (or in ISE, Work Centers / PassiveID / Providers / Syslog Providers):


Syslog Header

ISE-PIC or ISE reads the header of each syslog message it receives and looks for the host field where RFC 5424 (section 6) says it should be or, if a custom header is configured, at the position you configured; if it cannot locate the host field, it drops the event. By default, ISE splits the header on space characters and looks for the host field at the first or the fourth position. If the host is not found, which shows up as "... Received unknown syslog message format. ..." in passiveid-syslog.log once the PassiveID component is set to DEBUG, create a custom header. To do so, click the "Custom Header" button.


Paste the example syslog message that you collected from the network service you want to use into the window.

Now we need to identify the hostname of the network service that is sending the syslog message to ISE-PIC. To do that, we indicate the separator and the position of the hostname in the message. In my example the hostname (sys_server) is at position 5 and each position is separated by a space; the time zone (EST) occupies a token of its own, which is what pushes the host past the default fourth position. Once the separator and position are configured correctly, ISE-PIC displays the hostname it found. Click Submit when finished.


Add a Syslog Provider

We can now proceed with configuring our provider. Click the "Add" icon to continue.


Next fill out all the fields with the appropriate information.

 


Note on Host FQDN: After locating the host in each syslog message it receives, ISE-PIC or ISE tries to match it to one of the configured syslog providers in the following forms:

  1. The host FQDN: e.g., my-syslog-server.ise.local
  2. The short hostname: e.g., my-syslog-server
  3. The IPv4 address that the host FQDN or the short hostname resolves to: e.g., 10.0.1.200
 

Currently the comparison is case-sensitive, so my-syslog-server.ise.local != MY-SYSLOG-SERVER.ISE.LOCAL.

 

If the host is not matched, the DEBUG log contains an entry like this:

DEBUG ... com.cisco.idc.syslog-probe- Receive message from unkown client, Droping message. Identity Mapping.event-info = No tcp syslog client is defined for this message, Close this socket channel , Identity Mapping.probe = Syslog , Identity Mapping.server = myISE-hostname ,
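To make the two steps concrete (locating the host field in the header, as described under Syslog Header, and matching that host to a provider, as described in the note above), here is an added Python simulation. It is not ISE code: the provider table, the DNS result it embeds, the default positions and the rule that a host token must look like a hostname or an IPv4 literal are assumptions of the simulation; the input is the article's sample message.

```python
import ipaddress
import re

# Constructed sample: the article's example message, used as test input.
SAMPLE = ("<181>May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 "
          "2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong")

# Positions tried when no custom header is configured (article: first or fourth).
DEFAULT_HOST_POSITIONS = (1, 4)

# Assumption of this simulation: a host token is a hostname or an IPv4 literal,
# so tokens such as "<181>May" or "15:14:08" cannot be the host.
HOST_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed stand-in for the provider list: provider FQDN -> the IPv4 it
# resolved to when the provider was saved (ISE refuses to save an unresolvable FQDN).
PROVIDERS = {"sys_server.ise.local": "10.0.1.200"}


def extract_host(message, separator=" ", position=None):
    """Return the host token of a syslog header, or None if it cannot be located.

    position is 1-based, matching the ISE-PIC custom header dialog. Without a
    custom header the default positions are tried in order.
    """
    tokens = [t for t in message.split(separator) if t]
    positions = [position] if position else list(DEFAULT_HOST_POSITIONS)
    for pos in positions:
        if 0 < pos <= len(tokens) and HOST_TOKEN.match(tokens[pos - 1]):
            return tokens[pos - 1]
    return None


def match_provider(host, providers=PROVIDERS):
    """Match an extracted host to a provider by FQDN, short hostname or IPv4.

    Plain string equality keeps the comparison case-sensitive, as in ISE.
    """
    for fqdn, ipv4 in providers.items():
        if host == fqdn or host == fqdn.split(".", 1)[0]:
            return fqdn
        try:
            if ipaddress.IPv4Address(host) == ipaddress.IPv4Address(ipv4):
                return fqdn
        except ValueError:
            pass  # host is not an IPv4 literal
    return None


def handle(message, separator=" ", position=None, providers=PROVIDERS):
    """Accept or drop a message, returning the outcome and the reason ISE would log."""
    host = extract_host(message, separator, position)
    if host is None:
        return ("dropped", "unknown syslog message format")
    fqdn = match_provider(host, providers)
    if fqdn is None:
        return ("dropped", "unknown client: " + host)
    return ("accepted", fqdn)


if __name__ == "__main__":
    print(handle(SAMPLE))              # default header picks "EST" at position 4 -> dropped
    print(handle(SAMPLE, position=5))  # custom header, position 5 -> sys_server -> accepted
```

With the default positions the simulation lands on "EST" and drops the message as coming from an unknown client; with the custom header at position 5 it finds sys_server and matches the provider by short hostname. A host written in a different case still fails to match.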

New Syslog Template

Before clicking "Submit," we need to create a custom template for the body of the syslog message so that the identity information can be extracted. To begin, click "New".

In the example syslog message above, there are three pieces of information I want to extract: the username, the IP address and the MAC address. The template lets us do that, just as the custom header did for the hostname. Paste your example syslog line into the box and fill out the required fields. First we tell ISE-PIC what kind of mapping operation this template represents: to identify the message as a new mapping, enter the identifier ("auth:" in this example) in the "New Mapping" field. Next, fill out the user data information so ISE-PIC can find the IP, username and MAC address; each identifier tells the parser that the data we want immediately follows it. Lastly, a regular expression extracts the value. If the template is configured correctly, the parser extracts the identity information you are interested in. Be sure to click Save when finished.

Here is the RegEx I used:

IP and MAC: ([A-F0-9a-f:.]+)

Username: ([a-zA-Z0-9\_]+)
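As an added example (not ISE's parser), the following Python applies the template settings described above to the sample message: the New Mapping marker, the three identifiers and the two regular expressions exactly as given. The validation step after extraction is my own addition and an assumption about what a careful deployment should do, because the IP/MAC pattern accepts any run of hex digits, colons and dots, so a malformed value would otherwise become an identity mapping.

```python
import ipaddress
import re

# Constructed sample: the article's example message.
SAMPLE = ("<181>May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 "
          "2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong")

# The template as configured in the article: a New Mapping marker, then per-field
# identifiers whose value immediately follows, captured by the article's regexes.
TEMPLATE = {
    "new_mapping": "auth:",
    "fields": {
        "ip":       ("ip",       r"([A-F0-9a-f:.]+)"),
        "mac":      ("mac",      r"([A-F0-9a-f:.]+)"),
        "username": ("username", r"([a-zA-Z0-9\_]+)"),
    },
}


def parse_mapping(message, template=TEMPLATE):
    """Return {field: value} if the message is a new mapping, else None.

    Only the text after the New Mapping marker is searched; each value must
    directly follow its identifier, separated by whitespace. Identifiers may
    appear in any order, as they do in the sample (mac before ip).
    """
    marker = template["new_mapping"]
    idx = message.find(marker)
    if idx < 0:
        return None  # not a new-mapping message for this template
    body = message[idx + len(marker):]
    result = {}
    for field, (ident, pattern) in template["fields"].items():
        m = re.search(r"(?:^|\s)" + re.escape(ident) + r"\s+" + pattern, body)
        if m:
            result[field] = m.group(1)
    return result


def validate_mapping(mapping):
    """Tighten the loose regex captures before trusting them (my assumption, not ISE's).

    The IP must parse as an address and the MAC must hold 12 hex digits with any
    separator; the MAC is normalised to aa:bb:cc:dd:ee:ff. Returns None on failure.
    """
    if not mapping or "ip" not in mapping or "username" not in mapping:
        return None
    try:
        ip = str(ipaddress.ip_address(mapping["ip"]))
    except ValueError:
        return None
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mapping.get("mac", ""))
    if len(hexdigits) != 12:
        return None
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    return {"ip": ip, "mac": mac, "username": mapping["username"]}


if __name__ == "__main__":
    raw = parse_mapping(SAMPLE)
    print(raw)                    # {'ip': '10.5.50.52', 'mac': '1cab:a7e6:cf7f', 'username': 'astrong'}
    print(validate_mapping(raw))  # MAC normalised to 1c:ab:a7:e6:cf:7f
```

A line carrying a different marker (for example "logout:" in place of "auth:") yields no mapping, and a value such as "10.5.50" that the article's IP regex happily captures is rejected by the validation step.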

We now have our new syslog provider configured and can click "Submit."

ISE-PIC or ISE must be able to resolve the host FQDN of the syslog provider. If it can't, you won't be able to save the new provider.

At this point, ISE-PIC or ISE is ready to accept syslog messages and extract the identity information. You can verify syslog messages are being correctly parsed by taking a look at the Live Sessions.

Lab Testing

If your lab does not have the network service that generates the syslog events, you can test with GNU Netcat or a similar tool:

  • Get a Linux box as the test host and install the nc (or netcat) utility on it.
  • Create the address (A) and pointer (PTR) records of the Linux box in the DNS server(s) used by ISE or ISE-PIC.
  • Create a new syslog provider with the Linux box's info.
  • On the Linux box, issue nc commands to simulate sending syslog to ISE or ISE-PIC. For example, 
    echo 'May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong' | nc -4 myISE-IPv4 11468
    where myISE-IPv4 is a place-holder for the ISE's IPv4 address and 11468 is the TCP port for a syslog provider. If using UDP syslog, add '-u' and change the port number. Make sure the host field in the test line (sys_server here) matches the provider you defined, as described in the note on Host FQDN above; otherwise ISE drops the message as coming from an unknown client.
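An added Python equivalent of the nc step (not from the article), useful when you want to fire several distinct mappings at ISE and watch Live Sessions update. The PRI value 181 (local6.notice), the fixed body fields and the TCP port default are taken from the sample line and the lab steps; the list of test users, the UDP option and the script's argument handling are assumptions.

```python
import socket
import sys

# TCP port for a syslog provider, from the lab steps; UDP providers use their own port.
ISE_TCP_PORT = 11468


def pri(facility, severity):
    """Syslog priority value as defined in RFC 3164/5424: facility * 8 + severity.
    local6 (22) with severity notice (5) gives the sample's <181>."""
    return facility * 8 + severity


def build_message(host, user, ip, mac, ts="May 19 15:14:08 EST", facility=22, severity=5):
    """Build a line in the shape of the article's sample, PRI included.
    The body fields between the host and the identity data are copied from the sample."""
    return (f"<{pri(facility, severity)}>{ts} {host} Passed-Authentication 000011 1 0 "
            f"2013-04-01 14:06:05 info ah auth: mac {mac} ip {ip} username {user}")


def send_messages(lines, ise_ipv4, port=ISE_TCP_PORT, udp=False):
    """Send each line newline-terminated over IPv4 TCP (or one datagram each with udp=True),
    the same framing as the article's echo | nc command. Returns the bytes sent."""
    data = [(line + "\n").encode() for line in lines]
    if udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return sum(s.sendto(d, (ise_ipv4, port)) for d in data)
    with socket.create_connection((ise_ipv4, port), timeout=5) as s:
        s.sendall(b"".join(data))
    return sum(len(d) for d in data)


if __name__ == "__main__":
    # usage: python send_test_syslog.py <ISE IPv4> [udp] [port]
    if len(sys.argv) < 2:
        print("usage: python send_test_syslog.py <ISE IPv4> [udp] [port]")
        sys.exit(1)
    use_udp = len(sys.argv) > 2 and sys.argv[2] == "udp"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else ISE_TCP_PORT
    # Assumed test users; host must match the provider defined in ISE.
    lines = [build_message("sys_server", user, f"10.5.50.{52 + i}", f"1cab:a7e6:cf{0x7f + i:02x}")
             for i, user in enumerate(["astrong", "bjones"])]
    print(f"sent {send_messages(lines, sys.argv[1], port, use_udp)} bytes")
```

Each run produces one Live Session per user if the header and template are set up correctly; change the host argument to something other than the provider's name and the messages disappear into the "unknown client" log entry shown above.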

 

Comments
murat001
Level 4

Hi Timothy,

 

Thanks for this useful doc. I want to ask you something about syslog parsing with PIC using 802.1X EAP-FAST auth.

 

As you know, if we are using EAP-FAST (user+machine) auth in the deployment, then the Username appears as user+machine, and it sends this user info as is via pxGrid to FMC.

 

Do you think we can send only the user info to pxGrid subscribers using this syslog parsing method for the logs we receive from the MNT node? Do you have any suggestions?

 

I encountered the problem below and bug CSCvd73842

https://community.cisco.com/t5/firepower/fmc-ise-integration-sgt/td-p/3798067 

 

Thanks 

 

Murat

 

 

 
