topic Re: CEF format for ISE logs in Network Access Control

CEF format for ISE logs

mstangal — Wed, 24 Jan 2018 08:44:33 GMT

Hi all,

I'm receiving this question from the customer. ArcSight is the SIEM they have to collect everything related to security.

Log export in CEF format from ISE

o We would like to collect ISE logging on the same central syslog server mentioned above. If ISE isn’t capable of exporting logs in this format:

Is it a feature on the roadmap? ISE 2.3 is not a long term support release, so we may need to upgrade it in the near future.
Can you provide some custom parser in order to analyze those logs?

Thanks a lot,

Marco

Re: CEF format for ISE logs

Jason Kunst — Wed, 24 Jan 2018 13:43:59 GMT

I am pretty sure that we cannot send in CEF format

Great information here for logging settings, remote collection points and more

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01011.html?bookSearch=true

What other logging siem have done is write their own collector to consume our syslog

Example

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

I would suggest reaching out to ise product management through sales channels for a feature request

Re: CEF format for ISE logs

mstangal — Wed, 24 Jan 2018 13:57:11 GMT

Hi Jason,

thanks a lot for your answer. Can you elaborate a little bit more what you are thinking about and what I could suggest to the customer? I have shared the document in attach with the customer, how this is different from the Spluk implementation?

I’m not aware of the CEF format so I don’t know why the customer is asking for that and which would be the advantages on supporting it.

Re: CEF format for ISE logs

Jason Kunst — Wed, 24 Jan 2018 14:13:24 GMT

Would recommend that the customer look into asking their siem vendor about a custom solution like splunk has done with their ISE app or Maybe a partner has a custom solution for parsing the logs

You can reach out via sales team to ISE product management and ask for a feature request as well to see if we will ever do CEF

Re: CEF format for ISE logs

mstangal — Wed, 24 Jan 2018 14:16:26 GMT

Hi Jason,

do you have a contact to get in touch with BU?

Thanks a lot,

Marco

Re: CEF format for ISE logs

Craig Hyps — Wed, 24 Jan 2018 14:29:15 GMT

As you already provided, ArcSight has ability to consume ISE syslog so not clear on requirement.

If need specific functionality from ArcSight (additional canned reports, queries, etc), then that would be request to 3rd-party vendor. If specific enhancement request for ISE, then that can be communicated to Cisco account team who can then forward to proper internal alias for ISE PM support.

Craig

Re: CEF format for ISE logs

Jason Kunst — Wed, 24 Jan 2018 18:03:29 GMT

i have our SME @john eppich working on posting a guide for ISE and arc sight, please standby

Re: CEF format for ISE logs

clive-fulton — Tue, 11 Oct 2022 08:04:56 GMT

I have been asked to provide CEF logs from ISE to MS Sentinel. We are using ISE 3.0, am I right in thinking that this is still not available ? If not, is it on the roadmap for future releases ?

Thanks

Clive

Re: CEF format for ISE logs

Greg Gibbs — Tue, 11 Oct 2022 21:27:25 GMT

There is currently no capability for ISE to send logs in CEF format and roadmap is not discussed on this public forum. You should be able to stand up a dedicated Linux log collector to collect syslog from ISE and send it to MS Sentinel as per this Microsoft document.

You can request enhancements via https://cs.co/ise-wish