https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4173510#M563517 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>We are a Managed Security Services company trying to onboard a customer's Cisco ISE device onto&nbsp;QRadar 7.4.0 FP3.</P><P>- The logs are landing at the QRadar event collector.</P><P>- They are arriving as UDP multiline, which is what QRadar expects.</P><P>&nbsp;</P><P>ISSUE: However, the <A href="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_Cisco_ISE_overview.html" target="_self">DSM guide</A> produced by IBM seems to deal with the older versions of QRadar, hence the log source settings are a little different. I need your guidance on onboarding it to&nbsp;QRadar 7.4.0 FP3.</P><P>&nbsp;</P><P>Here are variations/differences/gaps from the DSM guide which we saw:</P><P>&nbsp;</P><P>1. As seen in screenshot # 1 below, the field Source Name Formatting String is mandatory when you create the log source. However, that field wasn't present in the previous QRadar versions. What value should be put there?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE2.png" style="width: 585px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86898iFCC6C9E3DF4916B2/image-size/large?v=v2&amp;px=999" role="button" title="ISE2.png" alt="ISE2.png" /></span></P><P>&nbsp;</P><P>2. As seen in screenshot # 2 below, when you enable Show Advanced Options, some more options show up. What should be enabled in the advanced settings?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE1.png" style="width: 585px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86899i5C38C3145A91D9DB/image-size/large?v=v2&amp;px=999" role="button" title="ISE1.png" alt="ISE1.png" /></span></P><P>&nbsp;</P><P>3. As seen in screenshot # 3 below, we have selected the Protocol Type as UDP Multiline Syslog (instead of Syslog). Would the QRadar DSM automatically re-assemble the log messages coming over multiple packets? If we select the Protocol Type as Syslog, then the first message gets parsed but the remaining ones are not re-assembled. In any case, the recommended option in the DSM guide is UDP Multiline Syslog, which is not working.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE3.png" style="width: 590px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86895iE1492CF80D2A5CC4/image-size/large?v=v2&amp;px=999" role="button" title="ISE3.png" alt="ISE3.png" /></span></P><P>&nbsp;</P><P>I would appreciate some help on the same. Apart from the highlighted, the only difference is that we are sending it to a non-default port at the event collector (527 instead of 517).</P><P>&nbsp;</P><P>Best,</P><P>Pukhraj</P> Mon, 26 Oct 2020 09:13:50 GMT Singh94100 2020-10-26T09:13:50Z https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4173510#M563517 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>We are a Managed Security Services company trying to onboard a customer's Cisco ISE device onto&nbsp;QRadar 7.4.0 FP3.</P><P>- The logs are landing at the QRadar event collector.</P><P>- They are arriving as UDP multiline, which is what QRadar expects.</P><P>&nbsp;</P><P>ISSUE: However, the <A href="https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_Cisco_ISE_overview.html" target="_self">DSM guide</A> produced by IBM seems to deal with the older versions of QRadar, hence the log source settings are a little different. I need your guidance on onboarding it to&nbsp;QRadar 7.4.0 FP3.</P><P>&nbsp;</P><P>Here are variations/differences/gaps from the DSM guide which we saw:</P><P>&nbsp;</P><P>1. As seen in screenshot # 1 below, the field Source Name Formatting String is mandatory when you create the log source. However, that field wasn't present in the previous QRadar versions. What value should be put there?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE2.png" style="width: 585px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86898iFCC6C9E3DF4916B2/image-size/large?v=v2&amp;px=999" role="button" title="ISE2.png" alt="ISE2.png" /></span></P><P>&nbsp;</P><P>2. As seen in screenshot # 2 below, when you enable Show Advanced Options, some more options show up. What should be enabled in the advanced settings?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE1.png" style="width: 585px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86899i5C38C3145A91D9DB/image-size/large?v=v2&amp;px=999" role="button" title="ISE1.png" alt="ISE1.png" /></span></P><P>&nbsp;</P><P>3. As seen in screenshot # 3 below, we have selected the Protocol Type as UDP Multiline Syslog (instead of Syslog). Would the QRadar DSM automatically re-assemble the log messages coming over multiple packets? If we select the Protocol Type as Syslog, then the first message gets parsed but the remaining ones are not re-assembled. In any case, the recommended option in the DSM guide is UDP Multiline Syslog, which is not working.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE3.png" style="width: 590px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86895iE1492CF80D2A5CC4/image-size/large?v=v2&amp;px=999" role="button" title="ISE3.png" alt="ISE3.png" /></span></P><P>&nbsp;</P><P>I would appreciate some help on the same. Apart from the highlighted, the only difference is that we are sending it to a non-default port at the event collector (527 instead of 517).</P><P>&nbsp;</P><P>Best,</P><P>Pukhraj</P> Mon, 26 Oct 2020 09:13:50 GMT https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4173510#M563517 Singh94100 2020-10-26T09:13:50Z https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4173734#M563522 <P>I'd recommend opening a ticket with support team.</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc49" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc49</A></P><P>its under the troubleshooting guide</P><P><A href="https://community.cisco.com/t5/security-documents/ibm-qradar-pxgrid-app-troubleshooting/ta-p/3891487" target="_blank">https://community.cisco.com/t5/security-documents/ibm-qradar-pxgrid-app-troubleshooting/ta-p/3891487</A></P> Mon, 26 Oct 2020 15:11:31 GMT https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4173734#M563522 Jason Kunst 2020-10-26T15:11:31Z https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4304216#M565991 <P>Hi could please give the solution details? I've the same problem here.</P> Tue, 09 Mar 2021 19:54:05 GMT https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4304216#M565991 Wanderley Viana 2021-03-09T19:54:05Z https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4305057#M566019 <P>Please look at the latest qRadar guides under <A href="http://cs.co/ise-guides" target="_blank">http://cs.co/ise-guides</A>&nbsp;if you're still having issues open a support ticket.&nbsp;</P> <P>&nbsp;</P> <P>Also this seems it might be a QRadar issue and nothing to do with the ISE QRadar app. I'd recommend a ticket with IBM.</P> <P>&nbsp;</P> <P>Please do share what you get so we can update guides</P> Wed, 10 Mar 2021 16:56:22 GMT https://community.cisco.com/t5/network-access-control/onboarding-cisco-ise-onto-qradar-7-4-0-fp3-issues-encountered/m-p/4305057#M566019 Jason Kunst 2021-03-10T16:56:22Z