cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2598
Views
2
Helpful
10
Replies

Can you assist with understanding Syslog fields?

jcresdee
Cisco Employee
Cisco Employee

Hello team,


Is it possible for you to provide a technical document that provides the technical schema and field references that is used to create our Syslog events, so syslog files can be  parsed efficiently to find specific information?


the specific logs in question are the AAA audit logs to in regards to gathering information regarding the field TLSCipher= as well as some additional fields, regarding the users which could be found by understanding the field references.

Is that something you would be able to provide?

1 Accepted Solution

Accepted Solutions

This really depends on what customers needing to capture.

As an example, ISE Passive Identity may have syslog providers (e.g. from another ISE deployment) and we may either use the pre-built templates or create our own to parse for data of interest (username, client IP, client mac, new event pattern, remove event pattern, etc.) using a regular expression.

In case that customers using Splunk, there is an add-on for ISE. See Splunk

View solution in original post

10 Replies 10

hslai
Cisco Employee
Cisco Employee

Hi,

The documents provided only show some generic syslog fields, which is why I raised this question. Our global customer is looking to understand which fields are used in the AAA audit logs, so they can parse large amounts of data. Can you please provide me with the specific field names that are used in the AAA audit log?

Hi, my customer (major global) is still waiting for a response from us and I cannot respond with generic configuration guides, can you please respond with the information requested? Many thanks.

Danny, thanks for the response, however that document doesn't provide me with the fields that are found in the AAA audit logs. The customer is question is one of our largest global customers who are now becoming frustrated that we aren't able to tell them which fields we have within our own logs. Happy to talk to you offline if that speeds things up, huge thanks.

Attached is a sample log entry, in case that is what the customer looking for.

Thanks for the log output. As you can see the log output is very busy, hence the request for the field names to be extracted, so that the customer can parse the log files and search for what they need. Is there any chance you can provide me with the requested field names that are used in the AAA logs please?

I don't need all field names for all logs, only the field names for the AAA audit log, we need to be putting our best foot forwards here as the customer is losing patience as well as faith that we know our own products and I know that isn't the case.

This really depends on what customers needing to capture.

As an example, ISE Passive Identity may have syslog providers (e.g. from another ISE deployment) and we may either use the pre-built templates or create our own to parse for data of interest (username, client IP, client mac, new event pattern, remove event pattern, etc.) using a regular expression.

In case that customers using Splunk, there is an add-on for ISE. See Splunk

All the customer needs are the specific field names that are used in the AAA Audit logs so they can parse the data, can we please get that information for them?

I would suggest us to discuss this further offline.