6755 Views | 0 Helpful | 8 Replies

CEF format for ISE logs

mstangal
Cisco Employee

Hi all,

I'm receiving this question from the customer. ArcSight is the SIEM they have to collect everything related to security.

  • Log export in CEF format from ISE

      ◦ We would like to collect ISE logging on the same central syslog server mentioned above. If ISE isn’t capable of exporting logs in this format:

  • Is it a feature on the roadmap? ISE 2.3 is not a long term support release, so we may need to upgrade it in the near future.
  • Can you provide some custom parser in order to analyze those logs?

Thanks a lot,

Marco

Accepted Solution

Jason Kunst
Cisco Employee

I am pretty sure that we cannot send in CEF format.

Great information here for logging settings, remote collection points and more:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01011.html?bookSearch=true

What other logging SIEMs have done is write their own collector to consume our syslog.

Example:

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

I would suggest reaching out to ISE product management through sales channels for a feature request.


8 Replies

Hi Jason,

Thanks a lot for your answer. Can you elaborate a little bit more on what you are thinking about and what I could suggest to the customer? I have shared the attached document with the customer; how is this different from the Splunk implementation?

I’m not aware of the CEF format, so I don’t know why the customer is asking for that and what the advantages of supporting it would be.

I would recommend that the customer look into asking their SIEM vendor about a custom solution, like Splunk has done with their ISE app, or maybe a partner has a custom solution for parsing the logs.

You can reach out via the sales team to ISE product management and ask for a feature request as well, to see if we will ever do CEF.

Hi Jason,

Do you have a contact to get in touch with the BU?

Thanks a lot,

Marco

As you already provided, ArcSight has the ability to consume ISE syslog, so I'm not clear on the requirement.

If you need specific functionality from ArcSight (additional canned reports, queries, etc.), then that would be a request to the 3rd-party vendor. If it is a specific enhancement request for ISE, then that can be communicated to the Cisco account team, who can then forward it to the proper internal alias for ISE PM support.

Craig

I have our SME @john eppich working on posting a guide for ISE and ArcSight; please stand by.

clive-fulton
Level 1

I have been asked to provide CEF logs from ISE to MS Sentinel. We are using ISE 3.0; am I right in thinking that this is still not available? If not, is it on the roadmap for future releases?

Thanks

Clive


There is currently no capability for ISE to send logs in CEF format, and the roadmap is not discussed on this public forum. You should be able to stand up a dedicated Linux log collector to collect syslog from ISE and send it to MS Sentinel as per this Microsoft document.

You can request enhancements via https://cs.co/ise-wish
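Both the accepted answer's "write their own collector to consume our syslog" and the dedicated Linux log collector mentioned in the last reply come down to the same job: parse the ISE syslog records and re-emit them in the format the SIEM expects, here CEF. The Python collector below is an added example written for this thread; it is not code from Cisco, ArcSight, Microsoft or any poster. The ISE line layout it parses (`CISE_<category>`, message id, segment count, segment index, ISE timestamp, sequence number, message code, severity keyword, then a description followed by comma-separated `Key=Value` attributes), the multi-segment reassembly, the severity and field mappings, the device version string and the sample records are all the author's assumptions, constructed for illustration.

```python
"""Reassemble Cisco ISE syslog records and emit them as CEF:0 lines.

Added example: the ISE record layout parsed here is an assumption made for
this example, not a format taken from the thread or from Cisco documentation.
"""
import re
from datetime import datetime

ISE_RE = re.compile(
    r"^(?:<\d+>)?"                                          # optional syslog PRI
    r"(?P<bsd_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "   # BSD syslog timestamp
    r"(?P<host>\S+) "
    r"(?P<category>CISE_\w+) "
    r"(?P<msg_id>\d+) (?P<segments>\d+) (?P<segment>\d+) "
    r"(?P<ise_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) "
    r"(?P<seq>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<body>.*)$"
)

# ISE severity keyword -> CEF severity (0-10). Mapping chosen for this example.
SEVERITY = {"EMERG": 10, "ALERT": 9, "CRIT": 8, "ERROR": 7,
            "WARN": 5, "NOTICE": 3, "INFO": 1, "DEBUG": 0}

# ISE attribute name -> standard CEF extension key. Unmapped attributes are
# passed through with non-alphanumerics stripped (a simplification; a strict
# CEF consumer may want them in cs1/cs1Label style custom fields instead).
FIELD_MAP = {"Device IP Address": "dvc", "UserName": "suser",
             "Calling-Station-ID": "smac", "Framed-IP-Address": "src"}


def parse_ise(line):
    """Return a dict for one ISE syslog line, or None if it does not match."""
    m = ISE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    for k in ("segments", "segment", "code"):
        rec[k] = int(rec[k])
    return rec


class Reassembler:
    """Join multi-segment ISE messages (assumed to arrive in order) and hand
    back only complete records, keyed by (host, message id)."""

    def __init__(self):
        self._parts = {}  # (host, msg_id) -> (first record, [segment bodies])

    def feed(self, line):
        rec = parse_ise(line)
        if rec is None:
            return None
        key = (rec["host"], rec["msg_id"])
        first, bodies = self._parts.setdefault(key, (rec, []))
        bodies.append(rec["body"])
        if len(bodies) < first["segments"]:
            return None  # still waiting for the remaining segments
        del self._parts[key]
        first["body"] = "".join(bodies)
        return first


def split_body(body):
    """Split 'Description, Key=Value, Key=Value,' into (description, pairs).
    A value that itself contained ', ' is glued back onto the previous pair."""
    pieces = body.rstrip(", ").split(", ")
    desc = pieces[0] if "=" not in pieces[0] else ""
    pairs = []
    for p in (pieces[1:] if desc else pieces):
        if "=" in p:
            k, v = p.split("=", 1)
            pairs.append((k.strip(), v.strip()))
        elif pairs:
            k, v = pairs[-1]
            pairs[-1] = (k, v + ", " + p)
    return desc, pairs


def _esc_header(v):
    # CEF header fields escape backslash and the pipe delimiter.
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    # CEF extension values escape backslash, '=' and line breaks.
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec, ise_version="unknown"):
    """Render one complete ISE record as a CEF:0 line."""
    desc, pairs = split_body(rec["body"])
    ts = datetime.strptime(rec["ise_ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    rt = int(ts.timestamp()) * 1000 + ts.microsecond // 1000  # ms since epoch
    ext = [("rt", rt), ("dvchost", rec["host"]),
           ("externalId", rec["msg_id"]), ("cat", rec["category"])]
    for k, v in pairs:
        ext.append((FIELD_MAP.get(k, re.sub(r"[^A-Za-z0-9]", "", k)), v))
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "Cisco", "ISE", ise_version, rec["code"], desc,
        SEVERITY.get(rec["severity"], 1)))
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext)


def convert_lines(lines, ise_version="unknown"):
    """Run syslog lines through the reassembler; return the CEF lines produced."""
    r, out = Reassembler(), []
    for ln in lines:
        rec = r.feed(ln)
        if rec is not None:
            out.append(to_cef(rec, ise_version))
    return out


# Constructed sample records (not real ISE output): one single-segment
# passed authentication and one failed attempt split over two segments.
SAMPLE = ("<181>Mar 04 09:15:22 ise-pan01 CISE_Passed_Authentications 0000000042 1 0 "
          "2024-03-04 09:15:22.123 +00:00 0000000777 5200 NOTICE Passed-Authentication: "
          "Authentication succeeded, ConfigVersionId=12, Device IP Address=10.10.20.5, "
          "UserName=alice, Calling-Station-ID=00:11:22:33:44:55, "
          "Device Type=Device Type#All Device Types#Switches,")
SEG1 = ("<181>Mar 04 09:15:23 ise-pan01 CISE_Failed_Attempts 0000000043 2 0 "
        "2024-03-04 09:15:23.001 +00:00 0000000778 5400 WARN Authentication failed: "
        "Wrong password, ConfigVersionId=12, Device IP Address=10.10.20.5, UserName=bob,")
SEG2 = ("<181>Mar 04 09:15:23 ise-pan01 CISE_Failed_Attempts 0000000043 2 1 "
        "2024-03-04 09:15:23.001 +00:00 0000000779 5400 WARN  Calling-Station-ID=aa:bb:cc:dd:ee:ff,")

if __name__ == "__main__":
    for cef in convert_lines([SAMPLE, SEG1, SEG2], ise_version="3.0"):
        print(cef)
```

In a real deployment the `convert_lines` loop would read from a UDP/TCP syslog listener (or from the file rsyslog writes) and forward each CEF line to the SIEM's syslog or agent input; the reassembly step matters because ISE splits long records across segments, and a collector that treats each segment as its own event loses the attributes in the later segments.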