Solved: Cisco ISE syslog message for 87004 NOTICE Posture: Posture service received a USB-check report from ...

kylerossd · ‎07-10-2020

Hello,

Does anyone have an example of a Cisco ISE syslog for this event? I have the description of what this would look like but I need to know what the <log details> looks like.

Message Code: 87004

Severity: NOTICE

Message Text: Posture service received a USB-check report from an endpoint

Message Description: Received a USB-check report message from an endpoint

Local Target Message Format: <timestamp> <seq_num> 87004 NOTICE Posture: Posture service received a USB-check report from an endpoint, <log details>

Remote Target Message Format: <pri_num> <timestamp> <IP address/hostname> <CISE_logging category> <msg_id> <total seg> <seg num><timestamp> <seq_num> 87004 NOTICE Posture: Posture service received a USB-check report from an endpoint, <log details>

Any insights are greatly appreciated

kylerossd · ‎07-17-2020

Yes, I ended up standing up a test and configuring posture for USB Check. If anyone else is interested here it is:

CISE_Posture_and_Client_Provisioning_Audit 0000000002 2 0 2020-07-11 22:59:46.379 -04:00 0000005801 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=77, NetworkDeviceGroups=Location#All Locations, RequestTime=1594522785899, ResponseTime=1594522786378, MacAddress=84-7B-EB-57-20-0E, OperatingSystem=Windows 10 Home 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.9.00086, PostureReport=Default_USB_Block_Policy_Win\;Failed\;(USB_Block:Mandatory:Failed:Passed_Conditions[]:Failed_Conditions[USB_Check]:Skipped_Conditions[]), PostureStatus=NonCompliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=kyle, SessionId=C0A802090000001B05A91D7A, UserAgreementStatus=NotEnabled, SystemName=DESKTOP-9G5A787, SystemDomain=n/a, SystemUser=Kyle, SystemUserDomain=DESKTOP-9G5A787, IpAddress=192.168.2.135, AMInstalled=Windows Defender\;4.18.2006.10\;1.319.1241.0\;07/11/2020\;,

View solution in original post

hslai · ‎07-11-2020

If you have access to an ISE deployment to test this, you may check the local logs on the PSN by CLI

 show logging application localStore/iseLocalStore.log tail

I tried to simulate it using a Windows Client on VMware but I was only able to generate regular posture events but not this specific one on USB-check.

kylerossd · ‎07-17-2020

Yes, I ended up standing up a test and configuring posture for USB Check. If anyone else is interested here it is:

CISE_Posture_and_Client_Provisioning_Audit 0000000002 2 0 2020-07-11 22:59:46.379 -04:00 0000005801 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=77, NetworkDeviceGroups=Location#All Locations, RequestTime=1594522785899, ResponseTime=1594522786378, MacAddress=84-7B-EB-57-20-0E, OperatingSystem=Windows 10 Home 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.9.00086, PostureReport=Default_USB_Block_Policy_Win\;Failed\;(USB_Block:Mandatory:Failed:Passed_Conditions[]:Failed_Conditions[USB_Check]:Skipped_Conditions[]), PostureStatus=NonCompliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=kyle, SessionId=C0A802090000001B05A91D7A, UserAgreementStatus=NotEnabled, SystemName=DESKTOP-9G5A787, SystemDomain=n/a, SystemUser=Kyle, SystemUserDomain=DESKTOP-9G5A787, IpAddress=192.168.2.135, AMInstalled=Windows Defender\;4.18.2006.10\;1.319.1241.0\;07/11/2020\;,

Cisco ISE syslog message for 87004 NOTICE Posture: Posture service received a USB-check report from an endpoint