Cisco ISE System 360 Log Analytics - Ingest External Logs

JaseNL
Level 1

Hi

I have developed an extension application for Cisco ISE and I have been asked to send the logs from this to the ISE System 360 Log Analytics so that a Kibana dashboard can be created for it. I have configured my application to send logs to a UDP syslog remote logging target configured in Administration / Logging / Remote Logging Targets, as directed by the ISE admins, and I can see Logging Categories, also under Administration / Logging, which map to logging targets. But I can't see how any of these relate to the configuration possibilities for ingest pipelines under Operations / System 360 / Log Analytics. In fact, when creating a new pipeline, all of the processors it's possible to add seem to be filters; there is no input and no output. Presumably that's because Cisco have restricted the input and output options. So my questions are:

1. How can I check how far up the ELK stack my logs are getting? (Presumably they won't get into Elasticsearch without an index, but I can't see how to create one of those either.)

2. I can see a Create Index Pattern under Operations / System 360 / Log Analytics -> Kibana / Index Patterns, but they relate to existing indexes ... How can I create a new one?

3. Is there anything else I need to do to make this work?

Once I get the log data into Elasticsearch I'm confident I can search it in Kibana. I just have the feeling that either I've completely misunderstood the integration between the ELK stack and Cisco ISE, or that what I want to do is just not possible.

Any pointers would be gratefully received ...

Thanks

Accepted Solution

Enes Simnica
Level 1

Hello G. To verify log propagation, check Operations > System 360 > Log Analytics > Real-Time Logs for your application logs. Successful ingestion should make them visible in Kibana's existing index patterns. Note that ISE automatically manages index creation via ingest pipelines rather than manual configuration.

Also, for sure, for your custom logs, ensure they're properly formatted (preferably JSON) and that your ingest pipeline includes the appropriate processors (grok for unstructured data, json for structured). The logging category in Administration > Logging should correctly map to your remote logging target.

Now, if logs aren't appearing, consider these troubleshooting steps:

  1. Verify log format matches pipeline processors
  2. Test with the Simulate Pipeline feature if available
  3. Confirm proper permissions for log ingestion

For further assistance it would be good to share a sample log entry, your ISE version and your pipeline config.

Hope it helps, G.

 

-Enes

more Cisco?!
more Gym?!
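As an added example (not code from the original post, from Cisco, or from Elastic): an Elasticsearch ingest pipeline for an extension application that emits RFC 3164 syslog lines whose message body is JSON, together with an offline dry run of the grok and json processors over constructed sample lines. The pipeline id `ise-ext-app`, the target field names and the sample lines are assumptions; the pipeline body is in the shape Elasticsearch accepts for `PUT _ingest/pipeline/<id>` and `POST _ingest/pipeline/_simulate`. Whether ISE's Log Analytics exposes those APIs directly is not something this thread establishes, so treat the dry run as a way to validate the application's log format against the processors before touching ISE.

```python
"""Added example, not code from the original post or from Cisco ISE.

An ISE extension application emits RFC 3164 syslog lines whose message body
is JSON. The pipeline below (id 'ise-ext-app' is an assumption) parses the
syslog envelope with a grok processor and decodes the body with a json
processor; simulate() dry-runs sample events through an offline emulation of
those processors so the log format can be checked before using the real
POST _ingest/pipeline/_simulate API.
"""
import json
import re

# Subset of the stock Elasticsearch grok patterns, as Python regexes.
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "HOSTNAME": r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*",
    "PROG": r"[A-Za-z0-9._/%-]+",
    "POSINT": r"\b[1-9][0-9]*\b",
    "GREEDYDATA": r".*",
}

# Field names on the right of each ':' are assumptions for this example.
SYSLOG_GROK = (r"%{SYSLOGTIMESTAMP:syslog.timestamp} %{HOSTNAME:host.name} "
               r"%{PROG:process.name}(?:\[%{POSINT:process.pid}\])?: %{GREEDYDATA:message_json}")

# Body for: PUT _ingest/pipeline/ise-ext-app
PIPELINE = {
    "description": "Parse the syslog envelope, then decode the JSON body",
    "processors": [
        {"grok": {"field": "message", "patterns": [SYSLOG_GROK]}},
        {"json": {"field": "message_json", "target_field": "app",
                  "on_failure": [{"set": {"field": "error.message",
                                          "value": "body is not JSON"}}]}},
        {"remove": {"field": "message_json", "ignore_missing": True}},
    ],
}

# Constructed sample events (not real ISE output): a valid JSON body,
# a plain-text body, and a line that is not syslog at all.
SAMPLE_LINES = [
    'Mar  3 14:02:11 ise-ext01 ise-ext-app[4121]: {"event":"login","user":"alice","result":"ok"}',
    'Mar  3 14:02:12 ise-ext01 ise-ext-app[4121]: user bob failed login',
    'not a syslog line at all',
]


def grok_to_regex(pattern):
    """Translate %{NAME:field} tokens into an anchored Python regex with
    named groups ('.' in field names becomes '__' because Python group
    names cannot contain dots)."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field.replace('.', '__')}>{body})" if field else f"(?:{body})"
    return re.compile("^" + re.sub(r"%\{(\w+)(?::([\w.]+))?\}", repl, pattern) + "$")


def simulate(pipeline, docs):
    """Offline emulation of the grok, json and remove processors used above.
    Returns one (document, error) pair per input; error is None when every
    processor succeeded or its on_failure handler ran. Dotted field names are
    kept flat here; Elasticsearch would nest them (host: {name: ...})."""
    results = []
    for source in docs:
        doc, error = dict(source), None
        for proc in pipeline["processors"]:
            (kind, cfg), = proc.items()
            if kind == "grok":
                match = grok_to_regex(cfg["patterns"][0]).match(doc.get(cfg["field"], ""))
                if match is None:
                    error = "grok: pattern does not match"
                    break
                doc.update({k.replace("__", "."): v
                            for k, v in match.groupdict().items() if v is not None})
            elif kind == "json":
                try:
                    doc[cfg["target_field"]] = json.loads(doc[cfg["field"]])
                except (KeyError, ValueError):
                    if "on_failure" not in cfg:
                        error = "json: body is not JSON"
                        break
                    for handler in cfg["on_failure"]:
                        doc[handler["set"]["field"]] = handler["set"]["value"]
            elif kind == "remove":
                doc.pop(cfg["field"], None)
        results.append((doc, error))
    return results


def simulate_request(lines):
    """Body for POST _ingest/pipeline/_simulate, to repeat the check against
    a live cluster once the offline dry run passes."""
    return {"pipeline": PIPELINE, "docs": [{"_source": {"message": l}} for l in lines]}


if __name__ == "__main__":
    for doc, error in simulate(PIPELINE, [{"message": l} for l in SAMPLE_LINES]):
        print(error or "ok", json.dumps(doc))
    print(json.dumps(simulate_request(SAMPLE_LINES[:1]), indent=2))
```

Two caveats worth keeping in mind when the sender is a UDP syslog target: RFC 3164 limits a packet to 1024 bytes, so a long JSON body can arrive truncated and then fail the json processor (the `on_failure` handler above records that rather than dropping the event), and UDP syslog is unauthenticated, so anything that can reach the collector can inject events that look like the application's; dashboards are fine, but alerting keyed on those fields alone should be treated with that in mind.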

JaseNL
Level 1

Hi Enes

Thanks for your reply. I'll try your suggestions on Monday and report back ...

JaseNL
Level 1

Hi Enes

It seems System 360 is broken on our lab ISE instance. I also can't see the Real-Time Logs link you mentioned under Log Analytics (we're using 3.2.0.401). So I'm going to have the whole instance rebuilt and then have another go. Hopefully your suggestions will help me once I have a reliable ISE instance to test with.

Thanks again

Jason