Greetings experts,
I am working with a customer where they are using ISE for TACACS (ISE 2.4) and sending TACACS Syslog to an external Syslog server. The customer would like to get some official doc or something from Cisco about these TACACS Syslog messages
DestinationIPAddress----------(This IP address is TACACS server, however, external Syslog server vendor interprets this field differently)
Remote-Address------------(The IP of endpoint and tried to log in to a switch/routers for TACACS authentication)
Device IP Address----------(This IP is of NAD i.e TACACS client)
|
Raw log data sent by ISE TACACS
|
Description of what the data is
|
Confusion in Naming
|
|
Device IP Address = 192.168.x.x
|
The device being impacted, the device that sent the log in the first place, the destination of the logon/attack
|
DESTINATION HOST – need this clearly stated somewhere by Cisco
|
|
DestinationIPAddress = 10.1.x.x
|
The log forwarder, the “management station”, this is the ISE Server
|
Why is the word “Destination” used when this is the management station/ISE
|
|
Remote-Address = 192.168.x.x
|
The host from which the logon was attempted, the actual attacker
|
SOURCE HOST – the host where the logon came from, not a “remote address”
|
The difference how ISE looks remote-address is different what the customer Syslog server wanted to expect, hence we need some explanation on these parameters.
I found this link but this does not have an explanation
https://community.cisco.com/t5/identity-services-engine-ise/ise-and-complete-syslog-message-list-for-clever-event-management/td-p/3733218
Regards,
Chandan
Any help on this would be much appreciated.
