Splunk for Cisco Identity Services (ISE)

Hi Team,

 

We had also installed the Cisco ISE add-on on our heavy forwarder earlier and are getting ISE events in the proper format.

 

We are using Splunk as our SIEM tool and recently installed the Cisco ISE App on the Splunk search head and indexers to visualize the pre-defined dashboards.

 

Please find below the links for reference:

Download Splunk for Cisco Identity Services (ISE)

https://splunkbase.splunk.com/app/1589/

Download Splunk Add-on for Cisco Identity Services

https://splunkbase.splunk.com/app/1915/

 

The moment we installed the Cisco ISE app on the Splunk search head and indexers, Splunk started rejecting all the events due to the error below:

10-21-2019 17:05:13.814 +0000 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/logdata01/logs/cisco/ise/isesvr01/2019-10-21-cisco-ise.log", data_host="isesvr01", data_sourcetype="cisco:ise:syslog"

We also tried to find a solution for the above error via the following link:
https://answers.splunk.com/answers/526680/splunk-ise-ta-fails-when-distributed-via-cluster-m.html

But this question is yet to be answered on Splunk Answers.

Then I had a word with the Splunk support team, and they looked at this app's config. They could have fixed it, but they were not sure that, after fixing this issue, it wouldn't create more problems. Since it was a production environment, we simply uninstalled this app.

 

Did anyone face this issue in your environment?

 

Thanks in advance.

 

Regards,

Tejas

Accepted Solution
Cisco Employee

Re: Splunk for Cisco Identity Services (ISE)

Hey Tejas,

 

I haven't, please email me, I would like to setup a Webex to discuss your issues.

 

Thanks,

John

jeppich@cisco.com


Replies
Cisco Employee

Re: Splunk for Cisco Identity Services (ISE)

I have not worked on this. However...

"Install an add-on in a distributed Splunk Enterprise deployment" shows to use $SPLUNK_HOME. If that does not work, then this seems to be some limitation in the Splunk clustering environment and would need Splunk to enhance it.
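The error in the original post names an absolute path under /opt/splunk/etc/apps/ for the DateParser XML, while on indexer-cluster peers an app pushed by the cluster master lands under etc/slave-apps (called etc/peer-apps in later Splunk versions), not etc/apps. The following pre-flight check is an added example, not code from the page, from Cisco or from the Splunk TA: it parses a props.conf fragment, resolves each DATETIME_CONFIG value the way Splunk documents it (relative to $SPLUNK_HOME, with the keywords CURRENT and NONE needing no file), and reports whether the referenced file is present, missing, or present only under a different app root. The props.conf content is constructed for the example; that the TA sets DATETIME_CONFIG to an absolute /etc/apps/... path is an assumption inferred from the error message, and the list of app roots is an assumption about where a clustered deployment may install apps.

```python
"""Pre-flight check for DATETIME_CONFIG paths in a Splunk TA's props.conf.

Added example; the props.conf text below is constructed to mirror the
error in the post and is not the real Splunk_TA_cisco-ise configuration.
"""
import configparser
import os
import tempfile

# Constructed sample props.conf fragment. The absolute /etc/apps path is an
# assumption inferred from the error message in the post; only the
# cisco:ise:syslog sourcetype and the datetime_udp.xml filename come from it.
SAMPLE_PROPS = """\
[cisco:ise:syslog]
DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml
TRUNCATE = 0

[cisco:ise:other]
DATETIME_CONFIG = CURRENT
"""

# App roots (relative to $SPLUNK_HOME) a clustered deployment may use.
# Assumption for this example: cluster peers get apps in etc/slave-apps
# (etc/peer-apps on newer releases), deployment clients in etc/apps.
APP_ROOTS = ("etc/apps", "etc/slave-apps", "etc/peer-apps", "etc/deployment-apps")


def parse_datetime_configs(props_text):
    """Return {stanza: DATETIME_CONFIG value} for stanzas that set it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in props.conf
    cp.read_string(props_text)
    return {s: cp[s]["DATETIME_CONFIG"] for s in cp.sections()
            if "DATETIME_CONFIG" in cp[s]}


def resolve_datetime_config(value, splunk_home):
    """Resolve a DATETIME_CONFIG value as Splunk does: CURRENT and NONE need
    no file; any other value is a path relative to $SPLUNK_HOME, so a leading
    slash does not make it absolute."""
    if value.strip().upper() in ("CURRENT", "NONE"):
        return None
    return os.path.join(splunk_home, value.strip().lstrip("/"))


def find_app_copies(path, splunk_home):
    """For a path of the form $SPLUNK_HOME/etc/<root>/<app>/..., list the
    same app-relative file under every known app root that actually has it."""
    parts = os.path.relpath(path, splunk_home).split(os.sep)
    if len(parts) < 4 or parts[0] != "etc":
        return []
    tail = os.path.join(*parts[2:])  # <app>/<subdir>/<file>
    return [os.path.join(splunk_home, root, tail) for root in APP_ROOTS
            if os.path.isfile(os.path.join(splunk_home, root, tail))]


def check_props(props_text, splunk_home):
    """Return {stanza: status}; status is 'ok', 'not-needed', 'missing', or
    'wrong-root:<path>' when the file exists only under another app root."""
    results = {}
    for stanza, value in parse_datetime_configs(props_text).items():
        path = resolve_datetime_config(value, splunk_home)
        if path is None:
            results[stanza] = "not-needed"
        elif os.path.isfile(path):
            results[stanza] = "ok"
        else:
            copies = find_app_copies(path, splunk_home)
            results[stanza] = "wrong-root:" + copies[0] if copies else "missing"
    return results


def demo(app_root="etc/slave-apps", create_file=True):
    """Simulate a $SPLUNK_HOME where the TA was installed under `app_root`
    (default: a cluster peer that received it from the cluster master)."""
    with tempfile.TemporaryDirectory() as home:
        if create_file:
            ta_dir = os.path.join(home, app_root, "Splunk_TA_cisco-ise", "default")
            os.makedirs(ta_dir)
            open(os.path.join(ta_dir, "datetime_udp.xml"), "w").close()
        return check_props(SAMPLE_PROPS, home)


if __name__ == "__main__":
    for stanza, status in demo().items():
        print(f"{stanza}: {status}")
```

Run it with `python3 check_datetime_config.py` (any filename works); to check a real host, call `check_props` with the contents of the TA's default/props.conf (and local/props.conf, which overrides it) and the real $SPLUNK_HOME. A "wrong-root" result is the clustering case from the thread: the file shipped with the app, but the hard-coded path points at a root the peer does not use, so the fix is on the path, not on the file.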
