02-15-2016 11:14 PM
Hi experts,
Does the syslog event of a posture check (e.g. failed) include the "IP address"
of the end device? I could find only "MAC address" and "username" to
identify the device.
Our customer would like to identify the devices which failed the posture
check from "SYSLOG".
And also,
it would be very helpful if you could give us failure and success syslog samples.
Best regards,
Nobu
02-16-2016 07:28 PM
I do see ipAddress in the posture lines.
We do not have a syslog server in our ISE lab so I got the data from the local store. The first line is compliant and the second is non-compliant.
2016-02-17 03:05:01.342 +00:00 0000018643 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=107, RequestTime=1455678301338, ResponseTime=1455678301341, MacAddress=00-50-56-BD-F7-C3, OperatingSystem=Windows 7 Professional 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.2.01037, AntiVirusInstalled=ClamWin Free Antivirus\;0.98.4.1\;\;00/00/0\;, AntiSpywareInstalled=Windows Defender\;6.1.7600.16385\;1.187.2137.0\;11/13/2014\;, PostureReport=Employee WinALL\;Passed\;(Any_AV_Definition_Win:Audit:Failed:Passed_Conditions[]:Failed_Conditions[av_def_ANY]:Skipped_Conditions[]\;Any_AV_Installation_Win:Audit:Passed:Passed_Conditions[av_inst_ANY_vendor]:Failed_Conditions[]:Skipped_Conditions[]), PostureStatus=Compliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=employee1, SessionId=0A01640100000FBF4E5EECDE, UserAgreementStatus=NotEnabled, SystemName=W7PC-CORP, SystemDomain=demo.local, SystemUser=employee1, SystemUserDomain=DEMO, IpAddress=10.1.50.201,
2016-02-17 03:17:45.841 +00:00 0000018973 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=107, RequestTime=1455679065829, ResponseTime=1455679065841, MacAddress=00-50-56-BD-F7-C3, OperatingSystem=Windows 7 Professional 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.2.01037, AntiVirusInstalled=ClamWin Free Antivirus\;0.98.4.1\;\;00/00/0\;, AntiSpywareInstalled=Windows Defender\;6.1.7600.16385\;1.187.2137.0\;11/13/2014\;, PostureReport=Employee Win7\;Failed\;(Any_AV_Definition_Win:Audit:Failed:Passed_Conditions[]:Failed_Conditions[av_def_ANY]:Skipped_Conditions[]\;Any_AV_Installation_Win:Mandatory:Passed:Passed_Conditions[av_inst_ANY_vendor]:Failed_Conditions[]:Skipped_Conditions[]\;Windows_7_BitLocker_10x:Mandatory:Failed:Passed_Conditions[]:Failed_Conditions[hd_inst_BitLockerDriveEncryption_10_x]:Skipped_Conditions[hd_loc_BitLocker_10x_FullEncrypted_system_1]), PostureStatus=NonCompliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=employee1, SessionId=0A01640100000FBF4E5EECDE, UserAgreementStatus=NotEnabled, SystemName=W7PC-CORP, SystemDomain=demo.local, SystemUser=employee1, SystemUserDomain=DEMO, IpAddress=10.1.50.201,
From our old wiki, I found a syslog sample from an earlier ISE release:
(line 1) Aug 6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=94, AntiVirusInstalled=McAfee VirusScan Enterprise\;8.8.0.777\;6789\;07/31/2012\;McAfeeAV, IpAddress=Y.Y.Y.Y, MacAddress=00-24-7E-6A-E1-AD, OperatingSystem=Windows XP Pro/Home 32-bit, PRAAction=N/A, PRAEnforcementFlag=false, PRAGraceTime=0, PRAInterval=0, PostureAgentVersion=Cisco NAC Agent for Windows 4.9.0.37,
(line 2) Aug 6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 1 PostureReport=Policy_PC_Dominio_XP\;Failed\;(WiresharPortable:Audit:Passed:Passed_Conditions[custom_wireshark_portable]:Failed_Conditions[]:Skipped_Conditions[]\;Nmap:Mandatory:Passed:Passed_Conditions[custom_Nmap]:Failed_Conditions[]:Skipped_Conditions[]\;ADUsers_McAfee_def_req:Mandatory:Failed:Passed_Conditions[av_inst_McAfeeVirusScanEnterprise_8_x]:Failed_Conditions[av_defn_McAfeeVirusScanEnterprise_8_x]:Skipped_Conditions[]\;Emule:Mandatory:Passed:Passed_Conditions[custom_emule]:Failed_Conditions[]:Skipped_Conditions[]\;Burp:Mandatory:Passed:Passed_Conditions[custom_burp]:Failed_Conditions[]:Skipped_Conditions[]\;Flash_XP:Audit:Passed:Passed_Conditions[custom_flash_xp]:Failed_Conditions[]:Skipped_Conditions[]\;ADUsers_McAfee_inst_req:Mandatory:Passed:Passed_Conditions[av_inst_McAfeeVirusScanEnterprise_8_x]:Failed_Conditions[]:Skipped_Conditions[]\;Torrent:Audit:Failed:Passed_Conditions[]:Failed_Conditions[cu
(line 3) Aug 6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 2 stom_torrent_running]:Skipped_Conditions[]\;Acrobat Reader:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_acrobat_reader]:Skipped_Conditions[]\;Winpcap:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_winpcap]:Skipped_Conditions[]\;Wireshark:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_wireshark]:Skipped_Conditions[]\;ADUsers_Safend:Mandatory:Passed:Passed_Conditions[custom_safend:custom_safend_running]:Failed_Conditions[]:Skipped_Conditions[]\;Windows_Update:Mandatory:Passed:Passed_Conditions[pc_AutoUpdateCheck]:Failed_Conditions[]:Skipped_Conditions[]\;Cain:Mandatory:Passed:Passed_Conditions[custom_cain]:Failed_Conditions[]:Skipped_Conditions[]), PostureStatus=NonCompliant, RequestTime=1344241501142, ResponseTime=1344241501177, SessionId=0A205012000000C417CA69D7, SystemDomain=domain, SystemName=pc, SystemUser=user, SystemUserDomain=domain,
(line 4) Aug 6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 3 UserAgreementStatus=NotEnabled, UserName=domain\\user,
HTH
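As an added example (not code from the thread or from Cisco), the following Python parser reassembles segmented CISE_Posture_and_Client_Provisioning_Audit syslog lines by their sequence and fragment index, splits the key=value fields, and reports the IpAddress, MacAddress, UserName and failed Mandatory requirements of every NonCompliant posture report. The sample lines are constructed and the field layout is assumed to match the samples quoted above.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread), modelled on the segmented format quoted above:
# "<seq> <total> <index>" follows the category name. Addresses are documentation ranges.
# The last event has only one fragment and shows an Audit failure that stays Compliant.
SAMPLE = [
    r"Aug 6 10:25:01 HOST/192.0.2.10 CISE_Posture_and_Client_Provisioning_Audit 0000062241 3 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=94, IpAddress=198.51.100.23, MacAddress=00-24-7E-6A-E1-AD,",
    r"Aug 6 10:25:01 HOST/192.0.2.10 CISE_Posture_and_Client_Provisioning_Audit 0000062241 3 1 PostureReport=Policy_XP\;Failed\;(Nmap:Mandatory:Passed:Passed_Conditions[custom_Nmap]:Failed_Conditions[]:Skipped_Conditions[]\;AV_def:Mandatory:Failed:Passed_Conditions[]:Failed_Conditions[av_defn_x]:Skipped_Conditions[]\;Acrobat Reader:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_acrobat]:Skipped_Conditions[]), PostureStatus=NonCompliant,",
    r"Aug 6 10:25:01 HOST/192.0.2.10 CISE_Posture_and_Client_Provisioning_Audit 0000062241 3 2 UserAgreementStatus=NotEnabled, UserName=domain\\user,",
    r"Aug 6 10:26:11 HOST/192.0.2.10 CISE_Posture_and_Client_Provisioning_Audit 0000062242 1 0 2012-08-06 10:26:11.004 +01:00 0005085662 87000 NOTICE Posture: Received a posture report from an endpoint, IpAddress=198.51.100.24, MacAddress=00-24-7E-6A-E1-AE, PostureReport=Policy_XP\;Passed\;(AV_def:Audit:Failed:Passed_Conditions[]:Failed_Conditions[av_defn_x]:Skipped_Conditions[]), PostureStatus=Compliant, UserName=domain\\other,",
]
FRAG = re.compile(r"CISE_Posture_and_Client_Provisioning_Audit (\d+) (\d+) (\d+) (.*)$")
REQ = re.compile(r"^(?P<name>[^:]+):(?P<type>[^:]+):(?P<result>[^:]+):Passed_Conditions\[(?P<passed>[^\]]*)\]"
                 r":Failed_Conditions\[(?P<failed>[^\]]*)\]:Skipped_Conditions\[(?P<skipped>[^\]]*)\]$")

def reassemble(lines):
    """Group fragments by sequence number and join them in index order; drop incomplete events."""
    parts = defaultdict(dict)
    for line in lines:
        m = FRAG.search(line)
        if m:
            seq, total, idx, body = m.groups()
            parts[seq][int(idx)] = (int(total), body)
    for frags in parts.values():
        total = next(iter(frags.values()))[0]
        if all(i in frags for i in range(total)):
            yield " ".join(frags[i][1] for i in range(total))

def parse_fields(message):
    """Split on unescaped ', ' and keep key=value pairs; ISE escapes ';' inside values with a backslash."""
    pairs = (tok.split("=", 1) for tok in re.split(r"(?<!\\), ", message) if "=" in tok)
    return {k: v.rstrip(",") for k, v in pairs}

def parse_posture_report(report):
    r"""'Policy\;Status\;(req\;req...)' -> (policy, status, [requirement dicts])."""
    policy, status, reqs = report.split(r"\;", 2)
    matches = [REQ.match(e) for e in reqs.strip("()").split(r"\;")]
    return policy, status, [m.groupdict() for m in matches if m]

def noncompliant_endpoints(lines):
    """IP, MAC, user and the failed Mandatory requirements for every NonCompliant report."""
    hits = []
    for f in (parse_fields(m) for m in reassemble(lines)):
        if f.get("PostureStatus") == "NonCompliant":
            _, _, reqs = parse_posture_report(f.get("PostureReport", r"\;\;()"))
            failed = [r["name"] for r in reqs if r["type"] == "Mandatory" and r["result"] == "Failed"]
            hits.append({"ip": f.get("IpAddress"), "mac": f.get("MacAddress"),
                         "user": f.get("UserName", "").replace("\\\\", "\\"), "failed_mandatory": failed})
    return hits
```

Note that only Mandatory failures are reported: as in the first sample above, an Audit requirement can fail while PostureStatus stays Compliant.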
02-16-2016 09:38 PM
Thank you so much for your quick help!
It's very helpful for us.
Many thanks!
Nobu