Syslog information about "Posture Event" of ISE

notakaha
Cisco Employee

Hi experts,

Does the syslog event of a posture check (e.g. failed) include the "IP address" of the end device? I could find only "MAC address" and "username" to identify the device.

Our customer would like to identify the devices that failed the posture check from "SYSLOG".

Also, it would be very helpful if you could give us failure and success syslog samples.

Best regards,

Nobu

Accepted Solution

hslai
Cisco Employee

I do see ipAddress in the posture lines.

We do not have a syslog server in our ISE lab so I got the data from the local store. The first line is compliant and the second is non-compliant.

2016-02-17 03:05:01.342 +00:00 0000018643 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=107, RequestTime=1455678301338, ResponseTime=1455678301341, MacAddress=00-50-56-BD-F7-C3, OperatingSystem=Windows 7 Professional 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.2.01037, AntiVirusInstalled=ClamWin Free Antivirus\;0.98.4.1\;\;00/00/0\;, AntiSpywareInstalled=Windows Defender\;6.1.7600.16385\;1.187.2137.0\;11/13/2014\;, PostureReport=Employee WinALL\;Passed\;(Any_AV_Definition_Win:Audit:Failed:Passed_Conditions[]:Failed_Conditions[av_def_ANY]:Skipped_Conditions[]\;Any_AV_Installation_Win:Audit:Passed:Passed_Conditions[av_inst_ANY_vendor]:Failed_Conditions[]:Skipped_Conditions[]), PostureStatus=Compliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=employee1, SessionId=0A01640100000FBF4E5EECDE, UserAgreementStatus=NotEnabled, SystemName=W7PC-CORP, SystemDomain=demo.local, SystemUser=employee1, SystemUserDomain=DEMO, IpAddress=10.1.50.201,

2016-02-17 03:17:45.841 +00:00 0000018973 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=107, RequestTime=1455679065829, ResponseTime=1455679065841, MacAddress=00-50-56-BD-F7-C3, OperatingSystem=Windows 7 Professional 64-bit, PostureAgentVersion=AnyConnect Posture Agent for Windows 4.2.01037, AntiVirusInstalled=ClamWin Free Antivirus\;0.98.4.1\;\;00/00/0\;, AntiSpywareInstalled=Windows Defender\;6.1.7600.16385\;1.187.2137.0\;11/13/2014\;, PostureReport=Employee Win7\;Failed\;(Any_AV_Definition_Win:Audit:Failed:Passed_Conditions[]:Failed_Conditions[av_def_ANY]:Skipped_Conditions[]\;Any_AV_Installation_Win:Mandatory:Passed:Passed_Conditions[av_inst_ANY_vendor]:Failed_Conditions[]:Skipped_Conditions[]\;Windows_7_BitLocker_10x:Mandatory:Failed:Passed_Conditions[]:Failed_Conditions[hd_inst_BitLockerDriveEncryption_10_x]:Skipped_Conditions[hd_loc_BitLocker_10x_FullEncrypted_system_1]), PostureStatus=NonCompliant, PRAEnforcementFlag=false, PRAInterval=0, PRAGraceTime=0, PRAAction=N/A, UserName=employee1, SessionId=0A01640100000FBF4E5EECDE, UserAgreementStatus=NotEnabled, SystemName=W7PC-CORP, SystemDomain=demo.local, SystemUser=employee1, SystemUserDomain=DEMO, IpAddress=10.1.50.201,

From our old wiki, I found a syslog sample from an earlier ISE release:

(line 1) Aug  6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: Received a posture report from an endpoint, ConfigVersionId=94, AntiVirusInstalled=McAfee VirusScan Enterprise\;8.8.0.777\;6789\;07/31/2012\;McAfeeAV, IpAddress=Y.Y.Y.Y, MacAddress=00-24-7E-6A-E1-AD, OperatingSystem=Windows XP Pro/Home 32-bit, PRAAction=N/A, PRAEnforcementFlag=false, PRAGraceTime=0, PRAInterval=0, PostureAgentVersion=Cisco NAC Agent for Windows 4.9.0.37,

(line 2) Aug  6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 1 PostureReport=Policy_PC_Dominio_XP\;Failed\;(WiresharPortable:Audit:Passed:Passed_Conditions[custom_wireshark_portable]:Failed_Conditions[]:Skipped_Conditions[]\;Nmap:Mandatory:Passed:Passed_Conditions[custom_Nmap]:Failed_Conditions[]:Skipped_Conditions[]\;ADUsers_McAfee_def_req:Mandatory:Failed:Passed_Conditions[av_inst_McAfeeVirusScanEnterprise_8_x]:Failed_Conditions[av_defn_McAfeeVirusScanEnterprise_8_x]:Skipped_Conditions[]\;Emule:Mandatory:Passed:Passed_Conditions[custom_emule]:Failed_Conditions[]:Skipped_Conditions[]\;Burp:Mandatory:Passed:Passed_Conditions[custom_burp]:Failed_Conditions[]:Skipped_Conditions[]\;Flash_XP:Audit:Passed:Passed_Conditions[custom_flash_xp]:Failed_Conditions[]:Skipped_Conditions[]\;ADUsers_McAfee_inst_req:Mandatory:Passed:Passed_Conditions[av_inst_McAfeeVirusScanEnterprise_8_x]:Failed_Conditions[]:Skipped_Conditions[]\;Torrent:Audit:Failed:Passed_Conditions[]:Failed_Conditions[cu

(line 3) Aug  6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 2 stom_torrent_running]:Skipped_Conditions[]\;Acrobat Reader:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_acrobat_reader]:Skipped_Conditions[]\;Winpcap:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_winpcap]:Skipped_Conditions[]\;Wireshark:Audit:Failed:Passed_Conditions[]:Failed_Conditions[custom_wireshark]:Skipped_Conditions[]\;ADUsers_Safend:Mandatory:Passed:Passed_Conditions[custom_safend:custom_safend_running]:Failed_Conditions[]:Skipped_Conditions[]\;Windows_Update:Mandatory:Passed:Passed_Conditions[pc_AutoUpdateCheck]:Failed_Conditions[]:Skipped_Conditions[]\;Cain:Mandatory:Passed:Passed_Conditions[custom_cain]:Failed_Conditions[]:Skipped_Conditions[]), PostureStatus=NonCompliant, RequestTime=1344241501142, ResponseTime=1344241501177, SessionId=0A205012000000C417CA69D7, SystemDomain=domain, SystemName=pc, SystemUser=user, SystemUserDomain=domain,

(line 4) Aug  6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 3 UserAgreementStatus=NotEnabled, UserName=domain\\user,

HTH

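Pulling the fields the question asks about out of records like these, as an added example that is not from the thread or from ISE: the parser below reassembles the segmented syslog form shown above (it reads the three numbers after the category as message id, segment total and segment index, an assumption consistent with the sample), splits the `Key=Value,` body, and unpacks PostureReport so that non-compliant endpoints can be listed with IpAddress, MacAddress, UserName and the mandatory requirements that failed. The sample lines are constructed.

```python
import re
# Constructed sample in the segmented form shown above: message 0000062241 spans three segments and its PostureReport is cut mid-token.
HDR = "Aug  6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit "
SAMPLE = [
    HDR + "0000062241 3 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: Received a posture "
          "report from an endpoint, ConfigVersionId=94, IpAddress=192.0.2.10, MacAddress=00-24-7E-6A-E1-AD, ",
    HDR + "0000062241 3 1 PostureReport=Policy_XP\\;Failed\\;(AV_def:Mandatory:Failed:Passed_Conditions[]:"
          "Failed_Conditions[av_defn_x]:Skipped_Conditions[]\\;Torrent:Audit:Failed:Passed_Conditions[]:Failed_Conditions[cu",
    HDR + "0000062241 3 2 stom_torrent]:Skipped_Conditions[]), PostureStatus=NonCompliant, UserName=domain\\\\user,",
    HDR + "0000062242 1 0 2012-08-06 10:26:12.004 +01:00 0005085662 87000 NOTICE Posture: Received a posture "
          "report from an endpoint, IpAddress=192.0.2.11, MacAddress=00-24-7E-6A-E1-AE, PostureReport=Policy_XP"
          "\\;Passed\\;(AV_def:Mandatory:Passed:Passed_Conditions[av_inst_x:av_defn_x]:Failed_Conditions[]:"
          "Skipped_Conditions[]), PostureStatus=Compliant, UserName=domain\\\\other,",
]
# Assumed header layout, consistent with the sample: '<category> <message id> <segment total> <segment index> <body>'.
SEG = re.compile(r'^\w{3}\s+\d+ [\d:]+ \S+ (CISE_\w+) (\d+) (\d+) (\d+) (.*)$')
REQ = re.compile(r'^(.+?):(\w+):(\w+):Passed_Conditions\[(.*?)\]:Failed_Conditions\[(.*?)\]:Skipped_Conditions\[(.*?)\]$')

def reassemble(lines):
    """Join the segments of each (category, message id) in index order; as the sample shows, no separator is added."""
    parts = {}
    for m in filter(None, map(SEG.match, lines)):
        parts.setdefault((m[1], m[2]), {})[int(m[4])] = m[5]
    return [''.join(v[i] for i in sorted(v)) for v in parts.values()]

def parse_fields(body):
    """Split the 'Key=Value, Key=Value,' tail into a dict; values keep their '\\;' escapes."""
    tail = body.partition(',')[2].strip().rstrip(',')  # drop the '... NOTICE Posture: Received ...' prefix
    return dict(kv.split('=', 1) for kv in re.split(r',\s*(?=\w+=)', tail) if '=' in kv)

def parse_report(report):
    """PostureReport = Policy\\;Status\\;(Req\\;Req...), Req = Name:Enforcement:Result:*_Conditions[a:b]."""
    policy, status, rest = report.split('\\;', 2)
    reqs = [dict(zip(('name', 'enforce', 'result', 'passed', 'failed', 'skipped'), m.groups()))
            for m in filter(None, map(REQ.match, rest.strip('()').split('\\;')))]
    for r in reqs:  # condition lists are ':'-separated inside the brackets and may be empty
        for k in ('passed', 'failed', 'skipped'):
            r[k] = r[k].split(':') if r[k] else []
    return policy, status, reqs

def noncompliant_endpoints(lines):
    """One row per NonCompliant report: the identifiers asked about above plus the mandatory requirements that failed."""
    rows = []
    for f in map(parse_fields, reassemble(lines)):
        if f.get('PostureStatus') == 'NonCompliant':
            policy, _, reqs = parse_report(f.get('PostureReport', '\\;\\;()'))
            rows.append({'ip': f.get('IpAddress'), 'mac': f.get('MacAddress'), 'user': f.get('UserName'),
                         'policy': policy, 'mandatory_failed': [r['name'] for r in reqs
                                           if r['enforce'] == 'Mandatory' and r['result'] == 'Failed']})
    return rows
```

Feed a syslog collector's output for the CISE_Posture_and_Client_Provisioning_Audit category into `noncompliant_endpoints` to get the per-endpoint list the customer wants; the 2016 local-store lines above have no syslog header, so they would go straight to `parse_fields`.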

2 Replies


Thank you so much for your quick help!

It's very helpful for us.

Many thanks!

Nobu