
Timestamps in logs (syslog) being sent by Cisco ISE

emc-dmcnamara
Level 1

Software Version - Cisco ISE 2.1 Patch 1


Greetings.  The Cisco ISE logs are currently only sending Month, Day and Time.  Is it possible to get the Year sent as well?

May 23 13:02:57 server01 CISE_RADIUS_Accounting 0099525047 2 1 Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, CPMSessionID=0aa2011c00069450592432fb, AllowedProtocolMatchedRule=Corp, Network Device Profile=Cisco, Model Name=5508, Software Version=7.6.100.0, Location=Location#All Locations, Device Type=Device Type#All Device Types,


As per the documentation, Year should be indicated but it's not, as I only see Month and Date.

The Cisco documentation states the Msg: field should begin with the YEAR, and not the MONTH field.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_01010.html#reference_CA71B95937DB42338FAF651A1DB07851

pri_num YYYY Mmm DD hh:mm:ss xx:xx:xx:xx/host_name cat_name msg_id total_seg seg_num

Accepted Solutions

hslai
Cisco Employee

The green text in your post is the timestamp of your syslog server.

When a syslog message is segmented into pieces based on the max length setting, we will find the timestamp of the syslog originator in the first piece.

Below is a sample from my ISE 2.2 Patch 1 sending to a rsyslog server:

Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 0 2017-07-12 16:56:09.975 +00:00 0000146702 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=76, Device IP Address=172.23.130.170, DestinationIPAddress=172.23.112.204, DestinationPort=1812, UserName=tt01, Protocol=Radius, RequestLatency=431, NetworkDeviceName=goddard, User-Name=tt01, Service-Type=Framed, Calling-Station-ID=11:22:33:44:55:01, OriginalUserName=tt01, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, AcsSessionID=ISE-HOST-A/288738942/1, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=PermitAccess, Step=11001, Step=11017, Step=11015, Step=11117, Step=15049, Step=15008, Step=15048, Step=15006, Step=15041, Step=15006, Step=22072, Step=15013, Step=24210, Step=24212, Step=22037, Step=24423, Step=15036, Step=15048,

Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 1  Step=15048, Step=15004, Step=15016, Step=22081, Step=22080, Step=11002, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=All_AD_Join_Points, SelectedAuthenticationIdentityStores=Guest Users, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Telnet#Term server, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=Default134c4867-6d05-4aec-9b89-f41c73fa2a72, AuthorizationPolicyMatchedRule=Basic_Authenticated_Access, UserType=User, CPMSessionID=ac1770ccDVIDuVhc2E7iI1WLqOciI8RvGgh5fMZspJJl3cOPqU0, EndPointMACAddress=11-22-33-44-55-01, PostureAssessmentStatus=NotApplicable, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Default, IdentitySelectionMatchedRule=Default, StepData=6= Normalised Radius.RadiusFlowType (4 times), StepData=10=All_User_ID_Stores,

Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 2  StepData=11=Internal Users, StepData=17= EndPoints.LogicalProfile, StepData=18= Network Access.AuthenticationStatus, StepData=19=Basic_Authenticated_Access, allowEasyWiredSession=false, DTLSSupport=Unknown, Telnet=Telnet#Term server, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, EnableFlag=Enabled, Response={State=ReauthSession:ac1770ccDVIDuVhc2E7iI1WLqOciI8RvGgh5fMZspJJl3cOPqU0; class="CACS":ac1770ccDVIDuVhc2E7iI1WLqOciI8RvGgh5fMZspJJl3cOPqU0:ISE-HOST-A/288738942/1; LicenseTypes=1; },

where Jul 12 16:56:09 is the timestamp on the syslog server itself and line 1 has 2017-07-12 from ISE. In order for it to display the year, we would need to reconfigure the syslog itself to do that. For example, my rsyslog seems to need to be patched or upgraded, per rsyslog - Add year to entries generated by rsyslogd - Unix & Linux Stack Exchange
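The segmentation described in the answer above can be handled on the collector side. The following is an added example, not part of the original post or Cisco's code: it groups segments by host, category and `msg_id`, reorders them by `seg_num`, and reads the year-bearing originator timestamp from segment 0. The function name `reassemble` and the shortened `SAMPLE` lines are constructed for illustration, modeled on the log lines in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Relay header seen in the thread: "Mmm DD hh:mm:ss host cat_name msg_id total_seg seg_num payload"
HEADER = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<cat>CISE_\S+) "
    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<seg>\d+)\s+(?P<payload>.*)$")
# Originator timestamp, present only at the start of segment 0
ORIGIN_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}")

# Constructed sample: three out-of-order segments of one message, plus a lone
# segment 1 whose segment 0 never arrived (as in the original question).
SAMPLE = [
    "Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 1  Step=15048, Step=15004,",
    "Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 0 "
    "2017-07-12 16:56:09.975 +00:00 0000146702 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=tt01,",
    "Jul 12 16:56:09 ISE-HOST-A CISE_Passed_Authentications 0000000001 3 2  StepData=11=Internal Users,",
    "May 23 13:02:57 server01 CISE_RADIUS_Accounting 0099525047 2 1 Step=11017, Step=15049,",
]

def reassemble(lines):
    """Rebuild ISE messages from segments; origin_time is None if segment 0 is missing."""
    segments, totals = defaultdict(dict), {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not an ISE segment line
        key = (m["host"], m["cat"], m["msg_id"])
        segments[key][int(m["seg"])] = m["payload"].strip()
        totals[key] = int(m["total"])
    messages = []
    for key, segs in segments.items():
        ts = ORIGIN_TS.match(segs.get(0, ""))
        messages.append({
            "host": key[0], "category": key[1], "msg_id": key[2],
            # All segments 0..total-1 received?
            "complete": set(segs) == set(range(totals[key])),
            "origin_time": datetime.strptime(ts.group(0), "%Y-%m-%d %H:%M:%S.%f %z") if ts else None,
            "body": " ".join(segs[i] for i in sorted(segs)),
        })
    return messages

if __name__ == "__main__":
    for msg in reassemble(SAMPLE):
        print(msg["msg_id"], msg["complete"], msg["origin_time"])
```

Messages reported with `complete` set to false and no `origin_time` are the ones to investigate for dropped segments before relying on them for timeline reconstruction.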
