Syslog templates

wmccarty
Level 1

I was looking at the syslog template for Infoblox and noticed there is no user data field for the "hostname".

Can this be added? The hostname in the DHCP log has proven very useful for us in the past in tracking down users, and I would love to see this populated into Stealthwatch.

wendell

Accepted Solution

Aaron Woland
Cisco Employee

I'm very interested in your request, and would love it if you could elaborate more.

In the meantime, let me outline what our goals were/are in the ISE 2.2 release: I believe you already understand the goal is to share identities from ISE (passive or active), and passive identities only with ISE-PIC. That means the username and IP address are the key items to share, but also reaching into the ID source and grabbing other important attributes like UPN, group membership, GUID, etc.

Syslog sources are there to provide those username and IP mappings. IP address management (IPAM) syslogs are a little special. We use the IPAM syslogs to learn MAC addresses for L2/L3 binding. We also use them to ensure fidelity of the information in the session directory: if a DHCP lease has expired, clean up the session; if the IP address is assigned to a new host, clean up the session; etc.

The only information from a syslog that gets merged into the pxGrid topic that Stealthwatch is consuming is the username, MAC address and IP address. Hostname was never one of the items identified for passive ID sharing, unless that was the credential used (i.e., machine auth), in which case we will be sending a flag "WasMachineAuthenticated" to show that it is a machine's (a computer's) credential. The BETA version does not include that yet; it is still to be released, but will ship before FCS.

Sharing contextual information like 'hostname' is something we do share with full ISE, i.e., Plus licensing with profiling, etc. That's because it would fall under a heading of "context", and not passive identity. However, I'm not sure yet which fields are consumed by SW exactly, and I will check on that. With that said, here's another caveat: we aren't consuming hostname from syslogs; we consume it via DHCP SPAN, DNS probe, even the Active Directory probe.

Looking forward to learning more about your use case.

-Aaron


6 Replies

Timothy Abbott
Cisco Employee

Hi Wendell,

Thanks for the feedback. Could you explain how you used the hostname information previously? What I mean is, did you log into Infoblox to get that information when you wanted to track down users?

Regards,

-Tim

wmccarty
Level 1

On a lot of Windows systems the local firewall is enabled, so you cannot query the hostname directly over the network.

However, even though it is firewalled, it still provides the hostname to the DHCP server, and it is logged in the DHCP messages.

I would like to see the machine name taken from the DHCP logs and put into the "Client Host Name" field that is already in the Stealthwatch flow record.

A lot of our departments name the machines so they can easily be tracked; some of them put the property or service tag number as part of the name.

Some examples:

<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 10.21.170.5 to 10:a5:d0:e1:90:b4 (android-4f02c10f579a521b) via eth1 relay 10.20.148.16 lease-duration 3600 (RENEW)

<30>Nov 7 07:44:45 128.163.37.116 dhcpd[3320]: DHCPACK on 10.21.200.194 to b8:44:d9:28:97:0e (peters-iPhone) via eth1 relay 10.21.200.7 lease-duration 3600 (RENEW)

<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 172.22.121.1 to 38:59:f9:81:3a:96 (EDPVA00401L11) via eth1 relay 172.22.120.5 lease-duration 3600 (RENEW)

<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 172.25.41.90 to f8:ca:b8:4b:59:b8 (FA-HRADM-L026) via eth1 relay 172.25.226.2 lease-duration 691199 (RENEW)

<30>Nov 7 07:44:46 128.163.37.116 dhcpd[3320]: DHCPACK on 10.21.184.198 to e8:b2:ac:29:4b:c1 (TPVHITFSN024275) via eth1 relay 10.21.184.8 lease-duration 3600 (RENEW)
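Added example, not part of any post in this thread and not Cisco ISE, Stealthwatch or Infoblox code: a Python parser for the DHCPACK lines posted above, feeding a small IP-to-MAC binding table that applies the two cleanup rules Aaron describes for IPAM syslogs (drop a binding when its lease expires, replace it when the IP is handed to a different MAC). The first five sample lines are the ones from the post (the one that was split in the post is re-joined); the last two lines, the year used for the year-less syslog timestamps, the 3600-second fallback lease and the hostname character whitelist are my assumptions. The parenthesised name is DHCP option 12, sent by the client, so the parser treats it as an untrusted attribution hint rather than an identity and drops it when it does not look like a hostname.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Lines 1-5: copied from the post above (split line re-joined).
# Lines 6-7: constructed for this example - a client that sent no option-12
# hostname, and 10.21.170.5 later being issued to a different MAC.
SAMPLE_LOG = """\
<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 10.21.170.5 to 10:a5:d0:e1:90:b4 (android-4f02c10f579a521b) via eth1 relay 10.20.148.16 lease-duration 3600 (RENEW)
<30>Nov 7 07:44:45 128.163.37.116 dhcpd[3320]: DHCPACK on 10.21.200.194 to b8:44:d9:28:97:0e (peters-iPhone) via eth1 relay 10.21.200.7 lease-duration 3600 (RENEW)
<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 172.22.121.1 to 38:59:f9:81:3a:96 (EDPVA00401L11) via eth1 relay 172.22.120.5 lease-duration 3600 (RENEW)
<30>Nov 7 07:44:45 128.163.111.8 dhcpd[26220]: DHCPACK on 172.25.41.90 to f8:ca:b8:4b:59:b8 (FA-HRADM-L026) via eth1 relay 172.25.226.2 lease-duration 691199 (RENEW)
<30>Nov 7 07:44:46 128.163.37.116 dhcpd[3320]: DHCPACK on 10.21.184.198 to e8:b2:ac:29:4b:c1 (TPVHITFSN024275) via eth1 relay 10.21.184.8 lease-duration 3600 (RENEW)
<30>Nov 7 07:44:50 128.163.37.116 dhcpd[3320]: DHCPACK on 10.21.184.199 to 00:11:22:33:44:55 via eth1 relay 10.21.184.8 lease-duration 3600
<30>Nov 7 07:50:00 128.163.111.8 dhcpd[26220]: DHCPACK on 10.21.170.5 to aa:bb:cc:dd:ee:ff (android-replacement) via eth1 relay 10.20.148.16 lease-duration 3600 (INIT-REBOOT)
"""

DHCPACK_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                   # syslog PRI, optional
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<server>\S+) dhcpd\[\d+\]: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))?"                     # option 12, client-chosen
    r" via (?P<iface>\S+)"
    r"(?: relay (?P<relay>\S+))?"
    r"(?: lease-duration (?P<lease>\d+))?"
    r"(?: \((?P<state>[A-Z-]+)\))?\s*$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DEFAULT_LEASE_SECONDS = 3600   # assumption for lines with no lease-duration
SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9._-]{1,63}$")   # assumed whitelist


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]   # None when absent or rejected as unsafe
    relay: Optional[str]
    acked: datetime
    expires: datetime


def parse_timestamp(ts: str, year: int) -> datetime:
    """BSD syslog stamps ('Nov 7 07:44:45') carry no year; caller supplies it."""
    mon, day, clock = ts.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(year, MONTHS[mon], int(day), hh, mm, ss)


def sanitize_hostname(raw: Optional[str]) -> Optional[str]:
    """Keep option 12 only if it looks like a hostname, so junk or injected
    text never lands in a downstream field as if it were a trusted value."""
    if raw is not None and SAFE_HOSTNAME.match(raw):
        return raw
    return None


def parse_dhcpack(line: str, year: int) -> Optional[Lease]:
    """Return a Lease for a DHCPACK line, None for any other line."""
    m = DHCPACK_RE.match(line)
    if not m:
        return None
    acked = parse_timestamp(f"{m['mon']} {m['day']} {m['time']}", year)
    secs = int(m["lease"]) if m["lease"] else DEFAULT_LEASE_SECONDS
    return Lease(ip=m["ip"], mac=m["mac"].lower(),
                 hostname=sanitize_hostname(m["hostname"]), relay=m["relay"],
                 acked=acked, expires=acked + timedelta(seconds=secs))


class SessionDirectory:
    """IP -> current lease.  Expired leases are dropped; an IP re-issued to a
    different MAC replaces the stale binding.  Both are logged in .events."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Lease] = {}
        self.events: List[str] = []

    def ingest(self, lease: Lease) -> None:
        old = self.by_ip.get(lease.ip)
        if old is not None and old.mac != lease.mac:
            self.events.append(f"reassigned {lease.ip}: {old.mac} -> {lease.mac}")
        self.by_ip[lease.ip] = lease

    def expire(self, now: datetime) -> List[str]:
        """Drop every binding whose lease has ended; return the IPs dropped."""
        gone = [ip for ip, lse in self.by_ip.items() if lse.expires <= now]
        for ip in gone:
            self.events.append(f"expired {ip}: {self.by_ip.pop(ip).mac}")
        return gone

    def lookup(self, ip: str) -> Optional[Lease]:
        return self.by_ip.get(ip)


def parse_log(text: str, year: int) -> SessionDirectory:
    """Feed every DHCPACK line of a syslog export into a fresh directory."""
    d = SessionDirectory()
    for line in text.splitlines():
        lease = parse_dhcpack(line, year)
        if lease is not None:
            d.ingest(lease)
    return d


if __name__ == "__main__":
    d = parse_log(SAMPLE_LOG, year=2016)   # year is an assumption
    for ip, lse in sorted(d.by_ip.items()):
        print(f"{ip:15} {lse.mac} {lse.hostname or '-':26} expires {lse.expires:%H:%M:%S}")
    print("cleanup events:", d.events)
```

Running it prints one row per IP with the MAC, the (possibly absent) hostname and the lease end, then the single reassignment event; calling `expire()` with a later timestamp removes the one-hour leases and leaves the 691199-second one. The relay address is kept because it tells you which subnet the client was on when the hostname was seen, which is what you want when chasing a name down to a building.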



This is really helpful, thanks.

We get the hostname without needing to parse the syslog. We get it via profiling. chyps & kegagnon: Wendell brings up a good point about possibly leveraging the syslog to aid with that profiling attribute.

Wendell: You can get that field over to Stealthwatch via pxGrid with full ISE, and I will check with the PMs/POs on SW's ability to consume that field as you've requested and reply back here with the answer I get.

-Aaron

Thanks.

FYI, we are not set up to do SPAN of DHCP traffic, and not all our users use AD, so DHCP syslog would be the only way we can get their hostnames if they are not using AD.

wendell

Hey Wendell,

For ISE, this ends up boiling down to a profiling design question. We use IP helpers to get DHCP traffic to ISE probes, for example, or even Device Sensor on the Cisco switch / WLC.

There are lots of ways to get the data to ISE. SPAN is just one of them.

Aaron
