ISE-PIC has several predefined syslog templates for popular network services that are commonly used in enterprise networks. If your network service isn't listed as one of the predefined templates and you would like to use it for identity information, you can create your own syslog header parser and template. All you will need is an example syslog message from the provider. In this example, I will use the following syslog example to create a custom header and template:
<181>May 19 15:14:08 sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong
Create a new syslog provider
To begin, navigate to Providers -> Syslog Providers:
Before we can add our new syslog provider, we have to create a custom header. This custom header will tell ISE-PIC that this particular syslog header format contain information in the body of the syslog message that we want to use for identity information. Without it, ISE-PIC will drop the message and it will never make to the parser. To create a customer header click the "Customer Header" button:
Paste the example syslog message that you collected from the network service you want to use and paste it into the window:
At this point we need to correctly identify the hostname of the network service that is sending the syslog message to ISE-PIC. To do that, we have to indicate the separator and the postition of the hostname in the message. In my example it is 5 positions into the message and each position is separated by a space. Once you have the separator and position properly configured, ISE-PIC will show the correct hostname. Click submit once finished:
We can now proceed with configuring our provider. Click the "Add" icon to continue:
Next fill out all the fields with the appropriate information. Before clicking "Submit," we need to create a custom parser for the body of the syslog message that will allow us to extract the identity information we want. To begin, click "New"
In my example syslog message, there are three pieces of information I want to extract: The username, IP and MAC address. The template can help us do that just like it did with the customer header. Paste your example line of syslog into the box and fill out the required fields. We have to tell ISE-PIC what kind of mapping operation this template will be. To identify the message as a new mapping, enter the identifier (auth: in this example) in the "New Mapping" field. Next, we need to fill out the user data information so ISE-PIC can identify the IP, username and MAC address. These identifiers tell the parser the data we want immediately follows. Lastly, we use some regex to extract the data. If you've configured the template correctly, the parser will correctly extract the identity information you are interested in. Be sure to click save once finished.
Here is the regex I used:
IP and MAC: ([A-F0-9a-f:.]+)
We now have our new syslog provider configured and can click "Submit."
ISE-PIC must be able to resolve the host FQDN of the syslog provider. If it can't, you won't be able to save the new provider:
At this point, ISE-PIC is ready to accept syslog messages and extract the identity information. You can verify syslog messages are being correctly parsed by taking a look at the Live Sessions.
Hi, I recieved a question from a customer to transfer AnyConnect licenses to a new FTD 2130 firewall. I found documentation, the ordering guide, that one can´t transfer AnyConnect VPN only licenses. But what about AnyConnect plus and APEX? ...
Hi All, I've searched but to no avail. A client has requested the ability for staff to be notified of a DLP alert on outgoing emails, hold the email and then allow the sender to review and release the email (outgoing). Is this possible and If so how?...
Couldn't find this anywhere, so made it myself, its a group that excludes all RFC1918 addressing and contains all other IPv4 addresses. It includes RFC3330 but I don't think that will concern most people. object-group network INTERNETnetwork-ob...