
Creating Custom Syslog Templates in ISE-PIC


ISE-PIC has several predefined syslog templates for popular network services that are commonly used in enterprise networks.  If your network service isn't listed as one of the predefined templates and you would like to use it as a source of identity information, you can create your own syslog header parser and template.  All you need is an example syslog message from the provider.  In this example, I will use the following syslog message to create a custom header and template:

<181>May 19 15:14:08 sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong

Create a new syslog provider

To begin, navigate to Providers -> Syslog Providers:

Before we can add our new syslog provider, we have to create a custom header.  This custom header tells ISE-PIC that messages with this particular syslog header format contain information in the body that we want to use for identity information.  Without it, ISE-PIC will drop the message and it will never make it to the parser.  To create a custom header, click the "Custom Header" button:

Paste the example syslog message that you collected from the network service you want to use into the window:

At this point we need to correctly identify the hostname of the network service that is sending the syslog message to ISE-PIC.  To do that, we have to indicate the separator and the position of the hostname in the message.  In my example it is 5 positions into the message and each position is separated by a space.  Once you have the separator and position properly configured, ISE-PIC will show the correct hostname.  Click "Submit" once finished:

We can now proceed with configuring our provider.  Click the "Add" icon to continue:

Next, fill out all the fields with the appropriate information.  Before clicking "Submit," we need to create a custom parser for the body of the syslog message that will allow us to extract the identity information we want.  To begin, click "New".

In my example syslog message, there are three pieces of information I want to extract: the username, IP and MAC address.  The template can help us do that just like it did with the custom header.  Paste your example line of syslog into the box and fill out the required fields.  We have to tell ISE-PIC what kind of mapping operation this template will be.  To identify the message as a new mapping, enter the identifier ("auth:" in this example) in the "New Mapping" field.  Next, we need to fill out the user data information so ISE-PIC can identify the IP, username and MAC address.  These identifiers tell the parser that the data we want immediately follows them.  Lastly, we use some regex to extract the data.  If you've configured the template correctly, the parser will correctly extract the identity information you are interested in.  Be sure to click "Save" once finished.

Here is the regex I used:

IP and MAC:  ([A-F0-9a-f:.]+)

Username:  ([a-zA-Z0-9\_]+)

We now have our new syslog provider configured and can click "Submit."

ISE-PIC must be able to resolve the host FQDN of the syslog provider.  If it can't, you won't be able to save the new provider:

At this point, ISE-PIC is ready to accept syslog messages and extract the identity information.  You can verify syslog messages are being correctly parsed by taking a look at the Live Sessions.
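To see how the header position, the "New Mapping" identifier and the two regexes above fit together, here is an added Python model of the parsing that this template configures. It is example code written for this article, not ISE-PIC's own parser, and it assumes the PRI field (`<181>`) counts as position 1 so that the hostname lands at position 5 as described above; the second sample line is constructed to show a message that is not a new mapping.

```python
import re

# The article's example message, plus a constructed non-mapping line
# (a "deauth:" event) to show what the parser must ignore.
SAMPLE = ("<181>May 19 15:14:08 sys_server Passed-Authentication 000011 1 0 "
          "2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 "
          "username astrong")
NON_MAPPING = ("<181>May 19 15:20:01 sys_server Passed-Authentication 000012 1 0 "
               "2013-04-01 14:12:00 info ah deauth: mac 1cab:a7e6:cf7f")

# Custom header: space separator, hostname at position 5 (1-based).
# Assumption: the PRI field "<181>" is its own position, which is what
# makes the hostname the 5th token in the article's example.
HEADER_SEPARATOR = " "
HOSTNAME_POSITION = 5

# Custom body template: the "New Mapping" identifier, then for each field
# the identifier that precedes the value and the regex from the article.
NEW_MAPPING_ID = "auth:"
FIELD_PATTERNS = {
    "mac": r"([A-F0-9a-f:.]+)",
    "ip": r"([A-F0-9a-f:.]+)",
    "username": r"([a-zA-Z0-9\_]+)",
}

def parse_hostname(message):
    """Split the header on the separator and return the hostname token."""
    pri = re.match(r"^<\d+>", message)
    if not pri:
        return None
    tokens = [pri.group(0)] + message[pri.end():].split(HEADER_SEPARATOR)
    if len(tokens) < HOSTNAME_POSITION:
        return None
    return tokens[HOSTNAME_POSITION - 1]

def parse_mapping(message):
    """Return {hostname, mac, ip, username} for a new-mapping message,
    or None when the message does not match the template (it is dropped)."""
    hostname = parse_hostname(message)
    if hostname is None:
        return None
    # Require the identifier to be a whole token so "deauth:" is not
    # mistaken for "auth:"; only the body after it is searched.
    start = re.search(r"(?:^|\s)" + re.escape(NEW_MAPPING_ID), message)
    if not start:
        return None
    body = message[start.end():]
    result = {"hostname": hostname}
    for field, pattern in FIELD_PATTERNS.items():
        # identifier, whitespace, then the value captured by the regex
        m = re.search(r"\b" + re.escape(field) + r"\s+" + pattern, body)
        if not m:
            return None  # incomplete mapping: nothing usable for a session
        result[field] = m.group(1)
    return result
```

Because the IP and MAC share one character class, each value is anchored by its own identifier and stops at the next space, which is why the order of the identifiers in the template does not matter here.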

Comments

hi Timothy

Thanks for this useful doc. I want to ask you something about syslog parsing with PIC using 802.1x EAP-FAST auth.

As you know, if we are using EAP-FAST (user+machine) auth in the deployment then the username appears as user+machine, and it sends this user info as is via PxGrid to FMC.

Do you think we can send only the user info to PxGrid subscribers using this syslog parsing method for the logs we receive from the MNT node? Do you have any suggestions?

I encountered the problem below and bug CSCvd73842:

https://community.cisco.com/t5/firepower/fmc-ise-integration-sgt/td-p/3798067

Thanks

Murat