ISE-PIC has several predefined syslog templates for popular network services that are commonly used in enterprise networks. If your network service isn't listed as one of the predefined templates and you would like to use it for identity information, you can create your own syslog header parser and template. All you will need is an example syslog message from the provider. In this example, I will use the following syslog example to create a custom header and template:
<181>May 19 15:14:08 sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong
Create a new syslog provider
To begin, navigate to Providers -> Syslog Providers:
Before we can add our new syslog provider, we have to create a custom header. This custom header tells ISE-PIC that this particular syslog header format contains information in the body of the syslog message that we want to use for identity information. Without it, ISE-PIC will drop the message and it will never make it to the parser. To create a custom header, click the "Custom Header" button:
Paste the example syslog message that you collected from the network service you want to use into the window:
At this point we need to correctly identify the hostname of the network service that is sending the syslog message to ISE-PIC. To do that, we have to indicate the separator and the position of the hostname in the message. In my example it is 5 positions into the message and each position is separated by a space. Once you have the separator and position properly configured, ISE-PIC will show the correct hostname. Click "Submit" once finished:
We can now proceed with configuring our provider. Click the "Add" icon to continue:
Next, fill out all the fields with the appropriate information. Before clicking "Submit," we need to create a custom parser for the body of the syslog message that will allow us to extract the identity information we want. To begin, click "New":
In my example syslog message, there are three pieces of information I want to extract: the username, IP and MAC address. The template can help us do that, just like it did with the custom header. Paste your example line of syslog into the box and fill out the required fields. We have to tell ISE-PIC what kind of mapping operation this template will be. To identify the message as a new mapping, enter the identifier ("auth:" in this example) in the "New Mapping" field. Next, we need to fill out the user data information so ISE-PIC can identify the IP, username and MAC address. These identifiers tell the parser that the data we want immediately follows them. Lastly, we use some regex to extract the data. If you've configured the template correctly, the parser will correctly extract the identity information you are interested in. Be sure to click "Save" once finished.
Here is the regex I used:
IP and MAC: ([A-F0-9a-f:.]+)
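To make the header and template logic above concrete, here is an added Python model of the same two steps; it is example code written for this article, not ISE-PIC's own parser. It assumes that ISE-PIC counts the syslog PRI field ("<181>") as position 1, which is what makes "sys_server" land at position 5 as described above, that the new-mapping identifier "auth:" must appear as its own whitespace-separated token, and that the username value is matched with an assumed regex "(\S+)" since the article only gives the IP/MAC regex. The second sample line (a "deauth:" event) is constructed to show a message that carries no new-mapping identifier and is therefore not turned into a session.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the example syslog message from the article.
SAMPLE_LINE = (
    "<181>May 19 15:14:08 sys_server Passed-Authentication 000011 1 0 "
    "2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong"
)
# Constructed sample input: same format, but a "deauth:" event with no new-mapping identifier.
DROPPED_LINE = (
    "<181>May 19 15:14:09 sys_server Passed-Authentication 000012 1 0 "
    "2013-04-01 14:06:06 info ah deauth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong"
)

# Value regex from the article, used for both the IP and the MAC field.
ADDR_RE = r"([A-F0-9a-f:.]+)"
# Assumed regex for the username field (the article does not give one).
USER_RE = r"(\S+)"
# Syslog PRI prefix, e.g. "<181>"; assumed to be counted as its own position.
PRI_RE = re.compile(r"^(<\d{1,3}>)(.*)$", re.S)


def header_fields(line: str, separator: str = " ") -> List[str]:
    """Split the message into positions: the PRI field first, then separator-delimited tokens."""
    m = PRI_RE.match(line)
    if m:
        rest = m.group(2)
        return [m.group(1)] + [f for f in rest.split(separator) if f]
    return [f for f in line.split(separator) if f]


def header_hostname(line: str, separator: str = " ", position: int = 5) -> Optional[str]:
    """Model of the custom header: the hostname is the field at a 1-based position."""
    fields = header_fields(line, separator)
    if position < 1 or position > len(fields):
        return None
    return fields[position - 1]


def parse_body(line: str, new_mapping_id: str = "auth:") -> Optional[Dict[str, str]]:
    """Model of the custom template.

    Only lines that carry the new-mapping identifier as a whole token are parsed
    ("deauth:" must not count as "auth:"). Each identity value is the text that
    immediately follows its identifier keyword, captured by the field's regex.
    """
    if new_mapping_id not in line.split():
        return None  # no new-mapping identifier: no session would be created from this line
    body = line.split(new_mapping_id, 1)[1]
    result: Dict[str, str] = {}
    for key, value_re in (("ip", ADDR_RE), ("mac", ADDR_RE), ("username", USER_RE)):
        m = re.search(r"\b" + re.escape(key) + r"\s+" + value_re, body)
        if not m:
            return None  # a required field is missing; treat the line as unparseable
        result[key] = m.group(1)
    return result


def parse_identity(line: str) -> Optional[Dict[str, str]]:
    """Combine header (hostname) and body (identity fields) into one session record."""
    host = header_hostname(line)
    fields = parse_body(line)
    if host is None or fields is None:
        return None
    return {"host": host, **fields}


if __name__ == "__main__":
    print(parse_identity(SAMPLE_LINE))   # session record for the example line
    print(parse_identity(DROPPED_LINE))  # None: no "auth:" new-mapping identifier
```

The token check before the body parse is the part worth carrying over to any real template: a substring match on "auth:" would also fire on "deauth:" and create a session for a disconnect event, so matching the identifier as a whole field is what keeps the mapping accurate.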
We now have our new syslog provider configured and can click "Submit."
ISE-PIC must be able to resolve the host FQDN of the syslog provider. If it can't, you won't be able to save the new provider:
At this point, ISE-PIC is ready to accept syslog messages and extract the identity information. You can verify syslog messages are being correctly parsed by taking a look at the Live Sessions.