on 02-27-2017 01:19 PM - edited on 12-20-2023 07:21 PM by hslai
The syslog providers in ISE-PIC or ISE include several predefined syslog templates for popular network services commonly used in enterprise networks. If your network service is not listed as one of the predefined templates and you would like to use it for identity information, you can create your own syslog header parser and template. All you need is an example syslog message from the provider. In this example, I will use the following syslog message to create a custom header and template:
<181>May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong
To begin, navigate to Providers -> Syslog Providers in ISE-PIC (or in ISE, Work Centers / PassiveID / Providers / Syslog Providers):
ISE-PIC or ISE reads the header of each syslog message received and looks for the host in the location where the host should be according to RFC 5424, section 6, or, if configured, in the location defined by the custom header; if it cannot locate the host field, it drops the event. By default, ISE separates each syslog header by space characters and looks for the host field at the first or the fourth position. If the host is not found, as evidenced by "... Received unknown syslog message format. ..." in passiveid-syslog.log after the PassiveID component is set to DEBUG, create a custom header. To create a custom header, click the "Custom Header" button:
Paste the example syslog message that you collected from the network service you want to use into the window:
At this point we need to correctly identify the hostname of the network service that is sending the syslog message to ISE-PIC. To do that, we have to indicate the separator and the position of the hostname in the message. In my example it is 5 positions into the message and each position is separated by a space. Once you have the separator and position properly configured, ISE-PIC will show the correct hostname. Click Submit once finished:
We can now proceed with configuring our provider. Click the "Add" icon to continue:
Next fill out all the fields with the appropriate information.
Note on Host FQDN: After locating the host in each syslog message received, ISE-PIC or ISE will try to match it to one of the syslog providers in the following formats:
Currently, the comparison is case-sensitive, so my-syslog-server.ise.local != MY-SYSLOG-SERVER.ISE.LOCAL
If the host is not matched, the DEBUG log shows an entry like this: DEBUG ... com.cisco.idc.syslog-probe- Receive message from unkown client, Droping message. Identity Mapping.event-info = No tcp syslog client is defined for this message, Close this socket channel , Identity Mapping.probe = Syslog , Identity Mapping.server = myISE-hostname ,
Before clicking "Submit," we need to create a custom template for the body of the syslog message that will allow us to extract the identity information. To begin, click "New":
In the example syslog message above, there are three pieces of information I want to extract: the username, IP and MAC address. The template helps us do that just like the custom header did. Paste your example line of syslog into the box and fill out the required fields. We have to tell ISE-PIC what kind of mapping operation this template represents. To identify the message as a new mapping, enter the identifier (auth: in this example) in the "New Mapping" field. Next, we fill out the user data information so ISE-PIC can identify the IP, username and MAC address. These identifiers tell the parser that the data we want immediately follows them. Lastly, we use some RegEx to extract the data. If you've configured the template correctly, the parser will extract the identity information you are interested in. Be sure to click Save once finished.
Here is the RegEx I used:
IP and MAC: ([A-F0-9a-f:.]+)
Username: ([a-zA-Z0-9\_]+)
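To make the header and template logic above concrete, here is an added example (not part of the original article and not ISE code) that reproduces in Python what the custom header and template do to the example message: split the header on a space separator and take the hostname at 1-based position 5, compare it case-sensitively against the configured providers (the case-sensitivity caveat from the Host FQDN note), locate the "auth:" new-mapping identifier, and apply the article's regexes after the mac, ip and username identifiers. The provider list, the function names and the status strings are assumptions for illustration; the sample message is the one from the article.

```python
import re

# Constructed sample: the article's example message, copied verbatim.
SAMPLE = ("<181>May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 "
          "2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 "
          "username astrong")

# The same message as the netcat test later in the article sends it: no <181> PRI.
SAMPLE_NO_PRI = SAMPLE[len("<181>"):]


def extract_host(message, separator=" ", position=5):
    """Custom header logic: split on the separator and take the 1-based position.

    Returns None when the message has too few fields, which is the case ISE
    reports as "Received unknown syslog message format" and then drops.
    """
    fields = message.split(separator)
    if position < 1 or len(fields) < position:
        return None
    return fields[position - 1]


def match_provider(host, providers):
    """Case-sensitive comparison against configured provider host names
    (a simplification of the FQDN match the article describes)."""
    for provider in providers:
        if host == provider:
            return provider
    return None


# Template: the new-mapping identifier plus, per field, the identifier that
# precedes the value followed by the article's regex for that value.
NEW_MAPPING = "auth:"
FIELD_PATTERNS = {
    "mac": r"\bmac\s+([A-F0-9a-f:.]+)",
    "ip": r"\bip\s+([A-F0-9a-f:.]+)",
    "username": r"\busername\s+([a-zA-Z0-9\_]+)",
}


def parse_template(message):
    """Return {mac, ip, username} for a new-mapping event, or None when the
    message lacks the new-mapping identifier or any field does not match."""
    if NEW_MAPPING not in message:
        return None
    body = message.split(NEW_MAPPING, 1)[1]
    mapping = {}
    for name, pattern in FIELD_PATTERNS.items():
        found = re.search(pattern, body)
        if found is None:
            return None
        mapping[name] = found.group(1)
    return mapping


def process(message, providers, separator=" ", position=5):
    """End-to-end: header parsing, provider lookup, then template extraction.
    Returns a (status, data) pair; data is None whenever the message is not mapped."""
    host = extract_host(message, separator, position)
    if host is None:
        return ("dropped: unknown syslog message format", None)
    if match_provider(host, providers) is None:
        return ("dropped: no syslog client defined for host %s" % host, None)
    mapping = parse_template(message)
    if mapping is None:
        return ("ignored: template did not match", None)
    return ("mapped", dict(mapping, host=host))


if __name__ == "__main__":
    # Assumed provider list; the last message shows the case-sensitive mismatch.
    for msg in (SAMPLE, SAMPLE_NO_PRI, "too short",
                SAMPLE.replace("sys_server", "SYS_SERVER")):
        print(process(msg, ["sys_server"]))
```

Running the block prints one result per message: the first two are mapped with host sys_server, the short message is dropped because there is no fifth field, and the upper-case host is dropped because the provider comparison is case-sensitive.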
We now have our new syslog provider configured and can click "Submit."
ISE-PIC or ISE must be able to resolve the host FQDN of the syslog provider. If it can't, you won't be able to save the new provider:
At this point, ISE-PIC or ISE is ready to accept syslog messages and extract the identity information. You can verify syslog messages are being correctly parsed by taking a look at the Live Sessions.
In case our lab does not have the network service to generate the syslog events, we may test this using GNU Netcat or the like:
echo 'May 19 15:14:08 EST sys_server Passed-Authentication 000011 1 0 2013-04-01 14:06:05 info ah auth: mac 1cab:a7e6:cf7f ip 10.5.50.52 username astrong' | nc -4 myISE-IPv4 11468
where myLinuxHost is a placeholder for the hostname or the IPv4 address of the Linux test box, myISE-IPv4 is a placeholder for the ISE's IPv4 address, and 11468 is the TCP port for a syslog provider. If using UDP syslog, use '-u' and change the port number.
Hi Timothy,
Thanks for this useful doc. I want to ask you something about syslog parsing with PIC using 802.1X EAP-FAST auth.
As you know, if we are using EAP-FAST (user+machine) auth in the deployment, then the Username appears as user+machine. And it sends this user info as is via pxGrid to FMC.
Do you think we can send only the user info to pxGrid subscribers using this syslog parsing method for the logs we received from the MNT node? Do you have any suggestions?
I encountered the problem below and bug CSCvd73842:
https://community.cisco.com/t5/firepower/fmc-ise-integration-sgt/td-p/3798067
Thanks
Murat