
Cisco Identity Services Engine


The Cisco Identity Services Engine (ISE) DSM for JSA accepts syslog events from Cisco ISE appliances with log sources configured to use the UDP Multiline protocol.

The following table describes the specifications for the Cisco Identity Services Engine DSM:

Table 1: Cisco Identity Services Engine DSM Specifications

DSM name                       Cisco Identity Services Engine
RPM file name
Supported versions             1.1 to 2.2
Protocol                       UDP Multiline Syslog
Event format
Recorded event types           Device events
Automatically discovered?
Includes identity?
Includes custom properties?
More information               ( products/security/identity-services-engine/index.html)

To integrate Cisco ISE with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
    • DSMCommon RPM

    • Cisco Identity Services Engine DSM RPM

  2. Configure your Cisco ISE appliance to send UDP Multiline Syslog events to JSA.
  3. Add a Cisco Identity Services Engine log source on the JSA Console. The following table describes the parameters that require specific values to collect events from Cisco ISE:

    Table 2: Cisco ISE Log Source Parameters



    Log Source type

    Cisco Identity Service Engine

    Protocol Configuration

    UDP Multiline Syslog

    Log Source Identifier

    Type the IP address to identify the log source or appliance that provides UDP Multiline Syslog events to JSA.

    Listen Port

    Type 517 as the port number used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535.

    Note: UDP multiline syslog events can be assigned to any port that is not in use, other than port 514. The default port that is assigned to the UDP Multiline protocol is UDP port 517. If port 517 is used in your network, see the list of ports that are used by JSA.

    To edit a saved configuration to use a new port number:

    1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.

    2. Click Save.

    3. On the Admin tab, select Advanced > Deploy Full Configuration.

    After the full deployment completes, JSA can receive events on the updated listen port.

    When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

    Message ID Pattern

    Type the following regular expression (regex) needed to filter the event payload messages.

    CISE_\S+ (\d{10})

  4. Configure a remote logging target on your Cisco ISE appliance.
  5. Configure the event logging categories on your Cisco ISE appliance.
  6. Verify that JSA is configured correctly.

    The following table shows a sample normalized event message from Cisco Identity Services Engine:

    Table 3: Cisco Identity Services Engine Sample Message

    Event name

    Low level category

    Sample log message


    Admin Login Successful

    <18>Jan 26 15:00:15 cisco.ise CISE_Administrative_and_Operational_Audit 0000003812 1 0 2015-01-26 15:00:15.510 +00:00 0000008620 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=84, AdminInterface=GUI, AdminIPAddress=x.x.x.x, AdminSession=0DE370E55527018DAA537F60AAAAAAAA, AdminName=adminUser, OperationMessageText=Administrator authentication successful,


    General Authentication Failed

    <181>Oct 31 16:35:39 isi CISE_Failed_Attempts 0000199854 2017-10-31 16:35:39.919 +01:00 0021309086 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=4, Device IP Address=x.x.x.x, Device Port=33987, DestinationIPAddress=x.x.x.x, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=admin, Protocol=Radius, RequestLatency=8, NetworkDeviceName=device1, User-Name=admin, NAS-Identifier=12782c2b-747a-4894-9689-000000000000, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=efb762c5-9082-4c79-a101-000000000000, IsThirdPartyDeviceFlow=false, AcsSessionID=isi/298605301/000000, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=22056 Subject not found in the applicable identity store(s), Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15006, Step=15041, Step=15006, Step=15013, Step=24210, Step=24216, Step=22056, Step=22058, Step=22061, Step=11003

To create a single-line syslog event from a multiline event, configure a log source to use the UDP multiline protocol. The UDP multiline syslog protocol uses a regular expression to identify the multiline syslog messages and reassemble them into a single event payload.
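The reassembly described above, as an added Python example that is not JSA's own code: datagrams are grouped by the ID that the Message ID Pattern captures and joined into one payload. It assumes the two numbers after the ID are the segment count and a zero-based segment index, as the "1 0" in the first sample message suggests, and that segments join without a separator; the datagrams are constructed.

```python
import re
from collections import defaultdict

# Message ID Pattern exactly as configured for the log source on this page.
MESSAGE_ID = re.compile(r"CISE_\S+ (\d{10})")
# Assumption: the ID is followed by "<segment count> <segment index> <text>".
SEGMENT_FIELDS = re.compile(r" (\d+) (\d+) (.*)", re.S)


def reassemble(datagrams):
    """Return (events, incomplete): one joined payload per complete message ID,
    and the IDs still missing a segment (UDP does not guarantee delivery)."""
    prefix, totals, parts = {}, {}, defaultdict(dict)
    for data in datagrams:
        found = MESSAGE_ID.search(data)
        if not found:
            continue  # no Cisco ISE message ID, so not part of any event
        msg_id = found.group(1)
        fields = SEGMENT_FIELDS.match(data, found.end())
        if fields:
            total, index, text = int(fields[1]), int(fields[2]), fields[3]
        else:  # no segment counters: treat the datagram as a whole event
            total, index, text = 1, 0, data[found.end():].lstrip()
        totals[msg_id] = total
        parts[msg_id][index] = text
        if index == 0:  # syslog header, category and ID come from segment 0
            prefix[msg_id] = data[:found.end()]
    events, incomplete = {}, []
    for msg_id, segments in parts.items():
        if set(segments) == set(range(totals[msg_id])):
            body = "".join(segments[i] for i in range(totals[msg_id]))
            events[msg_id] = f"{prefix[msg_id]} {body}"
        else:
            incomplete.append(msg_id)
    return events, incomplete


# Constructed datagrams (not captured traffic), delivered out of order.
HDR = "<181>Oct 31 16:35:39 isi CISE_Failed_Attempts"
SAMPLE = [
    f"{HDR} 0000000001 3 1 UserName=admin, Protocol=Radius, ",
    f"{HDR} 0000000001 3 0 5400 NOTICE Failed-Attempt: Authentication failed, ",
    f"{HDR} 0000000002 2 0 5400 NOTICE Failed-Attempt: Authentication failed, ",
    f"{HDR} 0000000001 3 2 FailureReason=22056 Subject not found",
]

if __name__ == "__main__":
    events, incomplete = reassemble(SAMPLE)
    print(events, incomplete)
```

An ID returned in incomplete marks an event whose segments did not all arrive, so its payload would lack fields such as FailureReason.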

Creating a Remote Logging Target in Cisco ISE

To forward syslog events to JSA, you must configure your Cisco ISE appliance with a remote logging target.

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration > System > Logging > Remote Logging Targets.
  3. Click Add, and then configure the following parameters:

    Table 4: Cisco ISE Log Source Parameters




    Name

    Type a unique name for the remote target system.

    Description

    You can uniquely identify the target system for users.

    IP Address

    Type the IP address of the JSA console or Event Collector.


    Port

    Type 517 or use the port value that you specified in your Cisco ISE log source for JSA.

    Facility Code

    From the Facility Code list, select the syslog facility to use for logging events.

    Maximum Length

    Type 1024 as the maximum packet length allowed for the UDP syslog message.

  4. Click Submit.

    The remote logging target is created for JSA.

You are now ready to configure the logging categories that are forwarded by Cisco ISE to JSA.

Configuring logging categories in Cisco ISE

The Cisco ISE DSM for JSA can receive syslog events from multiple event logging categories. To define which events are forwarded to JSA, you must configure each event logging category on your Cisco ISE appliance.

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration > System > Logging > Logging Categories.

    The following table shows supported event logging categories for the Cisco ISE DSM:

    Table 5: Cisco ISE Event Logging Categories

    Event logging category

    AAA audit

    Failed attempts

    Passed authentication

    AAA diagnostics

    Administrator authentication and authorization

    Authentication flow diagnostics

    Identity store diagnostics

    Policy diagnostics

    Radius diagnostics



    Radius accounting

    Administrative and operational audit

    Posture and client provisioning audit

    Posture and client provisioning diagnostics


    System diagnostics

    Distributed management

    Internal operations diagnostics

    System statistics

  3. Select an event logging category, and then click Edit.
  4. From the Log Severity list, select a severity for the logging category.
  5. In the Target field, add your remote logging target for JSA to the Select box.
  6. Click Save.
  7. Repeat this process for each logging category that you want to forward to JSA.

    Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in JSA.