Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Cisco Identity Services Engine

 

The Cisco Identity Services Engine (ISE) DSM for JSA accepts syslog events from Cisco ISE appliances with log sources configured to use the UDP multiline syslog protocol.

The following table describes the specifications for the Cisco Identity Services Engine DSM:

Table 1: Cisco Identity Services Engine DSM Specifications

Parameter

Value

Manufacturer

Cisco

DSM name

Cisco Identity Services Engine

RPM file name

SM-CiscoISE-JSA_version-build_number.noarch.rpm.

Supported versions

1.1 to 2.2

Protocol

UDP Multiline Syslog

Event format

Syslog

Recorded event types

Device events

Automatically discovered?

No

Includes identity?

Yes

Includes custom properties?

No

More information

(https://www.cisco.com/c/en/us/ products/security/identity-services-engine/index.html)

To integrate Cisco ISE with with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
    • DSMCommon RPM

    • Cisco Identity Services Engine DSM RPM

  2. Configure your Cisco ISE appliance to send UDP multiline syslog events with JSA.
  3. Add a Cisco Identity Services Engine log source on the JSA Console. The following table describes the parameters that require specific values to collect events from Cisco ISE:

    Table 2: Cisco ISE Log Source Parameters

    Parameter

    Description

    Log Source type

    Cisco Identity Service Engine

    Protocol Configuration

    UDP Multiline Syslog

    Log Source Identifier

    Type the IP address to identify the log source or appliance that provides UDP Multiline Syslog events to JSA.

    Listen Port

    Type 517 as the port number used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535.

    Note: UDP multiline syslog events can be assigned to any port that is not in use, other than port 514. The default port that is assigned to the UDP Multiline protocol is UDP port 517. If port 517 is used in your network, for a list of ports that are used by JSA.

    To edit a saved configuration to use a new port number:

    In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.

    1. Click Save.

    2. On the Admin tab, select Advanced >Deploy Full Configuration.

    After the full deployment completes, JSA can receive events on the updated listen port.

    When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

    Message ID Pattern

    Type the following regular expression (regex) needed to filter the event payload messages.

    CISE_\S+ (\d{10})

    For a complete list of UDP multiline syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options in Protocol Configuration Options.

  4. Configure a remote logging target on your Cisco ISE appliance.
  5. Configure the event logging categories on your Cisco ISE appliance.

To create a single-line syslog event from a multiline event, configure a log source to use the UDP multiline protocol. The UDP multiline syslog protocol uses a regular expression to identify and reassemble the multiline syslog messages into single event payload.

Configuring a Remote Logging Target in Cisco ISE

To forward syslog events to JSA, you must configure your Cisco ISE appliance with a remote logging target.

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration >System >Logging >Remote Logging Targets.
  3. Click Add, and then configure the following parameters:.

    Table 3: Cisco ISE Log Source Parameters

    Option

    Description

    Name

    Type a unique name for the remote target system.

    Description

    You can uniquely identify the target system for users.

    IP Address

    Type the IP address of the JSA console or Event Collector.

    Port

    Type 517 or use the port value that you specified in your Cisco ISE log source for JSA.

    Facility Code

    From the Facility Code list, select the syslog facility to use for logging events.

    Maximum Length

    Type 1024 as the maximum packet length allowed for the UDP syslog message.

  4. Click Submit.

Configure the logging categories that are forwarded by Cisco ISE to JSA.

Configuring logging categories in Cisco ISE

The Cisco ISE DSM for JSA can receive syslog events from multiple event logging categories. To define which events are forwarded to JSA, you must configure each event logging category on your Cisco ISE appliance.

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration > System > Logging > Logging Categories.

    The following table shows supported event logging categories for the Cisco ISE DSM:

    Table 4: Cisco ISE Event Logging Categories

    Event logging category

    AAA audit

    Failed attempts

    Passed authentication

    AAA diagnostics

    Administrator authentication and authorization

    Authentication flow diagnostics

    Identity store diagnostics

    Policy diagnostics

    Radius diagnostics

    Guest

    Accounting

    Radius accounting

    Administrative and operational audit

    Posture and client provisioning audit

    Posture and client provisioning diagnostics

    Profiler

    System diagnostics

    Distributed management

    Internal operations diagnostics

    System statistics

  3. Select an event logging category, and then click Edit.
  4. From the Log Severity list, select a severity for the logging category.
  5. In the Target field, add your remote logging target for JSA to the Select box.
  6. Click Save.
  7. Repeat this process for each logging category that you want to forward to JSA.

    Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in JSA.

Cisco Identity Services Engine Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Cisco Identity Services Engine sample message when you use the UDP multiline syslog protocol

The following sample event shows that the endpoint failed authentication several times for the same scenario and was rejected.

<181>Aug 9 07:36:33 cisco.ise.test CISE_Failed_Attempts 0038700411 4 0 2018-08-09 07:36:3 3.085 +00:00 0762919669 5449 NOTICE RADIUS: Endpoint failed authentication of the same scenario severa l times and was rejected, ConfigVersionId=582, Device IP Address=172.23.104.125, Device Port=43017, De stinationIPAddress=172.23.100.5, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=qradar , Protocol=Radius, NetworkDeviceName=TE-ST-TES-TTE-ST1, User-Name=12a3412341b2 NAS-IPAddress= 172.23.1 04.125, NAS-Port=8, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=7d6817ac01e6f8114dee6b5 b\;42SessionID=cisco.ise.test/319421106/32782955\;, Called-Station-ID=00-00-5E-00-53-83:LOFIMO, Callin g-Station-ID=00-00-5E-00-53-A2, NAS-Identifier=TE-ST-TES-TTE-ST1 Acct-Session-Id=5b6bee4d/ 00:00:5E:00: 53:64/33045704, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium- Type=(ta g=0) 802, Tunnel-Private-Group-ID=(tag=0) 40, Chargeable-User-Identity=\}, Location- Capable=00:00:00:01,