Cisco Identity Services Engine
The Cisco Identity Services Engine (ISE) DSM for JSA accepts syslog events from Cisco ISE appliances with log sources configured to use the UDP multiline syslog protocol.
The following table describes the specifications for the Cisco Identity Services Engine DSM:

Parameter | Value
---|---
Manufacturer | Cisco
DSM name | Cisco Identity Services Engine
RPM file name | SM-CiscoISE-JSA_version-build_number.noarch.rpm
Supported versions | 1.1 to 2.2
Protocol | UDP Multiline Syslog
Event format | Syslog
Recorded event types | Device events
Automatically discovered? | No
Includes identity? | Yes
Includes custom properties? | No
More information | Cisco ISE product page (https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html)
To integrate Cisco ISE with JSA, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
DSMCommon RPM
Cisco Identity Services Engine DSM RPM
Configure your Cisco ISE appliance to send UDP multiline syslog events to JSA.
Add a Cisco Identity Services Engine log source on the JSA Console. The following table describes the parameters that require specific values to collect events from Cisco ISE:
Table 2: Cisco ISE log source parameters

Parameter | Description
---|---
Log Source type | Cisco Identity Services Engine
Protocol Configuration | UDP Multiline Syslog
Log Source Identifier | Type the IP address of the Cisco ISE node that provides UDP Multiline Syslog events to JSA.
Listen Port | Type 517 as the port on which JSA accepts incoming UDP Multiline Syslog events. The valid port range is 1 - 65535. See the note on changing the listen port below.
Message ID Pattern | Type the following regular expression (regex); its capture group identifies the segments that belong to one event: CISE_\S+ (\d{10})

Note: UDP multiline syslog events can be assigned to any port that is not already in use, other than port 514, which the standard syslog protocol uses. The default port for the UDP Multiline Syslog protocol is UDP port 517. If port 517 is already used in your network, choose another port that is not in the list of ports that JSA uses. UDP syslog is neither authenticated nor encrypted, so restrict access to the listen port, for example with firewall rules, to the addresses of your Cisco ISE nodes.

To edit a saved configuration to use a new port number:
In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
Click Save.
On the Admin tab, select Advanced > Deploy Full Configuration.
After the full deployment completes, JSA can receive events on the updated listen port.
When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
For a complete list of UDP multiline syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options in Protocol Configuration Options.
Configure a remote logging target on your Cisco ISE appliance (see Configuring a Remote Logging Target in Cisco ISE).
Configure the event logging categories on your Cisco ISE appliance (see Configuring logging categories in Cisco ISE).
Cisco ISE splits a syslog event that is longer than the configured maximum message length into several UDP datagrams that carry the same message sequence number. To reassemble them into a single-line event, configure the log source to use the UDP multiline syslog protocol: the protocol applies the Message ID Pattern regex to each datagram, groups the datagrams for which the capture group returns the same value, and joins them into one event payload.
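The reassembly that the UDP multiline syslog protocol performs, written out as an added Python example (not JSA or Cisco code): it applies the Message ID Pattern above to a set of constructed datagrams laid out like the sample event shown later on this page, joins the segments of each event in index order even when they arrive out of order, reports an event with a missing segment instead of silently emitting a truncated payload, and parses the reassembled body into its header fields and key=value attributes. The host name, addresses and session identifiers in the sample datagrams are made up.

```python
"""Reassemble Cisco ISE multiline syslog segments the way the JSA UDP
multiline syslog protocol does, then parse the reassembled event.

Added example, not JSA or Cisco code.  The segment layout is taken from the
sample event on this page; the datagrams below are constructed.
"""
import re
from collections import defaultdict

# The Message ID Pattern configured on the JSA log source.  The capture group
# returns the 10-digit message sequence number that every segment of one
# event carries after the CISE_ category name.
MESSAGE_ID_PATTERN = re.compile(r"CISE_\S+ (\d{10})")

# Full segment header (assumed from the sample event):
#   <pri>timestamp host CISE_category seq total_segments segment_index body
SEGMENT_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<category>CISE_\S+) (?P<seq>\d{10}) "
    r"(?P<total>\d+) (?P<index>\d+) (?P<body>.*)$",
    re.DOTALL,
)

# Cisco ISE escapes literal commas and semicolons inside values with a
# backslash, so attributes are split only on an unescaped ", ".
ATTRIBUTE_SPLIT = re.compile(r"(?<!\\), ")

# Constructed datagrams: one Failed_Attempts event split into three segments
# that arrive out of order, interleaved with a one-segment event from another
# category.  Addresses, names and session IDs are made up.
SAMPLE_DATAGRAMS = [
    "<181>Aug 9 07:36:33 ise01.example.test CISE_Failed_Attempts 0038700411 3 0 "
    "2018-08-09 07:36:33.085 +00:00 0762919669 5449 NOTICE RADIUS: Endpoint failed "
    "authentication of the same scenario several times and was rejected, "
    "ConfigVersionId=582, ",
    "<182>Aug 9 07:36:33 ise01.example.test CISE_Passed_Authentications 0038700412 1 0 "
    "2018-08-09 07:36:33.090 +00:00 0762919670 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=582, UserName=alice, "
    "Calling-Station-ID=00-00-5E-00-53-01,",
    "<181>Aug 9 07:36:33 ise01.example.test CISE_Failed_Attempts 0038700411 3 2 "
    "Calling-Station-ID=00-00-5E-00-53-A2, NAS-Port-Type=Wireless - IEEE 802.11, "
    "Tunnel-Private-Group-ID=(tag=0) 40,",
    "<181>Aug 9 07:36:33 ise01.example.test CISE_Failed_Attempts 0038700411 3 1 "
    "Device IP Address=172.23.104.125, UserName=qradar, Protocol=Radius, "
    "State=37CPMSessionID=7d6817ac\\;42SessionID=ise01/319421106/32782955\\;, ",
]


def reassemble(datagrams):
    """Group datagrams by message ID and join their bodies in segment order.

    Returns (complete, incomplete): complete maps message ID to the header
    fields plus the joined body; incomplete maps message ID to the segment
    indexes that did arrive, so a dropped datagram is visible.
    """
    chunks = defaultdict(dict)
    header = {}
    for raw in datagrams:
        m = SEGMENT_HEADER.match(raw)
        if m is None:
            raise ValueError(f"not a Cisco ISE syslog segment: {raw[:60]!r}")
        message_id = MESSAGE_ID_PATTERN.search(raw).group(1)  # same value as m["seq"]
        chunks[message_id][int(m["index"])] = m["body"]  # a retransmit just overwrites
        header[message_id] = m
    complete, incomplete = {}, {}
    for message_id, parts in chunks.items():
        m = header[message_id]
        total = int(m["total"])
        if sorted(parts) == list(range(total)):
            complete[message_id] = {
                "pri": int(m["pri"]),
                "host": m["host"],
                "category": m["category"],
                "body": "".join(parts[i] for i in range(total)),
            }
        else:
            incomplete[message_id] = sorted(parts)
    return complete, incomplete


def parse_event(event):
    """Split a reassembled body into its fixed prefix and key=value attributes.

    Prefix layout, as in the page's sample event: date time tz message-sequence
    message-code SEVERITY free text, then comma-separated attributes.
    A repeated attribute name keeps the last value seen.
    """
    prefix, _, attr_text = event["body"].partition(", ")
    date, time, tz, _msg_seq, _msg_code, severity, text = prefix.split(" ", 6)
    attributes = {}
    for item in ATTRIBUTE_SPLIT.split(attr_text):
        item = item.strip().rstrip(",")
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        attributes[key.strip()] = value.replace("\\;", ";").replace("\\,", ",")
    return {"category": event["category"], "host": event["host"],
            "timestamp": f"{date} {time} {tz}", "severity": severity,
            "message": text, "attributes": attributes}


if __name__ == "__main__":
    complete, incomplete = reassemble(SAMPLE_DATAGRAMS)
    for message_id, event in complete.items():
        parsed = parse_event(event)
        print(message_id, parsed["category"], parsed["severity"],
              parsed["attributes"].get("UserName"),
              parsed["attributes"].get("Calling-Station-ID"))
    if incomplete:
        print("incomplete:", incomplete)
```

Dropping the segment with index 1 from the constructed input makes reassemble() list the event under incomplete with indexes [0, 2]; that is the symptom to look for when JSA shows truncated Cisco ISE payloads, which usually means a datagram was lost or a different Maximum Length was set on the two sides.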
Configuring a Remote Logging Target in Cisco ISE
To forward syslog events to JSA, you must configure your Cisco ISE appliance with a remote logging target.
Log in to your Cisco ISE Administration Interface.
From the navigation menu, select Administration > System > Logging > Remote Logging Targets.
Click Add, and then configure the following parameters:

Table 3: Cisco ISE remote logging target parameters

Option | Description
---|---
Name | Type a unique name for the remote target system.
Description | Optionally, type a description that identifies the target system to other administrators.
IP Address | Type the IP address of the JSA Console or Event Collector that hosts the Cisco ISE log source.
Port | Type 517, or the port value that you specified in the Listen Port field of your Cisco ISE log source in JSA.
Facility Code | From the Facility Code list, select the syslog facility to use for logging events.
Maximum Length | Type 1024 as the maximum length of a UDP syslog message. Cisco ISE splits a longer event into several datagrams, which the UDP multiline syslog protocol reassembles in JSA.

Click Submit.
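To see why the Maximum Length setting and the multiline protocol go together, here is an added Python example (not Cisco or JSA code) that emits one event the way the remote logging target does, as a series of UDP datagrams that each repeat the syslog header and stay within the configured Maximum Length, and then checks that a collector socket receives every segment. The per-segment header layout is assumed from the sample event on this page, the event body is constructed, and a loopback socket stands in for the JSA Event Collector.

```python
"""Emit one Cisco ISE event as UDP datagrams no longer than the remote
logging target's Maximum Length, and verify that a collector receives them.

Added example, not Cisco or JSA code.  The per-segment header layout
(<pri>timestamp host CISE_category seq total index body) is assumed from the
sample event on this page; the event body below is constructed.
"""
import socket

MAX_LENGTH = 1024  # Maximum Length as configured on the remote logging target

# Constructed body in the layout of the page's sample event (values made up).
SAMPLE_BODY = (
    "2018-08-09 07:36:33.085 +00:00 0762919669 5449 NOTICE RADIUS: Endpoint failed "
    "authentication of the same scenario several times and was rejected, "
    "ConfigVersionId=582, Device IP Address=172.23.104.125, UserName=qradar, "
    "Calling-Station-ID=00-00-5E-00-53-A2, NAS-Port-Type=Wireless - IEEE 802.11,"
)


def build_segments(pri, timestamp, host, category, seq, body, max_length=MAX_LENGTH):
    """Split body across datagrams that each repeat the header and fit max_length.

    The header's total and index fields grow with the segment count, so the
    room left per segment is recomputed until the count is stable.
    """
    body.encode("ascii")  # ISE attribute text is ASCII; fail early otherwise
    total = 1
    while True:
        overhead = len(f"<{pri}>{timestamp} {host} {category} {seq:010d} {total} {total - 1} ")
        room = max_length - overhead
        if room <= 0:
            raise ValueError("Maximum Length leaves no room for the message body")
        needed = max(1, (len(body) + room - 1) // room)
        if needed <= total:
            break
        total = needed
    return [
        f"<{pri}>{timestamp} {host} {category} {seq:010d} {total} {i} "
        f"{body[i * room:(i + 1) * room]}"
        for i in range(total)
    ]


def segment_body(datagram):
    """Return the body chunk of a datagram: everything after the eight header tokens."""
    return datagram.split(" ", 8)[8]


def send_segments(segments, collector_host, collector_port):
    """Send each segment as its own UDP datagram, as ISE does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        for segment in segments:
            tx.sendto(segment.encode("ascii"), (collector_host, collector_port))


def loopback_check(segments, port=0):
    """Bind a throwaway collector on 127.0.0.1, send the segments to it and
    return what arrived.  port=0 picks an ephemeral port; use 517 (needs root)
    to prove the host can bind the JSA listen port itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2.0)
        send_segments(segments, "127.0.0.1", rx.getsockname()[1])
        received = []
        for _ in segments:
            data, _addr = rx.recvfrom(65535)
            received.append(data.decode("ascii"))
    return received


if __name__ == "__main__":
    segs = build_segments(181, "Aug 9 07:36:33", "ise01.example.test",
                          "CISE_Failed_Attempts", 38700411, SAMPLE_BODY, max_length=200)
    for s in segs:
        print(len(s), s)
    print("received:", len(loopback_check(segs)))
```

Pointing send_segments() at the JSA Event Collector address and the configured listen port instead of loopback, from the ISE side of a firewall, tests the network path with datagrams of the same size and shape that ISE will send; the event then appears on the Log Activity tab only if every segment arrived and the Message ID Pattern matched.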
Configure the logging categories that are forwarded by Cisco ISE to JSA.
Configuring logging categories in Cisco ISE
The Cisco ISE DSM for JSA can receive syslog events from multiple event logging categories. To define which events are forwarded to JSA, you must configure each event logging category on your Cisco ISE appliance.
Log in to your Cisco ISE Administration Interface.
From the navigation menu, select Administration > System > Logging > Logging Categories.
The following table shows the event logging categories that the Cisco ISE DSM supports:

Table 4: Cisco ISE event logging categories
AAA audit
  Failed attempts
  Passed authentication
AAA diagnostics
  Administrator authentication and authorization
  Authentication flow diagnostics
  Identity store diagnostics
  Policy diagnostics
  Radius diagnostics
  Guest
Accounting
  Radius accounting
Administrative and operational audit
Posture and client provisioning audit
Posture and client provisioning diagnostics
Profiler
System diagnostics
  Distributed management
  Internal operations diagnostics
System statistics
Select an event logging category, and then click Edit.
From the Log Severity list, select the minimum severity for the logging category. Messages below the selected severity are not forwarded to the target.
In the Targets section, move the remote logging target that you created for JSA to the Selected list.
Click Save.
Repeat this process for each logging category that you want to forward to JSA.
Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in JSA.
Cisco Identity Services Engine Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
Cisco Identity Services Engine sample message when you use the UDP multiline syslog protocol
The following sample event shows that the endpoint failed authentication several times for the same scenario and was rejected. It is the first of four segments of one event: the three fields after the category name are the message sequence number (0038700411, the value that the Message ID Pattern captures), the total number of segments (4), and the index of this segment (0).
<181>Aug 9 07:36:33 cisco.ise.test CISE_Failed_Attempts 0038700411 4 0 2018-08-09 07:36:33.085 +00:00 0762919669 5449 NOTICE RADIUS: Endpoint failed authentication of the same scenario several times and was rejected, ConfigVersionId=582, Device IP Address=172.23.104.125, Device Port=43017, DestinationIPAddress=172.23.100.5, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=qradar, Protocol=Radius, NetworkDeviceName=TE-ST-TES-TTE-ST1, User-Name=12a3412341b2 NAS-IPAddress=172.23.104.125, NAS-Port=8, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=7d6817ac01e6f8114dee6b5b\;42SessionID=cisco.ise.test/319421106/32782955\;, Called-Station-ID=00-00-5E-00-53-83:LOFIMO, Calling-Station-ID=00-00-5E-00-53-A2, NAS-Identifier=TE-ST-TES-TTE-ST1 Acct-Session-Id=5b6bee4d/00:00:5E:00:53:64/33045704, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 40, Chargeable-User-Identity=\}, Location-Capable=00:00:00:01,