The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Cisco Identity Services Engine (ISE) is a robust, centralized network security policy management platform. It enables organizations to enforce secure access policies for endpoints, network devices, and users across wired, wireless, and VPN networks.

Supported Version(s)

  • Identity Services Engine 3.2

Requirements

  • Graylog 6.1.7+

  • The default length of remote log target messages configured in the Cisco ISE GUI is set to 1024. This will truncate messages and prevent proper parsing by Illuminate. You MUST configure this value to be 8192 so the full message is sent to Graylog. See the Cisco documentation for more information.

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Cisco Device Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and messages will be routed to it and its associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Cisco Devices Event Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

The following log delivery agents are supported:

  • Syslog (TCP)

  • Syslog (UDP)

Hint: The message field has been replaced by a shorter message highlighting key fields and values to reduce license utilization. Activate the full_message option in the input if needed.

Log Format Example

<18>Jul 31 03:39:53 DEVICE-01 CISE_Failed_Attempts 0000001161 1 0 2024-12-18 13:10:56.252 +00:00 0045534800 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=53, Device IP Address=192.168.1.1, DestinationIPAddress=192.168.1.1, UserName=blah.blah, AcsSessionID=ATH-ISE-POL03/522862485/1041418, SelectedAccessService=RADIUS 802.1X Wireless, RequestLatency=36, FailureReason=5440 Endpoint abandoned EAP session and started new, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12319, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12319, Step=12810, Step=12812, Step=12803, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=5440, NetworkDeviceName=HOME-HOME, NetworkDeviceGroups=Location#All Locations#HOME#HOME, NetworkDeviceGroups=Device Type#All Device Types#Wireless Controller, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, User-Name=blah.blah, NAS-IP-Address=192.168.1.1, NAS-Port=1615, Called-Station-ID=HOME-AP1:Digital, Calling-Station-ID=1e-f7-a9-dd-d3-f7, NAS-Identifier=HOME-HOME:Home Digital, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0B10A8C000171CA2D9E45D65, EndPointMACAddress=01-01-01-01-01-01, ISEPolicySetName=802.1X Wireless - Digital, StepLatency=84=13745, StepData=4= DEVICE.Device Type, StepData=5= Radius.NAS-Port-Type, StepData=6= Normalised Radius.RadiusFlowType, StepData=7= Radius.Called-Station-ID, StepData=8= DEVICE.Location, TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, DTLSSupport=Unknown, RadiusFlowType=Wireless802_1x, Network Device Profile=Cisco, Location=Location#All Locations#HOME#HOME, Device Type=Device Type#All Device Types#Wireless Controller, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },
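The record above is a syslog header followed by an ISE-specific prefix (category, counters, ISE timestamp, event code, severity, message text) and then a comma-separated list of key=value pairs in which some keys (Step, NetworkDeviceGroups, StepData) repeat and some values contain a second "=". The parser below is an added example written for this page; it is not Illuminate's pipeline code, and the names it gives the numeric header columns (seq, total_segments, segment, record_id) are our own labels rather than Illuminate field names. It keeps repeated keys as lists, looks the event code up in the table from this page, builds a short summary of the kind the "Log Collection" hint describes, and flags records that reach the remote-target message limit (the ISE default of 1024 mentioned under Requirements). The sample record is a constructed, shortened version of the page's example.

```python
"""Parse a Cisco ISE syslog record into header fields and key=value pairs (added example)."""
import re

# Event codes taken from this page's "Events Processed" table (subset).
EVENT_CODES = {
    "5200": "Authentication succeeded",
    "5400": "Authentication failed",
    "5405": "RADIUS Request dropped",
    "5440": "Endpoint abandoned EAP session and started new",
    "5449": "Endpoint failed authentication of the same scenario several times and was rejected",
}

# Constructed sample, shortened from the page's log example; not a real capture.
SAMPLE = (
    "<18>Jul 31 03:39:53 DEVICE-01 CISE_Failed_Attempts 0000001161 1 0 "
    "2024-12-18 13:10:56.252 +00:00 0045534800 5440 NOTICE "
    "RADIUS: Endpoint abandoned EAP session and started new, "
    "ConfigVersionId=53, Device IP Address=192.168.1.1, UserName=blah.blah, "
    "FailureReason=5440 Endpoint abandoned EAP session and started new, "
    "Step=11001, Step=11017, Step=5440, "
    "NetworkDeviceGroups=Location#All Locations#HOME#HOME, "
    "NetworkDeviceGroups=Device Type#All Device Types#Wireless Controller, "
    "NAS-IP-Address=192.168.1.1, Calling-Station-ID=1e-f7-a9-dd-d3-f7, "
    "StepData=4= DEVICE.Device Type, TLSVersion=TLSv1.2, "
    "Response={RadiusPacketType=Drop; },"
)

# Header: syslog PRI, BSD timestamp, host, ISE category, numeric columns, ISE
# timestamp, event code, severity word, free text up to the first comma.
# The names seq/total_segments/segment/record_id are our labels (assumption).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<category>CISE_\w+) "
    r"(?P<seq>\d+) (?P<total_segments>\d+) (?P<segment>\d+) "
    r"(?P<ise_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) "
    r"(?P<record_id>\d+) (?P<event_code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<text>[^,]*)"
    r"(?:, ?(?P<body>.*))?$"
)


def parse_body(body: str) -> dict:
    """Split 'k=v, k=v, ...' into {key: [values]}; split each pair on the first '='
    only, so values such as 'StepData=4= DEVICE.Device Type' survive intact."""
    fields: dict = {}
    for token in re.split(r",\s*", body or ""):
        if "=" not in token:
            continue  # skips the empty token left by the trailing comma
        key, value = token.split("=", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_ise(raw: str):
    """Return a dict of header fields plus parsed key=value pairs, or None."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["message_text"] = rec.pop("text").strip()
    pri = int(rec["pri"])
    rec["facility"], rec["severity_num"] = pri >> 3, pri & 7  # RFC 3164 PRI decode
    rec["event_message"] = EVENT_CODES.get(rec["event_code"], "unlisted event code")
    rec["fields"] = parse_body(body)
    return rec


def steps(rec: dict) -> list:
    """All Step= values in order, as ints; repeated keys are preserved, not overwritten."""
    return [int(s) for s in rec["fields"].get("Step", [])]


def summarize(rec: dict) -> str:
    """Short message built from the key fields, in the spirit of the page's hint
    about a shortened message field (format is ours, not Illuminate's)."""
    f = rec["fields"]

    def first(key: str) -> str:
        return f.get(key, ["-"])[0]

    return (f"{rec['category']} {rec['event_code']} ({rec['event_message']}) "
            f"user={first('UserName')} nas={first('NAS-IP-Address')} "
            f"mac={first('Calling-Station-ID')} tls={first('TLSVersion')}")


def length_check(raw: str, limit: int = 1024) -> dict:
    """Flag a record whose size reaches the remote log target's message limit.
    The page states the ISE GUI default is 1024 and that it must be raised to 8192;
    a record at the limit has very likely been cut and will not parse fully."""
    n = len(raw.encode("utf-8"))
    return {"bytes": n, "at_limit": n >= limit}


if __name__ == "__main__":
    record = parse_ise(SAMPLE)
    print(summarize(record))
    print("steps:", steps(record))
    print("length:", length_check(SAMPLE))
```

Run it on a raw line captured from the syslog input; a record that fails `parse_ise` (returns None) or trips `length_check` with the 1024 default is the symptom the Requirements note is warning about, and the fix is on the ISE side (raise the remote target length to 8192), not in the parser.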

Events Processed by This Technology Pack

The Cisco ISE content pack supports the following event IDs. Generic processing will be provided for event IDs not listed.

Parsed Fields

Event Code  Event Message
5200        Authentication succeeded
5201        Authentication succeeded
5202        Command Authorization succeeded
5203        Session Authorization succeeded
5205        Dynamic Authorization succeeded
5238        Endpoint authentication problem was fixed
5240        Previously rejected endpoint was released to continue authentications
5400        Authentication failed
5405        RADIUS Request dropped
5411        Supplicant stopped responding to ISE
5435        NAS conducted several failed authentications of the same scenario
5436        RADIUS packet already in the process
5440        Endpoint abandoned EAP session and started new
5441        Endpoint started new session while the packet of previous session is being processed. Dropping new session.
5449        Endpoint failed authentication of the same scenario several times and was rejected

GIM Categorization

Vendor Event Message                                                    GIM Category    GIM Subcategory         GIM Event Type Code
Authentication succeeded                                                authentication  authentication.default  109999
Command Authorization succeeded                                         authentication  authentication.default  109999
Dynamic Authorization succeeded                                         authentication  authentication.default  109999
Previously rejected endpoint was released to continue authentications   authentication  authentication.default  109999
Endpoint authentication problem was fixed                               authentication  authentication.default  109999
Session Authorization succeeded                                         authentication  authentication.default  109999

Cisco ISE Spotlight Content Pack

Cisco ISE offers a dashboard with 3 tabs:

  • Cisco ISE Overview

  • Authentication

  • Network