Splunk® Supported Add-ons

Splunk Add-on for Cisco ISE

Release history for the Splunk Add-on for Cisco ISE

The latest version of the Splunk Add-on for Cisco ISE is version 4.2.0. Please see Release notes for the Splunk Add-on for Cisco ISE for the release notes of the latest version.


Version 4.2.0 of the Splunk Add-on for Cisco ISE was released on April 13, 2021.

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.3, 8.0, 8.1
CIM 4.19.0
Platforms Platform independent
Vendor Products Cisco ISE version 2.0, 2.4, 2.7 and 3.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 4.1.0 of the Splunk Add-on for Cisco ISE has the following new features.

  • Added Support for new event types cisco-ise-endpoint-service, cisco-ise-change and cisco-ise-traffic
  • Added support for Endpoint Services, Change and Network Traffic DataModels for the above mentioned eventtypes respectively.
  • For below mentionedMESSAGE_CODE, eventtype=cisco-ise-change is introduced
    • 52002, 60086, 58022, 58023, 58024, 60131, 60132, 60198, 5232, 5233, 60085, 60190, 60197, 60214, 51100, 60461
  • For below mentionedMESSAGE_CODE, eventtype=cisco-ise-endpoint-service is introduced
    • 11010, 34127, 34126, 58001, 58002, 58005, 11009, 25004, 34050, 32000, 60234, 60235, 87751, 87604, 13002, 87608, 87609, 91004, 91018
  • For below mentionedMESSAGE_CODE, eventtype=cisco-ise-traffic is introduced
    • 61025
  • Added support for CIM v4.19.0.
  • Support for Cisco ISE product version 3.0

Fixed issues

Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.

If no issues appear below, no issues have yet been reported:


Known issues

Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following known issues.

If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.


Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Cisco ISE was released on July 10, 2020.

About this release

Version 4.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Platforms Platform independent
Vendor Products Cisco ISE version 2.0, 2.4, and 2.7

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 4.0.0 of the Splunk Add-on for Cisco ISE has the following new features.

  • Added the new event type cisco-ise-alert
  • Performance data model mapping has been removed for the cisco-ise-system-statistics event type.
  • The authentication data model mapping has been removed for the following event types:
    • cisco-ise-passed-authentication
    • cisco-ise-failed-authentication
    • cisco-ise-guest-authentication
    • cisco-ise-guest-authentication-failed
  • An authentication data model has been added for the cisco-ise-authentication event type.
  • Change data model mapping has been removed for cisco-ise-provision-succeeded event type.
  • Alert data model has been added for the cisco-ise-alert event type.
  • Auto KV mode has been replaced with custom REGEX for field extractions in order to support different data formats and fix the broken extractions. As a result, search queries may take longer than before.
  • Fixed broken field extractions.
  • Removed the setup page, pxGrid Workflow actions, and EPS workflow actions.
  • Index time of event has been changed to "Current".
  • Added support for Splunk Connect for Syslog.
  • Added support for CIM v4.15.
  • Update for support for Cisco ISE version 2.7.
  • Data Collection supports Syslog and Splunk Connect for Syslog.

Fixed issues

Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.

If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2020-05-19 ADDON-25848 Cisco ISE: Splunk Cloud DATETIME_CONFIG problem

Known issues

Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues.

If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.


Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.14 and later
Platforms Platform independent
Vendor Products Cisco ISE version 1.x and 2.0

New features

Version 3.0.0 of the Splunk Add-on for Cisco ISE has the following new features.

  • Support for Python3

Fixed issues

Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.

If no issues appear below, no issues have yet been reported:


Known issues

Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues.

If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-03-26 ADDON-25848 Cisco ISE: Splunk Cloud DATETIME_CONFIG problem
2018-10-19 ADDON-19966 Issues with setup page on Splunk v7.2.0

Workaround:
web.conf

splunkdConnectionTimeout = 120

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Cisco ISE incorporates the following third-party software attributions:

  • pxGrid_search.jar library, provided by Cisco and used by their permission.
  • future
  • configparser

Version 2.2.2

Version 2.2.2 of the Splunk Add-on for Cisco ISE was released on December 11, 2018.

About this release

Version 2.2.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Cisco ISE version 1.x and 2.0

Known issues

Version 2.2.2 of the Splunk Add-on for Cisco ISE contains the following known issues.

If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2018-10-19 ADDON-19966 Issues with setup page on Splunk v7.2.0

Workaround:
web.conf

splunkdConnectionTimeout = 120

Third-party software attributions

Version 2.2.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.


Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Cisco ISE was released on June 8, 2016. This release is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3 and later
CIM 4.3 and later
Platforms Platform independent
Vendor Products Cisco ISE version 1.x and 2.0

Migration from 2.1.1 to 2.2.0

There are no upgrade issues when upgrading from version 2.1.1 to 2.2.0.

Migration from 2.1.0 to 2.2.0

Version 2.1.1 of this add-on changed the timestamp extraction behavior. That release corrected the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data. This change may cause a time jump in your data at the upgrade point.

Migration from versions older than 2.1.0 to 2.2.0

If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.2.0 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not as an upgrade.

To migrate from any version prior to 2.1.0 to version 2.2.0:

  1. Download and install version 2.2.0 of the add-on from Splunkbase.
  2. Disable your previous version in the Splunk platform.
  3. Enable version 2.2.0 of the add-on.
  4. Create and adjust your local .conf files as needed to match your old configurations.
  5. Verify your configurations work as expected.

'#Delete the older version of the add-on.

New features

Version 2.2.0 of the Splunk Add-on for Cisco ISE has the following new features.

Date Issue number Description
2016-02-18 ADDON-7816 This release of add-on now supports Cisco ISE version 1.x and 2.0.
2015-04-03 ADDON-3584 You can now customize the log level through the new loglevel.conf configuration file.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Cisco ISE fixes the following issues.

Date Issue number Description
2015-05-05 ADDON-3929 Action values are not CIM-compliant with Authentication data model.
2016-05-06 ADDON-9326 Incorrect regex expressions in the cisco-ise-action-failure-for-auth and cisco-ise-action-blocked event type definitions.
2016-02-25 ADDON-7956 Tag expansions pull in unintended fields and negatively impact search performance.

Known issues

Version 2.2.0 of the Splunk Add-on for Cisco ISE contains the following known issues.

Date Issue number Description
2014-11-24 ADDON-2380 Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
2015-07-10 ADDON-2610/
SPL-91709
Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up workflow_actions.conf manually on Windows machines.
2017-11-10 ADDON-15925 Winsock error 10053 when trying to load the setup page of Cisco Identity Services. Workaround: Install the addon on Linux.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.



Version 2.1.2

Version 2.1.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.0 and above
CIM 3.0 and above
Platforms Platform independent
Vendor Products Cisco ISE version 1.2 & 1.3

Migration from 2.1.1 to 2.1.2

There are no upgrade issues when upgrading from version 2.1.1 to 2.1.2.

Migration from 2.1.0 to 2.1.2

Version 2.1.1 of this add-on changed the timestamp extraction behavior. In that release, the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data was corrected. This may cause a time jump in your data at the upgrade point.

Migration from versions older than 2.1.0 to 2.1.2

If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.2 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.

To migrate from any version prior to 2.1.0 to version 2.1.2:

  1. Download and install version 2.1.2 of the add-on from Splunkbase
  2. Disable your previous version in the Splunk platform
  3. Enable version 2.1.2 of the add-on
  4. Create and adjust your local .conf files as needed to match your old configurations
  5. Verify your configurations work as expected
  6. Delete the older version of the add-on

Fixed issues

Version 2.1.2 of the Splunk Add-on for Cisco ISE fixes the following issues.

Date Defect number Description
2015-08-25 ADDON-5004 pxGrid_Search.jar file is corrupt.

Known issues

Version 2.1.2 of the Splunk Add-on for Cisco ISE has the following known issues.

Date Defect number Description
2015-05-05 ADDON-3929 Action values are not CIM-compliant with Authentication data model.
2014-11-24 ADDON-2380 Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
2015-07-10 ADDON-2610/
SPL-91709
Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up workflow_actions.conf manually on Windows machines.

Third-party software attributions

Version 2.1.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.

Version 2.1.1

Version 2.1.1 of the Splunk Add-on for Cisco ISE was compatible with the following software, CIM versions, and platforms.

Splunk Enterprise versions 6.2, 6.1, 6.0
CIM 4.2, 4.1, 4.0, 3.0
Platforms Platform independent
Vendor Products Cisco ISE 1.2

Migration from 2.1.0 to 2.1.1

Version 2.1.1 of this add-on changes the timestamp extraction behavior. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point.

Migration from versions older than 2.1.0 to 2.1.1

If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.1 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.

To migrate from any version prior to 2.1.0 to version 2.1.1:

  1. Download and install version 2.1.1 of the add-on
  2. Disable your previous version in Splunk Enterprise
  3. Enable version 2.1.1 of the add-on
  4. Create and adjust your local conf files as needed to match your old configurations
  5. Verify your configurations work as expected
  6. Delete the older version of the add-on

Fixed issues

Version 2.1.1 of the Splunk Add-on for Cisco ISE fixed the following issues.

Date Defect number Description
04/15/15 ADDON-3660 Stanza extract_vendor_action_ise in transforms.conf is not used in props.conf.
04/07/15 ADDON-3479 Add-on overrides Splunk Enterprise's default syslog timestamp configurations.
04/02/15 ADDON-3329 pxgremediate.py command does not return useful information.
03/31/15 ADDON-3423 Problems with authentication & dispatch of custom command, and improve logging.
03/31/15 ADDON-2512 Sourcetypes renamed in a way that broke backwards compatibility.
03/26/15 ADDON-3063 Authentication error received when invoking pxgremediate workflow (custom command). Workaround available from support.
03/26/15 ADDON-3079 Add-on contains *nix specific paths.
03/26/15 ADDON-3077 Potential command execution via malicious configuration file.

Known issues

Version 2.1.1 of the Splunk Add-on for Cisco ISE had the following known issues.

Date Defect number Description
08/19/15 ADDON-5004 pxGrid_Search.jar file is corrupt.
05/05/15 ADDON-3929 Action values are not CIM-compliant with Authentication data model.
04/01/15 ADDON-3560 Timestamp extraction behavior changes in this release, which impacts upgrades. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point.
11/24/14 ADDON-2380 Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
07/10/15 ADDON-2610/
SPL-86716
Setup fails on Windows in Splunk Web. Workaround: Set up workflow_actions.conf manually on Windows machines.

Third-party software attributions

Version 2.1.1 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.

Version 2.1.0

Migration

If you have any previous version of the Splunk Add-on for Cisco ISE currently installed, note that version 2.1.0 will not update or replace your current installation. Because the previous community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.

To migrate from any previous version to version 2.1.0:

  1. Download and install version 2.1.0 of the add-on
  2. Disable your previous version in Splunk Enterprise
  3. Enable version 2.1.0 of the add-on
  4. Create and adjust your local conf files as needed to match your old configurations
  5. Verify your configurations work as expected
  6. Delete the older version of the add-on

New features

Version 2.1.0 of the Splunk Add-on for Cisco ISE included the following new features:

Resolved date Issue number Description
11/24/14 ADDON-1181 Normalize data to CIM Authentication and Change Analysis data models.
11/24/14 ADDON-2186 pxGrid remediation support with custom command.
10/27/14 ADDON-2035 Workflow actions to support ISE remediation
10/03/14 ADDON-1819 Pre-built panels for Cisco ISE

Known issues

Version 2.1.0 of the Splunk Add-on for Cisco ISE had the following known issues.

Date Defect number Description
02/02/15 ADDON-2610 Setup fails on Windows in Splunk Web. Workaround: Set up workflow_actions.conf manually on Windows machines.
01/23/15 ADDON-3063 Authentication error received when invoking pxgremediate workflow (custom command). Workaround available from support.
12/09/14 ADDON-2610 Setup fails on Windows machines. Workaround: set up workflow_actions.conf manually.
11/24/14 ADDON-2380 Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
09/08/14 ADDON-1543 In multi-router installations, two different timestamps appear in Cisco ISE data, and the second one (after the IP address) is the correct one.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.

Last modified on 20 July, 2022
Release notes for the Splunk Add-on for Cisco ISE  

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters