Configure Cisco ISE to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ISE
To enable to Splunk Enterprise to receive data from your Cisco ISE remote system logging, complete these steps:
- Create a remote logging target.
- Add the target to the appropriate logging categories.
The following sections provide detailed configuration instructions.
For more information, see the Logging section of the Cisco ISE User Guide provided by Cisco.
Create remote logging target
- In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets.
- Click Add.
- Configure the following fields:
Field Value Description Name Splunk Target name, also used below in the category IP Address 188.8.131.52 (for example) IP address of the Splunk Enterprise system Port 515 (for example) Port that you are using on the Splunk Enterprise system or port configured for TCP or UDP input on Splunk Connect for Syslog (SC4S) or syslog aggregator (for example, rsyslog, syslog-ng) as a network input. Target Type UDP Best practice. NOT the default. Maximum Length 8192 Events will be broken if you use a smaller value.
- Tune all other fields at your discretion.
- Add the new port(s) in order to enable receiving logs into Splunk
- If the "Target Type" is TCP use Settings > Data Inputs > TCP > New Local TCP
- If the "Target Type" is UDP use Settings > Data Inputs > UDP > New Local UCP
- Click Save.
- Go to the Remote Logging Targets page and verify the creation of the new target.
Add the new target to your desired logging categories
- Choose Administration > System > Logging > Logging Categories.
- Click the radio button next to the category that you want to edit, then click Edit.
- Add the Splunk target that you created to the following categories. These are default log collection settings and can be tuned at your discretion:
- AAA Audit
- Failed Attempts
- Passed Authentications
- AAA Diagnostics
- RADIUS Accounting
- Administrative and Operational Audit
- Posture and Client Provisioning Audit
- Posture and Client Provisioning Diagnostics
- System Diagnostics
- System Statistics
- Click Save.
- Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.
Confirm your installation and setup
To confirm that events are showing up correctly, run the following search over the last 15 minutes:
If the search returns events from your ISE server, then you have successfully configured the add-on.
Install the Splunk Add-on for Cisco ISE
Upgrade the Splunk Add-on for Cisco ISE
This documentation applies to the following versions of Splunk® Supported Add-ons: released