Splunk® Supported Add-ons

Splunk Add-on for Cisco ISE


Configure Cisco ISE to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ISE

To enable Splunk Enterprise to receive data from your Cisco ISE remote system logging, complete these steps:

  1. Create a remote logging target.
  2. Add the target to the appropriate logging categories.

The following sections provide detailed configuration instructions.

For more information, see the Logging section of the Cisco ISE User Guide.

Create remote logging target

  1. In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets.
  2. Click Add.
  3. Configure the following fields:
    Field           Value                  Description
    Name            Splunk                 Target name; you select the target by this name when you edit the logging categories below.
    IP Address      1.1.1.2 (for example)  IP address of the Splunk Enterprise system.
    Port            514 (for example)      Port that you are using on the Splunk Enterprise system or syslog aggregator (for example, rsyslog or syslog-ng) as a network input.
    Target Type     UDP                    Best practice. NOT the default.
    Maximum Length  8192                   Events will be broken up if you use a smaller value.
    You can tune all other fields at your discretion.
  4. Click Save.
  5. Go to the Remote Logging Targets page and verify the creation of the new target.
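Before pointing ISE at the target, it helps to confirm that a UDP datagram of the full Maximum Length (8192 bytes) can reach the configured port intact, and to see what "broken" events look like when the receiving side accepts less. The following Python script is an added example, not part of this documentation or of the add-on: it sends one constructed syslog-style event of 8192 bytes and runs a loopback listener to receive it. The loopback address, the ephemeral port, and the placeholder message content are assumptions for the check; the payload does not reproduce Cisco ISE's real message layout, and a real run would point `send_test_event` at the IP address and port from the table and confirm the event in Splunk.

```python
import socket
from datetime import datetime, timezone
from typing import Optional

# The "Maximum Length" value from the remote logging target table.
MAX_LENGTH = 8192


def build_test_event(size: int) -> bytes:
    """Return a constructed RFC 3164-style syslog line padded to `size` bytes.

    The content is a placeholder (assumption for this check) and does not
    reproduce Cisco ISE's own message layout; it only has to be a datagram
    of the configured maximum length so we can see whether it arrives whole.
    """
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    header = f"<174>{ts} ise-test-host CISE_TEST_EVENT ".encode("ascii")
    if len(header) >= size:
        return header[:size]
    return header + b"x" * (size - len(header))


def send_test_event(host: str, port: int, payload: bytes) -> int:
    """Send one datagram to the Splunk (or syslog aggregator) UDP network input.

    In a real check, `host` and `port` are the IP Address and Port values
    from the table; confirm arrival with the sourcetype=cisco:ise:syslog search.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def loopback_check(max_length: int = MAX_LENGTH,
                   recv_bufsize: Optional[int] = None) -> dict:
    """Offline self-check: a local UDP listener receives one max-length event.

    `recv_bufsize` models the receiver's datagram buffer. When it is smaller
    than the event, the OS silently drops the excess bytes, which is the kind
    of breakage the Maximum Length note warns about.
    """
    bufsize = recv_bufsize or max_length
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        # Loopback and an ephemeral port are assumptions for the demo;
        # port 514 from the table would need root privileges.
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(5.0)
        host, port = listener.getsockname()
        sent = build_test_event(max_length)
        send_test_event(host, port, sent)
        received, _addr = listener.recvfrom(bufsize)
    return {"sent": len(sent), "received": len(received), "intact": received == sent}


if __name__ == "__main__":
    print(loopback_check())                   # full-size event arrives whole
    print(loopback_check(recv_bufsize=1024))  # undersized receiver breaks it
```

The Splunk UDP input (or the syslog aggregator in front of it) must be configured separately on the receiving side; this script only verifies that a full-length datagram can cross the path you intend to use.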

Add the new target to your desired logging categories

  1. Choose Administration > System > Logging > Logging Categories.
  2. Click the radio button next to the category that you want to edit, then click Edit.
  3. Add the Splunk target that you created to the following categories. These are default log collection settings and can be tuned at your discretion:
    • AAA Audit
    • Failed Attempts
    • Passed Authentications
    • AAA Diagnostics
    • Accounting
    • RADIUS Accounting
    • Administrative and Operational Audit
    • Posture and Client Provisioning Audit
    • Posture and Client Provisioning Diagnostics
    • MDM
    • Profiler
    • System Diagnostics
    • System Statistics
  4. Click Save.
  5. Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.

Confirm your installation and setup

To confirm that events are showing up correctly, run the following search over the last 15 minutes:

sourcetype=cisco:ise:syslog

If the search returns events from your ISE server, then you have successfully configured the add-on.

Last modified on 03 December, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released

