Sourcetypes for the Splunk Add-on for Cisco ISE
The Cisco ISE logs record information useful for auditing, fault management, and troubleshooting. The Splunk Add-on for Cisco ISE provides the index-time and search-time knowledge for Cisco log events in the following format:
Sourcetype | Description | CIM data models |
---|---|---|
cisco:ise:syslog | cisco-ise-system-statistics | n/a |
cisco:ise:syslog | cisco-ise-authentication | Authentication |
cisco:ise:syslog | cisco-ise-passed-authentication | Authentication |
cisco:ise:syslog | cisco-ise-failed-authentication | Authentication |
cisco:ise:syslog | cisco-ise-guest-authentication | Authentication |
cisco:ise:syslog | cisco-ise-guest-authentication-failed | n/a |
cisco:ise:syslog | cisco-ise-profiler | n/a |
cisco:ise:syslog | cisco-ise-provision-succeeded | n/a |
cisco:ise:syslog | cisco-ise-provision-failed | n/a |
cisco:ise:syslog | cisco-ise-alarm | n/a |
cisco:ise:syslog | cisco-ise-alert | Alerts |
cisco:ise:syslog | cisco-ise-change | n/a |
cisco:ise:syslog | cisco-ise-endpoint-service | Endpoint Service |
cisco:ise:syslog | cisco-ise-traffic | Network Traffic |
cisco:ise:syslog | cisco-ise-change-all | Change:All_Changes |
cisco:ise:syslog | cisco-ise-change-account | Change:Account_Management |
cisco:ise:syslog | cisco-ise-inventory | Inventory |
cisco:ise:syslog | cisco-ise-guest-authentication-failed-attempts | Authentication |
If all the following conditions are true, the Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog:
- Your Splunk platform consumes syslog data either directly or through a syslog aggregator.
- You configured your Cisco ISE devices to send logs either directly to your Splunk platform instance or to your syslog aggregator.
- The Cisco ISE records include sourcetype=syslog.
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the sourcetype to cisco:ise:syslog at the input phase. For more information about configuring sourcetypes, see the Configure sourcetypes chapter in the Getting Data In manual, part of the Splunk Enterprise documentation.
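As an added illustration (not taken from the Splunk documentation), the inputs.conf fragment below sets the sourcetype explicitly at the input phase for two common collection paths. The file path, port number, and index name are assumptions chosen for the example and must be replaced with your own values.

```ini
# inputs.conf on the forwarder or indexer that first receives the data.
# All paths, ports, and index names below are hypothetical examples.

# Case 1: a syslog aggregator writes one file per ISE node, and Splunk
# monitors those files. Events read from files do not arrive with
# sourcetype=syslog, so the add-on's automatic assignment does not
# apply and the sourcetype is set here.
[monitor:///var/log/remote/ise/*/ise.log]
sourcetype = cisco:ise:syslog
# Assumed index name; create it or substitute your own.
index = netauth
# Take the host value from the 5th path segment (the per-node
# directory) so events are attributed to the ISE node, not the
# aggregator.
host_segment = 5
disabled = 0

# Case 2: a network input on a port dedicated to Cisco ISE. Only set
# the sourcetype here if nothing else sends to this port; otherwise
# unrelated syslog would be parsed as ISE events.
[udp://5514]
sourcetype = cisco:ise:syslog
index = netauth
# Record the sender's IP address as the host field.
connection_host = ip
disabled = 0
```

After restarting the input, confirm that new events carry sourcetype=cisco:ise:syslog before relying on the CIM-mapped event types in authentication or change searches.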
This documentation applies to the following versions of Splunk® Supported Add-ons: released