Sourcetypes for the Splunk Add-on for Cisco ISE

Cisco ISE logs record information useful for auditing, fault management, and troubleshooting. The Splunk Add-on for Cisco ISE provides the index-time and search-time knowledge for Cisco ISE log events in the following formats:

Sourcetype        Description                                     CIM data models
cisco:ise:syslog  cisco-ise-system-statistics                     n/a
cisco:ise:syslog  cisco-ise-authentication                        Authentication
cisco:ise:syslog  cisco-ise-passed-authentication                 Authentication
cisco:ise:syslog  cisco-ise-failed-authentication                 Authentication
cisco:ise:syslog  cisco-ise-guest-authentication                  Authentication
cisco:ise:syslog  cisco-ise-guest-authentication-failed           n/a
cisco:ise:syslog  cisco-ise-profiler                              n/a
cisco:ise:syslog  cisco-ise-provision-succeeded                   n/a
cisco:ise:syslog  cisco-ise-provision-failed                      n/a
cisco:ise:syslog  cisco-ise-alarm                                 n/a
cisco:ise:syslog  cisco-ise-alert                                 Alerts
cisco:ise:syslog  cisco-ise-change                                n/a
cisco:ise:syslog  cisco-ise-endpoint-service                      Endpoint Service
cisco:ise:syslog  cisco-ise-traffic                               Network Traffic
cisco:ise:syslog  cisco-ise-change-all                            Change:All_Changes
cisco:ise:syslog  cisco-ise-change-account                        Change:Account_Management
cisco:ise:syslog  cisco-ise-inventory                             Inventory
cisco:ise:syslog  cisco-ise-guest-authentication-failed-attempts  Authentication

All of these event formats share the single source type cisco:ise:syslog.

If all the following conditions are true, the Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records as cisco:ise:syslog:

  • Your Splunk platform consumes syslog data either directly or through a syslog aggregator.
  • You configured your Cisco ISE devices to send syslog either directly to your Splunk platform instance or to your syslog aggregator.
  • The Cisco ISE records include sourcetype=syslog.

If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the sourcetype to cisco:ise:syslog at the input phase. For more information about configuring sourcetypes, see the Configure sourcetypes chapter in the Getting Data In manual, part of the Splunk Enterprise documentation.
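As an added example that is not part of the Splunk documentation or the add-on's own configuration, the following inputs.conf stanzas set the source type at the input phase for two common acquisition paths. The file path, port number and index name are constructed placeholders; substitute your own.

```ini
# inputs.conf on the forwarder or indexer that reads the ISE data
# (added example; not shipped with the Splunk Add-on for Cisco ISE)

# Case 1: a syslog aggregator writes ISE messages to local files.
# /var/log/cisco-ise/ is a constructed path.
[monitor:///var/log/cisco-ise/*.log]
sourcetype = cisco:ise:syslog
index = network_auth
disabled = false

# Case 2: ISE sends syslog straight to this instance on a dedicated port.
# 10514 is a constructed port; a dedicated port keeps ISE events from
# being mixed with other syslog sources on a shared input.
[udp://10514]
sourcetype = cisco:ise:syslog
index = network_auth
connection_host = ip
```

After restarting the input, a search such as `index=network_auth sourcetype=cisco:ise:syslog | stats count by source` confirms that events are arriving under the source type the add-on expects; events landing as plain syslog indicate the override was not applied at the input phase.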

Last modified on 04 August, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released
