This is what I use to parse those logs with Logstash. It would be nice if an equivalent ISE fileset were added to the CISCO module in Filebeat.
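filter {
    # Move the input's `host` value into an address field and mirror it as a name.
    # Note: in Logstash field-reference syntax "host.ip" is a single top-level key
    # that contains a dot (the nested form would be [host][ip]); later filters must
    # reference it by the same literal name, as the %{host.ip} sprintf below does.
    mutate {
        rename    => { "host" => "host.ip" }
        add_field => { "host.name" => "%{host.ip}" }
    }

    # Cisco ISE syslog. ISE splits one record over several syslog messages:
    # the first segment (log_line_sequence 0) carries the timestamp/severity
    # header, the following segments carry only the key=value continuation.
    # Every pattern is anchored with ^ so grok fails fast on non-ISE input
    # instead of scanning the whole message with DATA/GREEDYDATA backtracking.
    grok {
        match => { "message" => [
            #<181>Dec 20 15:11:30 bbbb CISE_Passed_Authentications 0000003579 7 0 2019-12-20 15:11:30.539 +00:00 0098113147 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=79, Device IP Address=10.2.80.103, DestinationIPAddress=10.1.128.144, DestinationPort=1812, UserName=DOMAIN\\AAA, Protocol=Radius, RequestLatency=12, NetworkDeviceName=XXXX, User-Name=XXX, NAS-IP-Address=10.2.80.103, NAS-Port=50148, Service-Type=Framed, Framed-IP-Address=10.2.10.63, Framed-MTU=1500, State=37CPMSessionID=0A0250670000411C24734840\;33SessionID=bbbb/364024023/9139809\;, Called-Station-ID=B4-A8-B9-FA-FE-30, Calling-Station-ID=28-00-A8-08-CD-00, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/48, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A0250670000411C24734840, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=10, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-1115-a80e-6753d45bf11c, IsThirdPartyDeviceFlow=false,
            "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence} %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})? %{ISO8601_TIMEZONE}? %{NUMBER:ise.log_number} %{NUMBER:ise.log_id} %{DATA:ise.log_severity} %{DATA:ise.log_id_description},%{GREEDYDATA:kvfields}",
            #<181>Dec 20 16:53:56 bbbb CISE_Passed_Authentications 0000003629 3 1 AcsSessionID=bbbb/364024023/9165172, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=VLAN_Thinclient, UseCase=Host Lookup, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=ThinClient, UserType=Host, CPMSessionID=0A0250690000229EBCD5C02B, EndPointMACAddress=D0-00-00-00-A2-0A, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown,
            "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence} %{GREEDYDATA:kvfields}"
        ] }
        add_tag => [ "cisco_ise" ]
        # Deliberately empty: a non-match is not an error here, it only means the
        # message is not from ISE and is routed to the generic branch below.
        tag_on_failure => [ ]
    }

    if "cisco_ise" in [tags] {
        kv {
            # `field_split` is a *set of single characters*, so ", " would split on
            # every space as well and break values such as "Internal Endpoints".
            # `field_split_pattern` is a regex: split on a comma plus any spaces,
            # which also absorbs the trailing "," ISE leaves at the end of a segment.
            field_split_pattern => ", *"
            # Only the first "=" separates key from value, so nested pairs such as
            # cisco-av-pair=method=dot1x keep "method=dot1x" as the value.
            value_split => "="
            # Drop the leading blank that follows the "," in the first segment.
            trim_key => " "
            source => "kvfields"
            # Keys are taken verbatim from the log line and become top-level event
            # fields; repeated keys (Step, cisco-av-pair, NetworkDeviceGroups)
            # become arrays. Set `target` if these must not collide with fields
            # set elsewhere in the pipeline.
            # remove_tag => ["cisco_ise"]
        }
        mutate {
            remove_field => ["kvfields"]
        }
    } else {
        # Everything that is not ISE: Cisco IOS syslog and NAS/WebDAV/CIFS events.
        grok {
            match => { "message" => [
                #<189>116006: Dec 5 17:26:09.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/6, changed state to up
                #<189>128327: Dec 12 09:00:31.541: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi2/0/6: PD removed (DDDADSW03-2)
                "^<%{POSINT:syslog_pri}>%{INT}: %{SYSLOGTIMESTAMP:syslog.timestamp}: %%{CISCO_REASON:cisco.facility}-%{INT:cisco.severity_level}-%{CISCO_REASON:cisco.facility_mnemonic}: %{GREEDYDATA:message}",
                #<14>Dec 5 18:25:26 ddddcrs01 Webdav Event: download, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 82.90 KB, User: DOMAIN\xxx, IP: 172.16.0.150
                #<14>Dec 12 12:02:00 ddddcrs01 Webdav Event: upload, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 643.10 KB, User: DOMAIN\xxx, IP: 172.16.0.150
                "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: %{WORD:action}, Path: (%{GREEDYDATA:path_src} -> %{GREEDYDATA:path_dst}|%{GREEDYDATA:path_dst}), File/Folder: %{WORD:path_type}(?:, Size: (NA|%{BASE10NUM:file_size} %{WORD:file_size_unit}))?(?:, User: (?:%{WORD:user.domain}\\)?%{USERNAME:user.name})?(?:, IP: %{IP:source.ip})?",
                #<14>Dec 12 10:01:03 ddddcrs01 Connection: User [DOMAIN\xxx] from [DDD0886(10.2.10.68)] via [CIFS(SMB2)] accessed shared folder [fff_share]
                "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{WORD:service}: User \[(%{IPORHOST:user.domain})?\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?\(%{IPORHOST:source.ip}\)\] via \[%{WORD:sharing.protocol_dialect}\(%{WORD:sharing.protocol}\)\] accessed shared folder \[%{DATA:sharing.target_folder}\]",
                #<12>Dec 20 15:38:04 ddddcrs01 Connection: User [DOMAIN\xxx] from [172.16.0.150] failed to log in via [WebDAV] due to authorization failure.
                "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: User \[(?:%{IPORHOST:user.domain})\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?%{IPORHOST:source.ip}\] failed to log in via \[(%{WORD:sharing.protocol_dialect})?\\?%{WORD:sharing.protocol}\] due to authorization failure"
            ] }
            # The IOS pattern captures the text after the mnemonic back into
            # `message`. Without `overwrite` grok appends to the existing field and
            # `message` becomes a two-element array (raw line + captured text).
            overwrite => [ "message" ]
        }
    }

    # Decode the numeric <PRI> captured above into facility/severity labels.
    syslog_pri {
        use_labels => true
    }
}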