How to parse a log in the “message” field (Cisco ISE)

How to parse this log in Logstash

Hey everyone, I am facing a problem with Logstash. I want to parse logs that are coming from Cisco ISE, but all the information I want is inside the message field:

I want to parse out fields like
NetworkDeviceName
User
Device IP Address
Etc …

Can someone help me?

Use a kv filter.


Can you guide me on how to use it? I tried this:

        filter {
            kv {
                source => "message"
                field_split => "\n"
                value_split => "="
            }
        }

But it didn't work for me.

You will need a kv like this:

        kv {
            source => "[message]"
            field_split => ", "
            value_split => "="
            target => "kv"
            whitespace => "strict"
        }

My recommendation is that you first isolate the KV part of the message using grok or dissect. In the example you shared, the KV part of the message starts at ConfigVersionId; unfortunately I cannot try to parse it because you didn't share the message as plain text.

Another thing is, you need to configure your Cisco ISE to use a message length of 8192 if it isn't already.

I recommend that you check how Elastic parses these messages in the Elastic Agent integration and try to replicate the filters in Logstash; most of them are pretty simple to replicate.

That is not a useful response. You need to tell us what you do not like about the results.

You could try kv { field_split_pattern => ", " }.

As @leandrojmp pointed out, first isolate the KV part.

Here is one of my configs for inspiration:

input {
  # events arrive from another pipeline via the pipeline-to-pipeline input
  pipeline {
    address => "pl-ise"
  }
}

# example data
# CISE_Passed_Authentications 0042561386 2 1  NetworkDeviceGroups=Location#All Locations#T-22#LSU1
# CISE_Passed_Authentications 0042561387 2 0 2023-05-08 22:44:59.153 +02:00 0633546920 5203 NOTICE Device-Administration: Session Authorization succeeded
# CISE_Passed_Authentications 0042561387 2 1  SelectedAuthenticationIdentityStores=Internal Users
# CISE_Passed_Authentications 0042561388 3 0 2023-05-08 22:44:59.213 +02:00 0633546942 5201 NOTICE Passed-Authentication: Authentication succeeded
# CISE_Passed_Authentications 0042561388 3 1  Step=24210
# CISE_Passed_Authentications 0042561388 3 2  IPSEC=IPSEC#Is IPSEC Device#No
# CISE_Passed_Authentications 0042561389 3 0 2023-05-08 22:44:59.274 +02:00 0633546954 5201 NOTICE Passed-Authentication: Authentication succeeded

filter {

  # split the ISE segment header (category, message id, segment count and
  # segment number) from the rest of the line, which holds the key=value data
  grok {
    match => { "message" => "%{NOTSPACE:CategoryName} %{NUMBER:MgsID} %{NUMBER:SeqTotal:int} %{INT:SegNumber:int} %{GREEDYDATA:kv_data}" }
  }

  # parse the key=value pairs; field_split is left at its default (whitespace),
  # trim_value strips angle brackets, square brackets and commas from values
  kv {
    source => "kv_data"
    trim_value => "<>\[\],"
    remove_field => "kv_data"
  }

  # monthly index name, kept in @metadata so it is not indexed with the event
  mutate {
      add_field => { "[@metadata][index]" => "ise-%{+YYYY.MM}" }
  }

}

output {
  # fan the parsed events out to both downstream pipelines
  pipeline {
      send_to => "pl-splunk-out"
  }
  pipeline {
      send_to => "pl-elastic-out"
  }
}
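To make the two pieces of advice in this thread concrete (isolate the segment header with grok, then split the key=value part on ", " rather than on whitespace or "\n"), here is a small Python model of that pipeline. It is an added example, not the config of anyone in the thread and not Logstash's own code. The sample lines are constructed after the example data above (the message id, device name, address and user are made up). The regex mirrors the grok pattern in the config above; the split on ", " and the trim characters mirror the kv filter settings suggested earlier. Two things go beyond what the configs on this page do and are assumptions of this example: a piece with no "=" after pairs have started is treated as part of the previous value (a value that itself contained ", "), and segments that share a message id are reassembled into one event using SeqTotal and SegNumber, with incomplete messages reported instead of emitted.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the example data in the thread.
# Only segment 0 carries the timestamp/header text; later segments continue
# the key=value list. Values and identifiers are made up.
SAMPLE_LINES = [
    "CISE_Passed_Authentications 0042561388 3 0 2023-05-08 22:44:59.213 +02:00 "
    "0633546942 5201 NOTICE Passed-Authentication: Authentication succeeded, "
    "ConfigVersionId=123, Device IP Address=192.0.2.10, "
    "NetworkDeviceName=sw-example-01, User Name=example.user,",
    "CISE_Passed_Authentications 0042561388 3 1  Step=24210, "
    "NetworkDeviceGroups=Location#All Locations#T-22#LSU1,",
    "CISE_Passed_Authentications 0042561388 3 2  IPSEC=IPSEC#Is IPSEC Device#No",
]

# Python equivalent of the grok pattern used in the config above.
HEADER_RE = re.compile(
    r"^(?P<CategoryName>\S+) (?P<MsgID>\d+) (?P<SeqTotal>\d+) "
    r"(?P<SegNumber>\d+) (?P<kv_data>.*)$"
)
# Same characters the kv filter's trim_value => "<>\[\]," strips from values.
TRIM_CHARS = "<>[],"


def split_kv(text):
    """Split the KV part on ', ' (keys and values may contain spaces and '#').

    Returns (prefix, fields). prefix is the non-KV text before the first
    key=value pair (timestamp, severity, message text on segment 0); on later
    segments it is empty.
    """
    fields, prefix, last_key = {}, [], None
    for part in text.strip().split(", "):
        if not part:
            continue
        key, eq, value = part.partition("=")
        if eq:
            last_key = key.strip()
            fields[last_key] = value.strip(TRIM_CHARS)
        elif last_key is None:
            prefix.append(part)
        else:
            # Assumption: a piece without '=' after pairs have started belongs
            # to the previous value, which contained ', ' itself.
            fields[last_key] += ", " + part.strip(TRIM_CHARS)
    return ", ".join(prefix), fields


def parse_line(line):
    """Parse one ISE syslog segment into its header fields plus its KV pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an ISE segment: " + line)
    seg = m.groupdict()
    seg["SeqTotal"] = int(seg["SeqTotal"])
    seg["SegNumber"] = int(seg["SegNumber"])
    seg["prefix"], seg["fields"] = split_kv(seg.pop("kv_data"))
    return seg


def reassemble(lines):
    """Merge the segments of each message id into one event.

    Returns (events, incomplete_msg_ids). A message is complete only when
    segments 0..SeqTotal-1 are all present; otherwise it is reported rather
    than emitted as a truncated event.
    """
    by_id = defaultdict(list)
    for line in lines:
        seg = parse_line(line)
        by_id[(seg["CategoryName"], seg["MsgID"])].append(seg)
    events, incomplete = [], []
    for (category, msg_id), segs in by_id.items():
        segs.sort(key=lambda s: s["SegNumber"])
        expected = segs[0]["SeqTotal"]
        if [s["SegNumber"] for s in segs] != list(range(expected)):
            incomplete.append(msg_id)
            continue
        event = {"CategoryName": category, "MsgID": msg_id,
                 "header": segs[0]["prefix"]}
        for s in segs:
            event.update(s["fields"])
        events.append(event)
    return events, incomplete


if __name__ == "__main__":
    done, missing = reassemble(SAMPLE_LINES)
    for ev in done:
        print(ev["MsgID"], ev["NetworkDeviceName"], ev["User Name"],
              ev["Device IP Address"])
    print("incomplete:", missing)
```

The "\n" split in the earlier attempt cannot work because each syslog line arrives as a single line; the pairs are delimited by ", ", and a whitespace split would cut values such as "Location#All Locations#T-22#LSU1" in two. In Logstash the equivalent of the reassembly step would need the aggregate filter keyed on the message id; the config above indexes each segment as its own event instead.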
