LSO : Syslog - Cisco ISE (Mapping Doc)

This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - Cisco ISE log source type. 

Vendor Documentation

Prerequisites

  • Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.

  • Enable the new MPE rules in the LogRhythm System Monitor:
      • Select log source type Syslog - Cisco ISE.
      • Enable log processing policy LogRhythm Default v2.0.
    For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.

Supported Log Messages

The following table lists the log message types supported in the current MPE rules, together with the event type each one is mapped to. Each log message type has its own page with detailed information on parsing changes and new log processing settings.

Log Message Type                                  Event Type
------------------------------------------------------------------------------------------
Accounting Messages                               Accounting Request Received
AD-Connector Messages                             General Active Directory Information
Administrative And Operational Audit              General Audit
Advanced License Problems                         License Error
Alarm Information                                 Alarm Event
Anomalous Behavior Detected                       Suspicious Activity
Catch All : Level 1                               General Information
Catch All : Level 2 - Passed Authentications      Authentication Activity
Catch All : Level 3 - CISE_Profiler               Suspicious Activity
Catch All : Level 3 - Passed Authentications      Authentication Activity
Catch All : Passed Authentications                Authentication Activity
Certificate And Authentication Messages           Certificate Revocation List Download Failure
Cisco Access Success                              General Access
Cisco AuthType                                    General Authentication Information
Cisco UPDOWN Message                              General Operations
CISE Failed Attempts Format 2                     Connection Attempt
CISE Posture And Client Provisioning Audit        General Auditing Message
CISE_Authentication_Flow_Diagnostics              Diagnostic Information
CISE_Posture_and_Client_Provisioning_Audit - 2    General Policy Compliance Information
Data Purge Audit                                  Database Maintenance
Data Purging Operations                           Database Maintenance
Devices Successfully Registered                   Device Registered
DOT1X FAIL                                        General Operations
EAP Authentication Information                    Authentication Activity
EAP Connection Timeout                            Connection Timeout
EPM POLICY                                        General Operations
Failed Attempts                                   General Action Failure
Failed Attempts AccessReject Message              Authentication Failure Activity
Failed Attempts Deny Access Message               Authentication Failure Activity
Failed Attempts Format: 1                         General Action Failure
Failed Attempts IPSEC                             General Action Failure
Guest Message                                     General POLICY Information
High Load Average                                 Overload On Total
Identity Stores Diagnostics                       Diagnostic Information
Last Message Repeated                             Last Message Repeated
Log Session Messages                              General Information-Only Event
MDM Server Connection Failure                     Server Not Responding
Messages Not Received                             Message Not Located
Misc Messages                                     General Information Log Message
Monitoring Data Purge Audit                       Service Monitoring
Passed Authentication Group Information           Group Membership Information
Passed Authentications                            Authentication Activity
Posture Check                                     General Policy Compliance Information
RADIUS Accounting                                 Accounting Request
Radius Accounting Start-Stop Request              Network Session Created
RADIUS Authentication Request Dropped             Authentication Failure Activity
Radius Authorization Policy Messages              RADIUS Access-Reject Received
RADIUS Diagnostics                                General RADIUS Message
SSL Error                                         General SSL Error
System Statistics                                 Performance Statistics
TACACS Diagnostics                                General TACACS Message
TACACS+ Accounting                                General TACACS Message
TIME SHIFT DETECTED                               System Time Information

Log Processing Policy Updates

This section details log processing policy updates made to AIE Rules, system reports, system investigations, system report templates, and system tails as part of LSO.

Updates to AIE Rules

  • No changes

Updates to System Reports

  • No changes

Updates to System Investigations

  • No changes

Updates to System Report Templates

  • No changes

Updates to System Tails

  • No changes