Syslog - Cisco ISE
Device Details
Device Name | Cisco ISE |
Vendor | Cisco |
Device Type | Identity and Access Control Policy Platform |
Supported Model Name/Number | N/A |
Supported Software Version | N/A |
Collection Method | Syslog |
Configurable Log Output | N/A |
Log Source Type | Syslog - Cisco ISE |
Log Processing Policy | LogRhythm Default V 2.0 |
Exceptions | N/A |
Additional Information | https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html |
Supported Log Messages
(List of LR tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
V 2.0 ACI Binding Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 AD Connector Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <domainorigin>, <sip> |
V 2.0 Admin And Operational Audit Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <version>, <status>, <sip>, <session>, <login>, <domainorigin>, <reason>, <objecttype>, <object>, <result>, <sport>, <sname>, <url>, <account> |
V 2.0 Admin Authentication And Authorization Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 Authentication Flow Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <dip>, <account>, <session>, <result>, <status> |
V 2.0 Distributed Management Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 External MDM Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <account>, <reason>, <dmac>, <status>, <session> |
V 2.0 Failed Attempts Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <sport>, <dip>, <dport>, <account>, <protnum>, <protname>, <status>, <session>, <reason>, <smac>, <dmac>, <snatip>, <dnatip> |
V 2.0 Guest Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <account>, <smac>, <sip> |
V 2.0 Identity Stores Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <domainorigin>, <login>, <session>, <result> |
V 2.0 Internal MDM Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 Internal Operations Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <version>, <result> |
V 2.0 Licensing Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 MDM Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 My Devices Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <login>, <smac>, <sip>, <group>, <sname>, <status>, <session> |
V 2.0 Passed Authentications Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <dip>, <dport>, <dnatip>, <login>, <sender>, <smac>, <command>, <protname>, <status>, <session>, <group>, <reason> |
V 2.0 Passive ID Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sname>, <sip>, <domainorigin>, <result> |
V 2.0 Policy Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <login>, <protname>, <session>, <policy>, <group>, <result> |
V 2.0 Posture & Client Provisioning Diagnostic Evt | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 Posture And Client Provisioning Audit Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <reason>, <dmac>, <url>, <account>, <session>, <dip> |
V 2.0 Profiler Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <smac>, <policy>, <dport>, <dip>, <result>, <account>, <status> |
V 2.0 RADIUS Accounting Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <domainimpacted>, <account>, <status>, <session> |
V 2.0 RADIUS Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <sport>, <dip>, <dport>, <domainimpacted>, <account>, <dnatip>, <status>, <session> |
V 2.0 System Statistics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
V 2.0 TACACS Accounting Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <command>, <objecttype>, <account>, <dip>, <object>, <status> |
V 2.0 TACACS Diagnostics Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action>, <sip>, <sport>, <objecttype>, <session>, <object>, <account>, <dport>, <dip>, <result>, <reason>, <status> |
V 2.0 Threat Centric NAC Event | N/A | <vendorinfo>, <vmid>, <tag1>, <severity>, <subject>, <action> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.664.0 | Syslog - Cisco ISE | New Log Source Optimization (LSO) policy: LogRhythm Default v2.0 | Optimized new log processing policy for Syslog - Cisco ISE |