This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Ingest Logs from Cisco ISE to Cortex XDR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Ingest Logs from Cisco ISE to Cortex XDR

Go to solution
weejh
L1 Bithead

‎03-21-2022 10:39 PM

Hi 

 

Anyone successfully ingest logs from Cisco ISE to Cortex XDR via syslog?

 

I've activated the syslog collector of broker VM for TCP514 and format set to auto detect, following this documentation, and configured the Cisco ISE to forward the logs to broker VM accordingly.

 

However, when I hover over the Syslog Collector link in the Apps field of the broker VM, the metrices of Syslog Collector is always 0 logs/s for logs received or logs sent, see screenshots for detail.

 

Any guidance if I missed anything?

Are there any methods to verify the syslog is ingesting to Cortex XDR properly?

 

Thanks.

 

weejh_0-1647926849547.png

 

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
weejh
L1 Bithead

‎03-23-2022 11:57 PM

Hi

Hi

 

Thanks for the update.

 

Yes, I need to confirm Cisco ISE syslog format, which I missed it earlier.

 

 

View solution in original post

0 Likes Likes

Go to solution
weejh
L1 Bithead
In response to eluis

‎03-24-2022 12:09 AM

Hi

 

Thanks for the update.

 

I believe the Cisco ISE syslog format may not be  CEF or LEEF formatted and need to create necessary parsing rules.

 

For broker vm is configured to listen to TCP514 and firewall enabled to allow broker vm IP with TCP514. 

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
WSeldenIII
L3 Networker

‎03-23-2022 01:55 PM

Hi @weejh I suggest to by confirming the CISCO ISE Syslog format. Cortex XDR can receive Syslog from vendors that use CEF or LEEF formatted over Syslog (TLS not supported). You may reference the external data ingestion vendor support for additional details on log/data types and vendor support (E.g. custom external sources). 

0 Likes Likes

Go to solution
eluis
L4 Transporter

‎03-23-2022 03:44 PM

In case that your Cisco is not sending CEF or LEEF, you could still parse the logs so that xdr will, so to say, "understand" them. 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-pars...
I would also check how are you sending them and how is broker vm listening to them. Meaning as WSeldenIII pointed (TLS is not supported), which port are you using ? standard 514 port for syslog ? tcp/udp (confirmed/unconfirmed). Check also that no Fw is dropping your traffic and that cisco can reach broker vm (network routes, etc...) 

0 Likes Likes

Go to solution
weejh
L1 Bithead

‎03-23-2022 11:57 PM

Hi

Hi

 

Thanks for the update.

 

Yes, I need to confirm Cisco ISE syslog format, which I missed it earlier.

 

 

0 Likes Likes

Go to solution
weejh
L1 Bithead
In response to eluis

‎03-24-2022 12:09 AM

Hi

 

Thanks for the update.

 

I believe the Cisco ISE syslog format may not be  CEF or LEEF formatted and need to create necessary parsing rules.

 

For broker vm is configured to listen to TCP514 and firewall enabled to allow broker vm IP with TCP514. 

0 Likes Likes
  • 2 accepted solutions
  • 3384 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks