Ingest Logs from Cisco ISE to Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ingest Logs from Cisco ISE to Cortex XDR

L1 Bithead

Hi 

 

Anyone successfully ingest logs from Cisco ISE to Cortex XDR via syslog?

 

I've activated the syslog collector of broker VM for TCP514 and format set to auto detect, following this documentation, and configured the Cisco ISE to forward the logs to broker VM accordingly.

 

However, when I hover over the Syslog Collector link in the Apps field of the broker VM, the metrices of Syslog Collector is always 0 logs/s for logs received or logs sent, see screenshots for detail.

 

Any guidance if I missed anything?

Are there any methods to verify the syslog is ingesting to Cortex XDR properly?

 

Thanks.

 

weejh_0-1647926849547.png

 

2 accepted solutions

Accepted Solutions

L1 Bithead

Hi

Hi

 

Thanks for the update.

 

Yes, I need to confirm Cisco ISE syslog format, which I missed it earlier.

 

 

View solution in original post

Hi

 

Thanks for the update.

 

I believe the Cisco ISE syslog format may not be  CEF or LEEF formatted and need to create necessary parsing rules.

 

For broker vm is configured to listen to TCP514 and firewall enabled to allow broker vm IP with TCP514. 

View solution in original post

4 REPLIES 4

L3 Networker

Hi @weejh I suggest to by confirming the CISCO ISE Syslog format. Cortex XDR can receive Syslog from vendors that use CEF or LEEF formatted over Syslog (TLS not supported). You may reference the external data ingestion vendor support for additional details on log/data types and vendor support (E.g. custom external sources). 

L4 Transporter

In case that your Cisco is not sending CEF or LEEF, you could still parse the logs so that xdr will, so to say, "understand" them. 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/data-management/create-pars...
I would also check how are you sending them and how is broker vm listening to them. Meaning as WSeldenIII pointed (TLS is not supported), which port are you using ? standard 514 port for syslog ? tcp/udp (confirmed/unconfirmed). Check also that no Fw is dropping your traffic and that cisco can reach broker vm (network routes, etc...) 

L1 Bithead

Hi

Hi

 

Thanks for the update.

 

Yes, I need to confirm Cisco ISE syslog format, which I missed it earlier.

 

 

Hi

 

Thanks for the update.

 

I believe the Cisco ISE syslog format may not be  CEF or LEEF formatted and need to create necessary parsing rules.

 

For broker vm is configured to listen to TCP514 and firewall enabled to allow broker vm IP with TCP514. 

  • 2 accepted solutions
  • 4182 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!