Channel: Questions in topic: "splunk-enterprise"

Splunk ISE add on - no sourcetype=cisco:ise:syslog

Hello Team,

I have installed Splunk Add-on for Cisco Identity Services and Splunk for Cisco Identity Services (ISE).

I do receive all syslogs from my ISE server and can see them with the search host=1.2.3.4, but I do not have the sourcetype sourcetype=cisco:ise:syslog. My syslogs from ISE are of the generic sourcetype=udp:514 (I have a lot of hosts sending udp/514 syslogs to Splunk). As a result my application/dashboard does not show any logs; I guess it's configured to search for "sourcetype=cisco:ise:syslog".

Question: Shouldn't the application ask me to configure that? How do I fix it without breaking what I currently have? Do I need to create that sourcetype manually? When going to sourcetypes I do not see it (the only sourcetype with the string "cisco" is for asa), but when trying to create "cisco:ise:syslog" I receive an error that the source type already exists. Why?

One more: I have clicked "Set up" for "Splunk Add-on for Cisco Identity Services", but all the settings on that page are for remediation and the pxgrid protocol, and I do not need that. I just clicked save. I hope that I am not forced to configure pxgrid to have a basic ISE dashboard working?

I have also checked: I can see multiple event types which are related to ISE, but I see only one search related to ISE: "Lookup - Locations". I guess that's not enough, is it? Why?

Thanks,
