Sourcetypes for the Splunk Add-on for Cisco ISE
Cisco ISE logs record information that is useful for auditing, fault management, and troubleshooting. The Splunk Add-on for Cisco ISE provides the index-time and search-time knowledge for Cisco ISE log events in the following formats:
Sourcetype | Description | CIM data models
---|---|---
cisco:ise:syslog | cisco-ise-system-statistics | n/a
cisco:ise:syslog | cisco-ise-authentication | Authentication
cisco:ise:syslog | cisco-ise-passed-authentication | Authentication
cisco:ise:syslog | cisco-ise-failed-authentication | Authentication
cisco:ise:syslog | cisco-ise-guest-authentication | Authentication
cisco:ise:syslog | cisco-ise-guest-authentication-failed | n/a
cisco:ise:syslog | cisco-ise-profiler | n/a
cisco:ise:syslog | cisco-ise-provision-succeeded | n/a
cisco:ise:syslog | cisco-ise-provision-failed | n/a
cisco:ise:syslog | cisco-ise-alarm | n/a
cisco:ise:syslog | cisco-ise-alert | Alerts
cisco:ise:syslog | cisco-ise-change | n/a
cisco:ise:syslog | cisco-ise-endpoint-service | Endpoint Service
cisco:ise:syslog | cisco-ise-traffic | Network Traffic
cisco:ise:syslog | cisco-ise-change-all | Change:All_Changes
cisco:ise:syslog | cisco-ise-change-account | Change:Account_Management
cisco:ise:syslog | cisco-ise-inventory | Inventory
cisco:ise:syslog | cisco-ise-guest-authentication-failed-attempts | Authentication
If all of the following conditions are true, the Splunk Add-on for Cisco ISE automatically sets the source type for Cisco ISE records to `cisco:ise:syslog`:

- Your Splunk platform consumes syslog data either directly or through a syslog aggregator.
- You configured your Cisco ISE devices to send logs either directly to your Splunk platform instance or as syslog to your aggregator.
- The Cisco ISE records include `sourcetype=syslog`.
If you have configured the Splunk platform to acquire your Cisco ISE log data in a different way, you should manually set the sourcetype to `cisco:ise:syslog` at the input phase. For more information about configuring sourcetypes, see the Configure sourcetypes chapter in the Getting Data In manual, part of the Splunk Enterprise documentation.
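The following `inputs.conf` stanzas are an added example of setting the sourcetype at the input phase, as the paragraph above describes; they are not part of the add-on or of the Splunk documentation. They cover the two ingestion paths the conditions above mention (ISE sending syslog directly to Splunk, and a syslog aggregator writing files that Splunk monitors). The port, file path, and index name are assumptions for illustration; the `sourcetype = cisco:ise:syslog` value is the one the add-on expects.

```ini
# Added example (not from the Splunk Add-on for Cisco ISE or its documentation).
# Place on the Splunk instance or heavy forwarder that receives Cisco ISE syslog.
# Forcing the sourcetype here means the add-on's field extractions and CIM
# mappings apply even when the events would not otherwise match the
# automatic sourcetype=syslog rule.

# Path 1: Cisco ISE nodes send syslog directly to Splunk over UDP 514 (assumed port).
[udp://514]
sourcetype = cisco:ise:syslog
index = network                  # assumed index name; use your own
connection_host = ip             # set host to the sending ISE node's IP address
no_appending_timestamp = true    # keep the original ISE message intact

# Path 2: a syslog aggregator writes ISE messages to per-host files (assumed path),
# for example /var/log/syslog-ng/cisco-ise/<ise-hostname>/messages.log
[monitor:///var/log/syslog-ng/cisco-ise/*/messages.log]
sourcetype = cisco:ise:syslog
index = network
host_segment = 5                 # 5th path segment is the ISE hostname directory

# Anti-pattern: leaving the generic sourcetype on a file monitor like the one
# above. Files do not carry sourcetype=syslog the way a syslog input does, so
# these events would stay as plain "syslog" and miss the add-on's knowledge.
# [monitor:///var/log/syslog-ng/cisco-ise/*/messages.log]
# sourcetype = syslog
```

After restarting the input layer, a search such as `index=network sourcetype=cisco:ise:syslog | stats count by source` (index name assumed as above) confirms the sourcetype took effect and shows which of the sources listed in the table are arriving; a `Description`-column name missing from the results usually means that ISE logging category is not being forwarded.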