Describe the bug
Log messages from ISE are frequently large (up to 8k) and in the ISE server "Logging Target" there are configuration settings to make sure that maximum message length should not exceed one frame. ISE splits the message into multi-part entries with tagging, i.e., part 1, part 2. When they arrive at the rsyslog collector running the AMA agent, the log collector forwards frame by frame to Log Analytics as individual messages, causing parsing errors in the Syslog table since each part is not a complete message.
To Reproduce
Configure ISE system with a remote logging target a VM running rsyslog
Configure target with a maximum message length of 1k
On the rsyslog VM configure AMA agent forwarding to Sentinel
Make sure ISE emits a log entry larger than 1k
Query Syslog table in Sentinel / LA for
Syslog
| where ProcessName has_any ("CSCO", "CISE")
Expected behavior
The Cisco ISE solution should come with guidelines on how to configure the flow to mitigate the deviation from the syslog RFC. Are there specific configurations that need to be done on the ISE server, the network stack or on the syslog forwarding server to handle jumbo messages?
Screenshots
Querying the same message in Log Analytics / Sentinel
Syslog
| where Facility == "local6"
| where EventTime == "2024-04-18T12:44:53Z"
Finding the same message parsed by CiscoISEEvent by looking at the TimeGenerated into the Syslog. There are no other identifying fields parsed.
CiscoISEEvent
| where TimeGenerated between (todatetime('2024-04-18T12:43:03Z') .. todatetime('2024-04-18T12:43:04Z'))
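The reassembly step the report asks for can be done on the rsyslog host before frames reach AMA. The following is an added example, not code from the issue or from the Azure Sentinel solution. It assumes the ISE segment layout used for illustration here: after the syslog header, each frame carries the message category, a 10-digit sequence number, the total segment count and the zero-based segment number, followed by the segment text. The class name `IseReassembler`, the helper `reassemble()` and the sample frames are all constructed for this example; check the header fields against the frames your own ISE version emits before relying on the regex.

```python
"""Reassemble Cisco ISE multi-segment syslog frames into one message.

Added example (not part of the issue or the Azure Sentinel project).
Assumed frame layout after the syslog header (verify against your ISE):
  <Category> <SequenceNumber> <TotalSegments> <SegmentNumber> <text>
SegmentNumber is counted from 0. Frames that do not match this layout
are passed through unchanged so no non-ISE log line is lost.
"""
import re
from collections import OrderedDict

# Assumed ISE segment header: priority, BSD timestamp, host, then the ISE fields.
ISE_SEGMENT = re.compile(
    r"^(?P<pri><\d+>)?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<category>CISE_\w+) (?P<seq>\d{10}) (?P<total>\d+) (?P<segment>\d+) "
    r"(?P<body>.*)$"
)


class IseReassembler:
    """Buffers segments keyed by (host, category, sequence number) and returns
    the complete message once the last missing segment arrives. Segments may
    arrive out of order; duplicates are ignored; memory is bounded by evicting
    the oldest incomplete sequence when max_pending is exceeded."""

    def __init__(self, max_pending=1000):
        self._pending = OrderedDict()  # key -> {"total", "parts", "head"}
        self.max_pending = max_pending
        self.dropped = 0  # incomplete sequences evicted to bound memory

    def pending_count(self):
        return len(self._pending)

    def feed(self, frame):
        """Feed one raw syslog frame. Returns a complete message (reassembled
        or pass-through) or None while a multi-part message is still open."""
        m = ISE_SEGMENT.match(frame)
        if not m:
            return frame  # not an ISE segment: forward untouched
        total, seg = int(m["total"]), int(m["segment"])
        if total <= 1 and seg == 0:
            return self._assemble(m, [m["body"]])  # single-part message
        if seg >= total:
            return frame  # inconsistent counters: forward rather than lose it
        key = (m["host"], m["category"], m["seq"])
        entry = self._pending.get(key)
        if entry is None:
            if len(self._pending) >= self.max_pending:
                self._pending.popitem(last=False)  # evict oldest open sequence
                self.dropped += 1
            entry = self._pending[key] = {"total": total, "parts": {}, "head": None}
        entry["parts"].setdefault(seg, m["body"])  # duplicate segments ignored
        if seg == 0:
            entry["head"] = m  # header of the first segment is reused for output
        if len(entry["parts"]) < entry["total"]:
            return None
        del self._pending[key]
        bodies = [entry["parts"][i] for i in range(entry["total"])]
        return self._assemble(entry["head"], bodies)

    @staticmethod
    def _assemble(m, bodies):
        # Emit header + category + sequence number + concatenated text; the
        # per-segment counters are dropped since the output is one message.
        pri = m["pri"] or ""
        return f"{pri}{m['ts']} {m['host']} {m['category']} {m['seq']} {''.join(bodies)}"


def reassemble(frames, **kwargs):
    """Run a list of frames through the reassembler and collect the output."""
    r = IseReassembler(**kwargs)
    out = []
    for f in frames:
        msg = r.feed(f)
        if msg is not None:
            out.append(msg)
    return out


# Constructed sample: one 3-segment message (segments arriving out of order),
# one single-segment message and one non-ISE line from the same host.
SAMPLE_FRAMES = [
    "<182>Apr 18 12:44:53 ise01 CISE_Passed_Authentications 0000000042 3 0 "
    "2024-04-18 12:44:53.101 +00:00 0000123456 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=101, ",
    "<182>Apr 18 12:44:53 ise01 CISE_Failed_Attempts 0000000043 1 0 "
    "2024-04-18 12:44:53.150 +00:00 0000123457 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=101, UserName=bob,",
    "<182>Apr 18 12:44:53 ise01 CISE_Passed_Authentications 0000000042 3 2 "
    "NetworkDeviceName=switch-01, Protocol=Radius, ",
    "<182>Apr 18 12:44:53 ise01 CISE_Passed_Authentications 0000000042 3 1 "
    "UserName=alice, NAS-IP-Address=10.0.0.5, ",
    "<13>Apr 18 12:44:54 ise01 sshd[1234]: Accepted publickey for admin from 10.0.0.9",
]

if __name__ == "__main__":
    for line in reassemble(SAMPLE_FRAMES):
        print(line)
```

Wired in as an rsyslog `omprog` action (or any stdin-to-stdout filter) in front of the AMA forwarding rule, the collector hands Log Analytics one record per ISE event instead of one per frame; the `dropped` counter is worth exporting, since a rising value means segments are being lost upstream (for example by UDP transport) rather than merely delayed.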
Hi @realolap, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 13-09-2024 date, we will be closing this issue.
Thanks!