
Unable to handle large Cisco ISE log messages #10945

Open
realolap opened this issue Aug 8, 2024 · 6 comments

@realolap

realolap commented Aug 8, 2024

Describe the bug
Log messages from ISE are frequently large (up to 8k), and in the ISE server "Logging Target" there are configuration settings to make sure that the maximum message length does not exceed one frame. ISE splits the message into multi-part entries with tagging, i.e. part 1, part 2. When they arrive at the rsyslog collector running the AMA agent, the log collector forwards frame by frame to Log Analytics as individual messages, causing parsing errors in the Syslog table since each part is not a complete message.

To Reproduce
Configure ISE system with a remote logging target a VM running rsyslog
Configure target with a maximum message length of 1k
On the rsyslog VM configure AMA agent forwarding to Sentinel
Make sure ISE emits a log entry larger than 1k
Query Syslog table in Sentinel / LA for

Syslog
| where ProcessName has_any  ("CSCO", "CISE")

Expected behavior
The Cisco ISE solution should come with guidelines on how to configure the flow to mitigate the deviation from the syslog RFC. Are there specific configurations that need to be done on the ISE server, the network stack or on the syslog forwarding server to handle jumbo messages?

Screenshots
Querying the same message in Log Analytics / Sentinel

Syslog
| where Facility == "local6"
| where EventTime == "2024-04-18T12:44:53Z"


Finding the same message parsed by CiscoISEEvent by looking at the TimeGenerated into the Syslog. There are no other identifying fields parsed.

CiscoISEEvent
| where TimeGenerated between (todatetime('2024-04-18T12:43:03Z') .. todatetime('2024-04-18T12:43:04Z'))

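To make the multi-part problem concrete, here is an added illustration of what a reassembly step on the rsyslog host could look like; it is not code from the issue author or from the Sentinel Cisco ISE solution. It assumes (this is not stated in the issue) that ISE tags each frame, right after the CISE_* category name, with a sequence number, the total segment count and a zero-based segment index, and the sample frames are constructed. The script buffers segments per sequence number, emits one record once all segments have arrived, passes non-ISE lines through unchanged, and reports how many records are still incomplete so that a lost frame is visible rather than silently dropped.

```python
"""Reassemble multi-segment Cisco ISE syslog records before forwarding.

Added example for the issue above, not part of the Sentinel solution.
Assumed segment tag layout (hypothetical, not confirmed by the issue):
    <pri>Mon DD hh:mm:ss host CISE_<category> <seq:10 digits> <total> <index> <body>
"""
import re
import sys
from collections import defaultdict

# Constructed sample: one event split into two frames by a small logging-target
# limit, followed by a single-frame event. Field values are made up.
SAMPLE_FRAMES = [
    '<182>Apr 18 12:44:53 ise01 CISE_Passed_Authentications 0000000042 2 0 '
    '2024-04-18 12:44:53.123 +00:00 0000123456 5200 NOTICE Passed-Authentication: '
    'Authentication succeeded, Device IP Address=10.0.0.1, UserName=alice, NetworkDeviceName=',
    '<182>Apr 18 12:44:53 ise01 CISE_Passed_Authentications 0000000042 2 1 '
    'switch01, Protocol=Radius, AuthenticationMethod=PAP_ASCII,',
    '<182>Apr 18 12:44:54 ise01 CISE_Failed_Attempts 0000000043 1 0 '
    '2024-04-18 12:44:54.001 +00:00 0000123457 5400 NOTICE Failed-Attempt: '
    'Authentication failed, UserName=bob,',
]

SEGMENT_RE = re.compile(
    r'^(?P<prefix><\d+>\S+ +\d+ \d\d:\d\d:\d\d \S+ )'   # PRI, timestamp, host
    r'(?P<category>CISE_\w+) (?P<seq>\d{10}) (?P<total>\d+) (?P<index>\d+) '
    r'(?P<body>.*)$'
)


class IseReassembler:
    """Buffers segments per (category, sequence number) until all have arrived."""

    def __init__(self):
        # (category, seq) -> {segment index: (syslog prefix, body)}
        self._pending = defaultdict(dict)

    def feed(self, line):
        """Feed one frame.

        Returns the complete record once every segment is present, the line
        unchanged if it is not an ISE segment, or None while segments of this
        record are still outstanding.
        """
        line = line.rstrip('\n')
        m = SEGMENT_RE.match(line)
        if m is None:
            return line                      # not an ISE segment: pass through
        total, index = int(m['total']), int(m['index'])
        if index >= total:
            return line                      # malformed tag: never drop data
        key = (m['category'], m['seq'])
        parts = self._pending[key]
        parts[index] = (m['prefix'], m['body'])
        if len(parts) < total:
            return None                      # wait for the remaining frames
        del self._pending[key]
        prefix = parts[0][0]                 # header of the first segment
        body = ''.join(parts[i][1] for i in range(total))
        # Re-tag as a single segment so downstream parsers see one record.
        return f"{prefix}{m['category']} {m['seq']} 1 0 {body}"

    def pending(self):
        """Records still waiting for segments; a lost frame shows up here."""
        return len(self._pending)


def reassemble(lines):
    """Reassemble an iterable of frames; returns (records, incomplete_count)."""
    r = IseReassembler()
    records = [rec for rec in (r.feed(line) for line in lines) if rec is not None]
    return records, r.pending()


if __name__ == '__main__':
    # Stream mode (e.g. behind rsyslog's omprog): frames in on stdin, records out.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_FRAMES
    records, incomplete = reassemble(src)
    for rec in records:
        print(rec)
    if incomplete:
        print(f"# {incomplete} record(s) left incomplete", file=sys.stderr)
```

Run with no stdin to see the constructed sample reassembled; the two frames of sequence 0000000042 come out as one line with `NetworkDeviceName=switch01`, and the single-frame event is emitted unchanged. Segments arriving out of order are handled because the buffer is keyed by segment index, not arrival order.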

@v-sudkharat
Contributor

Hi @realolap, thanks for flagging this issue; we will investigate it and get back to you with some updates. Thanks!

@v-rusraut
Contributor

Hi @realolap,
Please run the query below and share the result with the email id: v-rusraut@microsoft.com.

Syslog
| where ProcessName has_any  ("CSCO", "CISE")

Thanks

@v-rusraut
Contributor

Hi @realolap, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 13-09-2024, we will be closing this issue.
Thanks!

@realolap
Author

Thanks for your feedback @v-rusraut. I will collect the data and get back to you.

@v-rusraut
Contributor

Hi @realolap,
We are waiting for your response.
Thanks

@v-rusraut
Contributor

Hi @realolap,
We are waiting for data.
