diff --git a/packages/cisco_ise/_dev/build/docs/README.md b/packages/cisco_ise/_dev/build/docs/README.md
index 0f6918136f7..0d2e35021db 100644
--- a/packages/cisco_ise/_dev/build/docs/README.md
+++ b/packages/cisco_ise/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
 # Cisco ISE
 
-The Cisco ISE integration collects and parses data from Cisco ISE using TCP/UDP.
+The Cisco ISE ([More info](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html)) integration collects and parses data from Cisco ISE using TCP/UDP.
 
 ## Compatibility
 
@@ -25,6 +25,8 @@ This module has been tested against `Cisco ISE server version 3.1.0.518`.
 
 ## Logs
 
+Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html)
+
 ### log
 
 This is the `log` dataset.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log
index a3f4d7ab878..94f92a379a3 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log
@@ -10,3 +10,4 @@
 <179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,
 <179>Mar 14 05:59:30 cisco-ise-host CISE_AD_Connector 0000000032 1 0 2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,
 <182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
index 76b2e826140..dda9c53ca8d 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
@@ -31,8 +31,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000083161"
+ }
 }
 },
 "ecs": {
@@ -45,6 +44,7 @@
 ],
 "kind": "event",
 "original": "\u003c180\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083094 1 0 2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,",
+ "sequence": 83161,
 "timezone": "+00:00",
 "type": [
 "info",
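Review bot: The added `+<182>Mar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 …` line only exercises a timezone offset in the syslog header on a continuation segment (`2 1`), which carries no ISE body timestamp of its own. The first-segment events in the expected fixture appear to take `event.timezone` from the `+00:00` inside the message body, so the case where the header offset and the body offset disagree on a `1 0` line is not covered by this input, and that is the case most likely to shift `@timestamp` on real data. Consider adding a copy of an existing first-segment line (for example the `25046 ERROR` line above it) with an offset in the header as well, and documenting in the generated expectation which offset is meant to win.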
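Review bot: The `- "sequence_number": "0000083161"` / `+ "sequence": 83161,` pair in the `@@ -31,8 +31,7 @@` and `@@ -45,6 +44,7 @@` hunks shows `cisco_ise.log.sequence_number` being dropped in favour of a numeric `event.sequence`, which breaks any saved search, dashboard or detection rule that filters on the old field name or on its zero-padded string form. The same removal repeats in every later `segment`/`sequence_number` hunk of this fixture and of `test-pipeline-administrative-and-operational-audit.log-expected.json`. Nothing on this page shows a changelog entry or a field alias covering the rename; if it is intended, call it out as a breaking change (or keep the old name as an alias) so existing consumers are not silently left with empty results. The conversion to a long is otherwise sound, since the padded form stays available in `event.original`.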
@@ -63,6 +63,7 @@ } } }, + "message": "2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,", "related": { "hosts": [ "cisco-ise-host", @@ -102,8 +103,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000041292" + } } }, "ecs": { @@ -116,6 +116,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:43:05 isehost CISE_AD_Connector 0000041246 1 0 2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,", + "sequence": 41292, "timezone": "+00:00", "type": [ "info" @@ -133,6 +134,7 @@ } } }, + "message": "2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,", "related": { "hosts": [ "isehost" @@ -175,8 +177,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000041288" + } } }, "ecs": { @@ -189,6 +190,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:43:05 isehost CISE_AD_Connector 0000041242 1 0 2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\\, 81.2.69.1431.98, AD-Srv-Record=host.local\\, 89.160.20.156, AD-Srv-Record=host.local\\, 81.2.69.1431.94,", + "sequence": 41288, "timezone": "+00:00", "type": [ "info" 
@@ -206,6 +208,7 @@ } } }, + "message": "2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\\, 81.2.69.1431.98, AD-Srv-Record=host.local\\, 89.160.20.156, AD-Srv-Record=host.local\\, 81.2.69.1431.94,", "related": { "hosts": [ "isehost" @@ -243,8 +246,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083141" + } } }, "ecs": { @@ -257,6 +259,7 @@ ], "kind": "event", "original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083074 1 0 2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,", + "sequence": 83141, "timezone": "+00:00", "type": [ "info" @@ -274,6 +277,7 @@ } } }, + "message": "2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,", "related": { "hosts": [ "cisco-ise-host" @@ -308,8 +312,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083158" + } } }, "ecs": { @@ -322,6 +325,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083091 1 0 2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,", + "sequence": 83158, "timezone": "+00:00", "type": [ "info" 
@@ -339,6 +343,7 @@ } } }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,", "related": { "hosts": [ "cisco-ise-host" @@ -376,8 +381,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083142" + } } }, "ecs": { @@ -390,6 +394,7 @@ ], "kind": "event", "original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083075 1 0 2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,", + "sequence": 83142, "timezone": "+00:00", "type": [ "info", @@ -408,6 +413,7 @@ } } }, + "message": "2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,", "related": { "hosts": [ "cisco-ise-host" @@ -441,8 +447,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083160" + } } }, "ecs": { @@ -455,6 +460,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083093 1 0 2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,", + "sequence": 83160, "timezone": "+00:00", "type": [ "info" @@ -472,6 +478,7 @@ } } }, + "message": "2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,", "related": { "hosts": [ "cisco-ise-host", 
@@ -510,8 +517,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083159" + } } }, "ecs": { @@ -524,6 +530,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083092 1 0 2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,", + "sequence": 83159, "timezone": "+00:00", "type": [ "info" @@ -541,6 +548,7 @@ } } }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,", "related": { "hosts": [ "cisco-ise-host" @@ -577,8 +585,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083156" + } } }, "ecs": { @@ -591,6 +598,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 1 0 2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,", + "sequence": 83156, "timezone": "+00:00", "type": [ "info" @@ -608,6 +616,7 @@ } } }, + "message": "2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,", "related": { "hosts": [ "cisco-ise-host" @@ -639,8 +648,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083143" + } } }, "ecs": { 
@@ -653,6 +661,7 @@ ], "kind": "event", "original": "\u003c179\u003eMar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,", + "sequence": 83143, "timezone": "+00:00", "type": [ "info" @@ -670,6 +679,7 @@ } } }, + "message": "2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,", "related": { "hosts": [ "cisco-ise-host" @@ -703,8 +713,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000000122" + } } }, "ecs": { @@ -717,6 +726,7 @@ ], "kind": "event", "original": "\u003c179\u003eMar 14 05:59:30 cisco-ise-host CISE_AD_Connector 0000000032 1 0 2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,", + "sequence": 122, "timezone": "+00:00", "type": [ "info" @@ -734,6 +744,7 @@ } } }, + "message": "2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,", "related": { "hosts": [ "cisco-ise-host" 
@@ -783,6 +794,58 @@
 "priority": 182
 }
 },
+ "message": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,",
+ "related": {
+ "hosts": [
+ "cisco-ise-host"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-03-03T10:42:25.000+02:00",
+ "cisco_ise": {
+ "log": {
+ "ad": {
+ "domain": {
+ "controller": "host.local",
+ "name": "host.local"
+ },
+ "log_id": "1645676126/42",
+ "site": "Default-First-Site-Name"
+ },
+ "category": {
+ "name": "CISE_AD_Connector"
+ },
+ "log_details": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name",
+ "message": {
+ "id": "0000083089"
+ },
+ "segment": {
+ "number": 1,
+ "total": 2
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "kind": "event",
+ "original": "\u003c182\u003eMar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,",
+ "timezone": "+02:00"
+ },
+ "host": {
+ "hostname": "cisco-ise-host"
+ },
+ "log": {
+ "syslog": {
+ "priority": 182
+ }
+ },
+ "message": "AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,",
 "related": {
 "hosts": [
 "cisco-ise-host"
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
index c08dea85c06..1013eaa7b0a 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -26,8 +26,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000081864" + } } }, "client": { @@ -47,6 +46,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 06:43:59 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000081797 1 0 2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful,", + "sequence": 81864, "timezone": "+00:00", "type": [ "admin", @@ -65,6 +65,7 @@ } } }, + "message": "2022-03-03 06:43:59.935 +00:00 0000081864 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=1598, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=Administrator authentication successful,", "related": { "ip": [ "81.2.69.143" @@ -103,8 +104,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082342" + } } }, "client": { @@ -124,6 +124,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 08:25:58 81.2.69.143 CISE_Administrative_and_Operational_Audit 0000082275 1 0 2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out,", + "sequence": 82342, "timezone": "+00:00", "type": [ "admin", @@ -142,6 +143,7 @@ } } }, + "message": "2022-03-03 08:25:58.063 +00:00 0000082342 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=1615, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=AdminGUI_Session, AdminName=someadmin, OperationMessageText=User logged out,", "related": { "ip": [ "81.2.69.143" 
@@ -179,8 +181,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082249" + } } }, "client": { @@ -200,6 +201,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 08:06:28 isehost CISE_Administrative_and_Operational_Audit 0000082182 1 0 2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found,", + "sequence": 82249, "timezone": "+00:00", "type": [ "admin", @@ -218,6 +220,7 @@ } } }, + "message": "2022-03-03 08:06:28.020 +00:00 0000082249 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=1610, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=INVALID, OperationMessageText=User not found,", "related": { "hosts": [ "isehost" @@ -255,8 +258,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082452" + } } }, "client": { @@ -276,6 +278,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 08:46:56 isehost CISE_Administrative_and_Operational_Audit 0000082385 1 0 2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin,", + "sequence": 82452, "timezone": "+00:00", "type": [ "admin", @@ -294,6 +297,7 @@ } } }, + "message": "2022-03-03 08:46:56.310 +00:00 0000082452 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=1624, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=someadmin,", "related": { "hosts": [ "isehost" @@ -338,8 +342,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000040625" + } } }, "client": { 
@@ -359,6 +362,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 08:30:08 isehost CISE_Administrative_and_Operational_Audit 0000040579 1 0 2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA,", + "sequence": 40625, "timezone": "+00:00", "type": [ "creation", @@ -377,6 +381,7 @@ } } }, + "message": "2022-03-03 08:30:08.728 +00:00 0000040625 52000 NOTICE Configuration-Changes: Added configuration, ConfigVersionId=786, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Object created:\\,Port = 9005\\,IP Address = 10.0.14.137\\,Facility Code = LOCAL6\\,Length = 1024\\,Description = QA TCP Collector\\,Include Alarms = FALSE\\,status = ENABLED\\,Buffer Message = FALSE\\,Buffer Size = 100\\,Reconnect Timeout = 30\\,, ObjectType=UPSLogTarget, ObjectName=TCP Collector QA,", "related": { "hosts": [ "isehost" @@ -422,8 +427,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082545" + } } }, "client": { 
@@ -443,6 +447,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:05:16 isehost CISE_Administrative_and_Operational_Audit 0000082478 1 0 2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser,", + "sequence": 82545, "timezone": "+00:00", "type": [ "deletion", @@ -461,6 +466,7 @@ } } }, + "message": "2022-03-03 09:05:16.475 +00:00 0000082545 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1626, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminSession=ProfilerSession, AdminName=someadmin, ConfigChangeData=NACServer{ipAddress=10.0.14.121,name=someuser,username=someuserusername,password=*******,enable=false,description=}, ObjectType=NACServer, ObjectName=someuser,", "related": { "hosts": [ "isehost" @@ -509,8 +515,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083617" + } } }, "client": { @@ -530,6 +535,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 11:58:35 isehost CISE_Administrative_and_Operational_Audit 0000083550 1 0 2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d,", + "sequence": 83617, "timezone": "+00:00", "type": [ "deletion", 
@@ -548,6 +554,7 @@ } } }, + "message": "2022-03-03 11:58:35.811 +00:00 0000083617 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=1698, AdminInterface=GUI, AdminIPAddress=172.16.22.156, AdminName=admin, ConfigChangeData=object deleted: Name=test123, ObjectType=Network Access Users, ObjectName=test123, Component=Administration, ObjectInternalID=38bcf4bf-f61a-4028-8b69-ef94eceb2a8d,", "related": { "hosts": [ "isehost" @@ -596,8 +603,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000080306" + } } }, "ecs": { @@ -610,6 +616,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 01:04:02 isehost CISE_Administrative_and_Operational_Audit 0000080239 1 0 2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler},", + "sequence": 80306, "timezone": "+00:00", "type": [ "info", @@ -628,6 +635,7 @@ } } }, + "message": "2022-03-03 01:04:02.331 +00:00 0000080306 60067 NOTICE FeedService: Profiler Feed Service - automatic download intitiated, ConfigVersionId=1553, OperationMessageText={FeedServiceQueryFromTime=2022-02-22T00:22:00.653+00:00, FeedServicePort=8443, FeedServiceHost=ise.cisco.com, FeedServiceFeedVersion=1,2,3,4, FeedServiceQueryToTime=, FeedServiceFeed=Profiler},", "related": { "hosts": [ "isehost" @@ -656,8 +664,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000080307" + } } }, "ecs": { 
@@ -670,6 +677,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 01:04:06 isehost CISE_Administrative_and_Operational_Audit 0000080240 1 0 2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553,", + "sequence": 80307, "timezone": "+00:00", "type": [ "info" @@ -687,6 +695,7 @@ } } }, + "message": "2022-03-03 01:04:06.254 +00:00 0000080307 60070 NOTICE FeedService: Profiler Feed Service - No Profiles Downloaded, ConfigVersionId=1553,", "related": { "hosts": [ "isehost" @@ -730,8 +739,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082719" + } } }, "ecs": { @@ -745,6 +753,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:24:13 isehost CISE_Administrative_and_Operational_Audit 0000082652 1 0 2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "sequence": 82719, "timezone": "+00:00", "type": [ "info" @@ -763,6 +772,7 @@ } } }, + "message": "2022-03-03 09:24:13.263 +00:00 0000082719 60078 NOTICE MyDevices: MyDevices user has successfully authenticated, ConfigVersionId=1628, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", "related": { "hosts": [ "isehost", @@ -801,8 +811,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000080005" + } } }, "client": { 
@@ -821,6 +830,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 00:00:00 isehost CISE_Administrative_and_Operational_Audit 0000079938 1 0 2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system,", + "sequence": 80005, "timezone": "+00:00", "type": [ "info", @@ -839,6 +849,7 @@ } } }, + "message": "2022-03-03 00:00:00.478 +00:00 0000080005 60456 NOTICE System-Management: Started CRL/OCSP periodic certificate check, ConfigVersionId=1543, AdminIPAddress=10.0.9.204, AdminName=system,", "related": { "hosts": [ "isehost" @@ -882,8 +893,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000080013" + } } }, "client": { @@ -902,6 +912,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 00:01:01 isehost CISE_Administrative_and_Operational_Audit 0000079946 1 0 2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local,", + "sequence": 80013, "timezone": "+00:00", "type": [ "info" @@ -919,6 +930,7 @@ } } }, + "message": "2022-03-03 00:01:01.464 +00:00 0000080013 60461 NOTICE System-Management: Account disabled due to user level date expiry, ConfigVersionId=1545, AdminInterface=Internal, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, OperationMessageText=Account employee10 is disabled, AcsInstance=isehost.local,", "related": { "hosts": [ "isehost" @@ -962,8 +974,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000040810" + } } }, "client": { 
@@ -979,6 +990,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:06:23 isehost CISE_Administrative_and_Operational_Audit 0000040765 1 0 2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost,", + "sequence": 40810, "timezone": "+00:00", "type": [ "connection", @@ -998,6 +1010,7 @@ } } }, + "message": "2022-03-03 09:06:23.123 +00:00 0000040810 61025 NOTICE EAP-TLS: Open secure connection with TLS peer, ConfigVersionId=794, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection created from 10.0.9.204:42863 to 169.254.2.3:5671, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1038,8 +1051,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082565" + } } }, "client": { @@ -1055,6 +1067,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:08:33 isehost CISE_Administrative_and_Operational_Audit 0000082499 1 0 2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost,", + "sequence": 82565, "timezone": "+00:00", "type": [ "connection", @@ -1074,6 +1087,7 @@ } } }, + "message": "2022-03-03 09:08:33.981 +00:00 0000082565 61026 NOTICE EAP-TLS: Shutdown secure connection with TLS peer, ConfigVersionId=1626, AdminInterface=UNKNOWN, AdminIPAddress=10.0.9.204, , OperationMessageText=Connection closed from 10.0.9.204:53127 to 169.254.2.5:5671, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1120,8 +1134,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082733" + } } }, "ecs": { 
@@ -1135,6 +1148,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:25:05 isehost CISE_Administrative_and_Operational_Audit 0000082666 1 0 2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", + "sequence": 82733, "timezone": "+00:00", "type": [ "info" @@ -1153,6 +1167,7 @@ } } }, + "message": "2022-03-03 09:25:05.100 +00:00 0000082733 61077 NOTICE MyDevices: MyDevices has been successfully logged out, ConfigVersionId=1630, UserName=someuser, IpAddress=81.2.69.143, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=isehost.local, ResponseTime=35,", "related": { "hosts": [ "isehost", @@ -1216,8 +1231,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082373" + } } }, "client": { @@ -1237,6 +1251,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 08:31:21 isehost CISE_Administrative_and_Operational_Audit 0000082306 1 0 2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories \"Passed Authentications\" has been edited successfully.,", + "sequence": 82373, "timezone": "+00:00", "type": [ "change", 
@@ -1255,6 +1270,7 @@ } } }, + "message": "2022-03-03 08:31:21.075 +00:00 0000082373 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=1621, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=someadmin, ConfigChangeData=Object modified:\\, Log Severity Level = DEBUG\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe}, ObjectType=UPSCategory, ObjectName=AAA Diagnostics, OperationMessageText=LoggingCategories \"Passed Authentications\" has been edited successfully.,", "related": { "hosts": [ "isehost" @@ -1304,8 +1320,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000130069" + } } }, "ecs": { @@ -1319,6 +1334,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 10 11:04:19 isehost CISE_Administrative_and_Operational_Audit 0000130002 1 0 2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90, ", + "sequence": 130069, "timezone": "+00:00", "type": [ "info" @@ -1337,6 +1353,7 @@ } } }, + "message": "2022-03-10 11:04:19.271 +00:00 0000130069 60077 NOTICE MyDevices: MyDevices user authentication has failed, ConfigVersionId=3117, FailureReason=22040 Wrong password or invalid shared secret, UserName=test1123, IpAddress=172.16.17.255, AuthenticationIdentityStore=Internal Users, PortalName=test-mydevices, PsnHostName=isehost.local, ResponseTime=90,", "related": { "hosts": [ "isehost", @@ -1390,8 +1407,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000093246" + } } }, "client": { 
@@ -1411,6 +1427,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 11 07:20:28 isehost CISE_Administrative_and_Operational_Audit 0000093200 1 0 2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost, ", + "sequence": 93246, "timezone": "+00:00", "type": [ "info" @@ -1428,6 +1445,7 @@ } } }, + "message": "2022-03-11 07:20:28.019 +00:00 0000093246 58005 NOTICE Process-Management: ISE process was restarted by watchdog service, ConfigVersionId=1703, FailureFlag=true, RequestResponseType=final, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=Process: 'ISE Stunnel Service' started by ISE watchdog process, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1471,8 +1489,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000128381" + } } }, "client": { @@ -1491,6 +1508,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 10 05:25:13 isehost CISE_Administrative_and_Operational_Audit 0000128314 1 0 2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost, ", + "sequence": 128381, "timezone": "+00:00", "type": [ "info" 
@@ -1508,6 +1526,7 @@ } } }, + "message": "2022-03-10 05:25:13.944 +00:00 0000128381 60094 NOTICE System-Management: ISE Backup has completed successfully, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Operational backup test_bkp_op-OPS10-220310-0524.tar.gpg to repository test-new success, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1551,8 +1570,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000128378" + } } }, "client": { @@ -1571,6 +1589,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 10 05:24:16 isehost CISE_Administrative_and_Operational_Audit 0000128311 1 0 2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost, ", + "sequence": 128378, "timezone": "+00:00", "type": [ "info" @@ -1588,6 +1607,7 @@ } } }, + "message": "2022-03-10 05:24:16.414 +00:00 0000128378 60093 NOTICE System-Management: ISE Backup has started, ConfigVersionId=3068, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=Initiating opsbackup backup test_bkp_op-OPS10-220310-0524 to repository test-new, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1631,8 +1651,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083218" + } } }, "client": { 
@@ -1652,6 +1671,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 9 19:00:42 isehost CISE_Administrative_and_Operational_Audit 0000083172 1 0 2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost, ", + "sequence": 83218, "timezone": "+00:00", "type": [ "info" @@ -1669,6 +1689,7 @@ } } }, + "message": "2022-03-09 19:00:42.763 +00:00 0000083218 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=1537, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=system, OperationMessageText=DNS resolution failed for the hostname isehost.local against the currently configured name servers., AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1712,8 +1733,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000117031" + } } }, "ecs": { @@ -1727,6 +1747,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116964 1 0 2022-03-08 12:26:58.391 +00:00 0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost, ", + "sequence": 117031, "timezone": "+00:00", "type": [ "info" @@ -1744,6 +1765,7 @@ } } }, + "message": "2022-03-08 12:26:58.391 +00:00 0000117031 60188 NOTICE Administrator-Login: An attempted SSH connection has failed, ConfigVersionId=2726, AdminInterface=CLI, OperationMessageText=Received disconnect from 81.2.69.143 port 36953:11: disconnected by user, AcsInstance=isehost,", "related": { "hosts": [ "isehost" 
@@ -1781,8 +1803,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000117030" + } } }, "client": { @@ -1802,6 +1823,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 8 12:26:58 isehost CISE_Administrative_and_Operational_Audit 0000116963 1 0 2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, ", + "sequence": 117030, "timezone": "+00:00", "type": [ "user", @@ -1820,6 +1842,7 @@ } } }, + "message": "2022-03-08 12:26:58.390 +00:00 0000117030 60116 NOTICE Administrator-Login: A CLI user has logged out from SSH, ConfigVersionId=2726, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged out from CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -1863,8 +1886,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000116968" + } } }, "ecs": { @@ -1878,6 +1900,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116901 1 0 2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost, ", + "sequence": 116968, "timezone": "+00:00", "type": [ "user", @@ -1896,6 +1919,7 @@ } } }, + "message": "2022-03-08 12:15:32.654 +00:00 0000116968 60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Accepted password for admin from 81.2.69.143 port 36953 ssh2, AcsInstance=isehost,", "related": { "hosts": [ "isehost" 
@@ -1933,8 +1957,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000116969" + } } }, "client": { @@ -1954,6 +1977,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 8 12:15:32 isehost CISE_Administrative_and_Operational_Audit 0000116902 1 0 2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost, ", + "sequence": 116969, "timezone": "+00:00", "type": [ "user", @@ -1972,6 +1996,7 @@ } } }, + "message": "2022-03-08 12:15:32.654 +00:00 0000116969 60115 NOTICE Administrator-Login: A CLI user has logged in from SSH, ConfigVersionId=2718, AdminInterface=CLI, AdminIPAddress=81.2.69.143, AdminName=admin, OperationMessageText=User 'admin' logged in to CLI SSH session from SSH client IP: 81.2.69.143, AcsInstance=isehost,", "related": { "hosts": [ "isehost" @@ -2015,8 +2040,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000116963" + } } }, "ecs": { @@ -2030,6 +2054,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 8 12:14:39 isehost CISE_Administrative_and_Operational_Audit 0000116896 1 0 2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost, ", + "sequence": 116963, "timezone": "+00:00", "type": [ "user", @@ -2048,6 +2073,7 @@ } } }, + "message": "2022-03-08 12:14:39.376 +00:00 0000116963 60081 NOTICE Administrator-Login: A SSH CLI user has attempted unsuccessfully to login, ConfigVersionId=2718, AdminInterface=CLI, OperationMessageText=Failed password for root from 81.2.69.143 port 36661 ssh2, AcsInstance=isehost,", "related": { "hosts": [ "isehost" 
@@ -2101,6 +2127,7 @@ "priority": 181 } }, + "message": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=User logged out,", "related": { "hosts": [ "isehost" @@ -2160,6 +2187,7 @@ "priority": 181 } }, + "message": "AdminIPAddress=10.0.1.1, AdminSession=AdminGUI_Session, AdminName=admin, OperationMessageText=Administrator authentication successful,", "related": { "hosts": [ "isehost" @@ -2211,8 +2239,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000139953" + } } }, "client": { @@ -2232,6 +2259,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 11 22:52:25 isehost CISE_Administrative_and_Operational_Audit 0000049530 1 0 2022-03-11 22:52:25.650 +00:00 0000139953 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown, ", + "sequence": 139953, "timezone": "+00:00", "type": [ "change", @@ -2250,6 +2278,7 @@ } } }, + "message": "2022-03-11 22:52:25.650 +00:00 0000139953 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=3426, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ObjectType=Machine Authentication Settings, ObjectName=Machine Authentication Settings, Component=Administration, ObjectInternalID=unknown,", "related": { "hosts": [ "isehost" @@ -2318,8 +2347,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000000245" + } } }, "client": { 
@@ -2339,6 +2367,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 14 07:12:06 isehost CISE_Administrative_and_Operational_Audit 0000000155 1 0 2022-03-14 07:12:06.324 +00:00 0000000245 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=97, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System Statistics, OperationMessageText=LoggingCategories \"Administrative and Operational Audit\" has been edited successfully., ", + "sequence": 245, "timezone": "+00:00", "type": [ "change", @@ -2357,6 +2386,7 @@ } } }, + "message": "2022-03-14 07:12:06.324 +00:00 0000000245 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=97, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=Object modified:\\, Log Severity Level = INFO\\,Local Logging = enable\\,Assigned Targets = {LogCollector,LogCollector2,ProfilerRadiusProbe,TCP Collector KS1,TCP Collector QA,test_sec_log,Test_TCP,test_tcp,test_tcp2,test_udp,UDP Collector KS1,UDP Collector QA}, ObjectType=UPSCategory, ObjectName=System Statistics, OperationMessageText=LoggingCategories \"Administrative and Operational Audit\" has been edited successfully.,", "related": { "hosts": [ "isehost" @@ -2411,8 +2441,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000000402" + } } }, "client": { 
@@ -2432,6 +2461,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 14 09:43:33 isehost CISE_Administrative_and_Operational_Audit 0000000312 1 0 2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,", + "sequence": 402, "timezone": "+00:00", "type": [ "change", @@ -2450,6 +2480,7 @@ } } }, + "message": "2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,", "related": { "hosts": [ "isehost" @@ -2500,8 +2531,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000003033" + } } }, "client": { @@ -2521,6 +2551,7 @@ ], "kind": "event", "original": "\u003c149\u003eMar 20 12:13:30 isehost CISE_Administrative_and_Operational_Audit 0000002725 1 0 2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,", + "sequence": 3033, "timezone": "+00:00", "type": [ "change", 
@@ -2539,6 +2570,7 @@ } } }, + "message": "2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,", "related": { "hosts": [ "isehost" @@ -2584,8 +2616,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000001104" + } } }, "client": { @@ -2605,6 +2636,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 29 05:53:36 isehost CISE_Administrative_and_Operational_Audit 0000000931 1 0 2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,", + "sequence": 1104, "timezone": "+00:00", "type": [ "deletion", @@ -2623,6 +2655,7 @@ } } }, + "message": "2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,", "related": { "hosts": [ "isehost" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json index aa76514e24c..2cf9879d7be 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json 
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json @@ -47,7 +47,6 @@ "identity_stores": "All_AD_Join_Points" } }, - "sequence_number": "0000082695", "workflow": { "current_id": { "store_index": 2 @@ -73,6 +72,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082628 1 0 2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82695, "timezone": "+00:00", "type": [ "info" @@ -90,6 +90,7 @@ } } }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082695 22016 DEBUG Workflow: Identity sequence completed iterating the IDStores, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationIdentityStore=All_AD_Join_Points, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", "related": { "hosts": [ "isehost" @@ -154,7 +155,6 @@ "identity_stores": "Internal Users" } }, - "sequence_number": "0000082718", "workflow": { "current_id": { "store_index": 0 
@@ -181,6 +181,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082651 1 0 2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; },", + "sequence": 82718, "timezone": "+00:00", "type": [ "info" @@ -198,6 +199,7 @@ } } }, + "message": "2022-03-03 09:24:13.238 +00:00 0000082718 22037 DEBUG Workflow: Authentication Passed, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth20, Response={AuthenticationResult=Passed; },", "related": { "hosts": [ "isehost" @@ -259,7 +261,6 @@ "service": "AuthenticateUserAPI" } }, - "sequence_number": "0000082672", "workflow": { "current_id": { "store_index": 0 
@@ -286,6 +287,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082605 1 0 2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "sequence": 82672, "timezone": "+00:00", "type": [ "info" @@ -303,6 +305,7 @@ } } }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082672 22040 INFO Authentication: Wrong password or invalid shared secret, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", "related": { "hosts": [ "isehost" @@ -364,7 +367,6 @@ "service": "AuthenticateUserAPI" } }, - "sequence_number": "0000082696", "workflow": { "current_id": { "store_index": 2 
@@ -390,6 +392,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082629 1 0 2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82696, "timezone": "+00:00", "type": [ "info" @@ -407,6 +410,7 @@ } } }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082696 22056 DEBUG Workflow: Subject not found in the applicable identity store(s), ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", "related": { "hosts": [ "isehost" @@ -471,7 +475,6 @@ "identity_stores": "Internal Users" } }, - "sequence_number": "0000082673", "workflow": { "current_id": { "store_index": 0 
@@ -498,6 +501,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 09:22:51 isehost CISE_Authentication_Flow_Diagnostics 0000082606 1 0 2022-03-03 09:22:51.639 +00:00 0000082673 22057 INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", + "sequence": 82673, "timezone": "+00:00", "type": [ "info" @@ -515,6 +519,7 @@ } } }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082673 22057 INFO Workflow: The advanced option that is configured for a failed authentication request is used, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/110, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Users, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth18, Response={AuthenticationResult=Failed; },", "related": { "hosts": [ "isehost" @@ -576,7 +581,6 @@ "service": "AuthenticateUserAPI" } }, - "sequence_number": "0000082697", "workflow": { "current_id": { "store_index": 2 
@@ -602,6 +606,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082630 1 0 2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82697, "timezone": "+00:00", "type": [ "info" @@ -619,6 +624,7 @@ } } }, + "message": "2022-03-03 09:22:59.361 +00:00 0000082697 22058 INFO Workflow: The advanced option that is configured for an unknown user is used, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; },", "related": { "hosts": [ "isehost" @@ -688,7 +694,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000083482", "workflow": { "current_id": { "store_index": 0 
@@ -718,6 +723,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 11:37:34 isehost CISE_Authentication_Flow_Diagnostics 0000083415 1 0 2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; },", + "sequence": 83482, "timezone": "+00:00", "type": [ "info" @@ -735,6 +741,7 @@ } } }, + "message": "2022-03-03 11:37:34.928 +00:00 0000083482 22060 INFO Workflow: The 'Continue' advanced option is configured in case of a failed authentication request, ConfigVersionId=1696, DestinationIPAddress=10.0.9.204, UserName=92-09-00-00-00-01, NAS-IP-Address=10.0.14.108, Calling-Station-ID=92:09:00:00:00:01, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, WorkflowCurrentIDStoreIndex=0, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=Internal Endpoints, WorkflowIfUserNotFound=Continue, WorkflowIfProcessError=Drop, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; AuthenticationAction=Continue; },", "related": { "hosts": [ "isehost" 
@@ -801,7 +808,6 @@ "service": "AuthenticateUserAPI" } }, - "sequence_number": "0000082698", "workflow": { "current_id": { "store_index": 2 @@ -828,6 +834,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 09:22:59 isehost CISE_Authentication_Flow_Diagnostics 0000082631 1 0 2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; },", + "sequence": 82698, "timezone": "+00:00", "type": [ "info" @@ -845,6 +852,7 @@ } } }, + "message": "2022-03-03 09:22:59.361 +00:00 0000082698 22061 INFO Workflow: The 'Reject' advanced option is configured in case of a failed authentication request, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/112, AuthenticationMethod=PAP_ASCII, WorkflowCurrentIDStoreIndex=2, WorkflowSequenceType=AuthenticationSequence, CurrentIDStoreName=All_AD_Join_Points, WorkflowIfUserNotFound=Reject, WorkflowIfProcessError=Reject, WorkflowIfAuthenticationFailed=Reject, CPMSessionID=isehost:userauth19, Response={AuthenticationResult=UnknownUser; AuthenticationAction=Reject; },", "related": { "hosts": [ "isehost" @@ -900,7 +908,6 @@ "service": "AuthenticateUserAPI" } }, - "sequence_number": "0000082714", "workflow": { "sequence": { "type": "AuthenticationSequence" 
@@ -918,6 +925,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 09:24:13 isehost CISE_Authentication_Flow_Diagnostics 0000082647 1 0 2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20,", + "sequence": 82714, "timezone": "+00:00", "type": [ "info" @@ -935,6 +943,7 @@ } } }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082714 22072 INFO Authentication: Selected identity source sequence, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=isehost/435083133/115, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence, CPMSessionID=isehost:userauth20,", "related": { "hosts": [ "isehost" @@ -1005,6 +1014,7 @@ "priority": 182 } }, + "message": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, WorkflowSequenceType=AuthenticationSequence,", "related": { "hosts": [ "isehost" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json index 17474a792ca..34cf58927a0 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json @@ -61,7 +61,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000075201", "service": { "type": "Framed" }, 
@@ -94,6 +93,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 09:09:13 cisco-ise-host CISE_Failed_Attempts 0000075134 1 0 2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75201, "timezone": "+00:00", "type": [ "info", 
@@ -112,6 +112,7 @@ } } }, + "message": "2022-03-02 09:09:13.790 +00:00 0000075201 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=1364, Device IP Address=81.2.69.193, Device Port=42946, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/47, FailureReason=11036 The Message-Authenticator RADIUS attribute is invalid, Step=11001, Step=11017, Step=11036, Step=5405, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", "network": { "protocol": "radius" }, @@ -230,7 +231,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000075943", "step": [ "11001", "11017", 
@@ -278,6 +278,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 10:36:16 cisco-ise-host CISE_Failed_Attempts 0000075876 1 0 2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75943, "timezone": "+00:00", "type": 
[ "info", @@ -296,6 +297,7 @@ } } }, + "message": "2022-03-02 10:36:16.136 +00:00 0000075943 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=1381, RadiusPacketType=Drop, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testnac1, AcsSessionID=cisco-ise-host/435083133/80, SelectedAccessService=Default Network Access, RequestLatency=13, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5411, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testnac1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccO4H8LguCt/kv_SLnrKRbOFQs9/f7Zi_nxHt1lhFP1qc, EndPointMACAddress=00-00-00-00-00-01, ISEPolicySetName=Default, StepLatency=25=120001, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", "related": { "hosts": [ "cisco-ise-host" 
@@ -346,7 +348,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000076224", "step": "5418", "user": { "type": "NON_GUEST" @@ -363,6 +364,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 11:10:16 cisco-ise-host CISE_Failed_Attempts 0000076158 1 0 2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,", + "sequence": 76224, "timezone": "+00:00", "type": [ "info", @@ -381,6 +383,7 @@ } } }, + "message": "2022-03-02 11:10:16.634 +00:00 0000076224 5418 NOTICE Guest: Guest Authentication Failed, ConfigVersionId=1397, FailureReason=22056 Subject not found in the applicable identity store(s), UserType=NON_GUEST, UserName=INVALID, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=18, Step=5418,", "related": { "hosts": [ "cisco-ise-host" @@ -465,7 +468,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000075590", "service": { "type": "Framed" }, 
@@ -502,6 +504,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 09:56:00 cisco-ise-host CISE_Failed_Attempts 0000075523 1 0 2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", + "sequence": 75590, "timezone": "+00:00", "type": [ "info", 
@@ -520,6 +523,7 @@ } } }, + "message": "2022-03-02 09:56:00.597 +00:00 0000075590 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=1373, Device IP Address=81.2.69.193, Device Port=47053, DestinationIPAddress=81.2.69.145, DestinationPort=1812, Protocol=Radius, NetworkDeviceName=testDevice, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, AcsSessionID=cisco-ise-host/435083133/64, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5435, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, TotalFailedAttempts=11, TotalFailedTime=2806, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No,", "network": { "protocol": "radius" }, @@ -638,7 +642,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000075131", "step": [ "11001", "11017", 
@@ -687,6 +690,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 09:04:59 cisco-ise-host CISE_Failed_Attempts 0000000581 1 0 2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },", + "sequence": 75131, 
"timezone": "+00:00", "type": [ "info", @@ -705,6 +709,7 @@ } } }, + "message": "2022-03-02 09:04:59.136 +00:00 0000075131 5440 NOTICE RADIUS: Endpoint abandoned EAP session and started new, ConfigVersionId=1364, Device IP Address=81.2.69.193, DestinationIPAddress=81.2.69.145, UserName=testDevice1, AcsSessionID=cisco-ise-host/435083133/41, SelectedAccessService=Default Network Access, RequestLatency=16, FailureReason=12309 PEAP handshake failed, Step=11001, Step=11017, Step=11117, Step=15049, Step=15008, Step=11507, Step=12500, Step=11006, Step=11001, Step=11018, Step=12301, Step=12300, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12814, Step=12817, Step=12309, Step=12307, Step=12305, Step=11006, Step=5440, NetworkDeviceName=testDevice, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\", OpenSSLErrorStack= 140449742526208:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, User-Name=testDevice1, NAS-IP-Address=81.2.69.193, NAS-Port=1, Calling-Station-ID=00-23-DF-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=G0/25, CPMSessionID=0a0009ccoostm1inlLcfqsSLF7kj1Hc9FdzP6sk8dQsKOpPav_o, EndPointMACAddress=00-23-DF-00-00-01, ISEPolicySetName=Default, StepLatency=25=9051, TLSCipher=, TLSVersion=, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=Drop; },", "related": { "hosts": [ "cisco-ise-host" 
@@ -845,7 +850,6 @@ "identity_stores": "SCRAVEN" } }, - "sequence_number": "0000003928", "service": { "type": "Framed" }, 
@@ -1113,6 +1117,7 @@ ], "kind": "event", "original": "\u003c182\u003eApr 27 11:11:09 gg.hhh.iii.com CISE_Failed_Attempts 0000000169 1 0 2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, 
Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, 
Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }", + "sequence": 3928, "timezone": "+00:00", "type": [ "info" 
@@ -1130,6 +1135,7 @@ } } }, + "message": "2020-04-27 11:11:09.260369 +00:00 0000003928 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=93, Device IP Address=81.2.69.193, Device Port=16345, DestinationIPAddress=81.2.69.193, DestinationPort=1645, RadiusPacketType=AccessRequest, Protocol=Radius, RequestLatency=1, NetworkDeviceName=sw, User-Name=fernandGiancarl, NAS-IP-Address=81.2.69.193, NAS-Port=50115, Service-Type=Framed, Framed-IP-Address=81.2.69.193, Framed-MTU=1500, State=37CPMSessionID=0a222bc0000000d123e111f7\\;28SessionID=abc12/178657019/44\\;, Called-Station-ID=50-3D-E5-C4-05-8F, Calling-Station-ID=F0-DE-F1-94-65-9C, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/15, EAP-Key-Name=, acme-av-pair=service-type=Framed, acme-av-pair=audit-session-id=0a222bc0000000d123e111f7, UserName=fernandGiancarl, AcsSessionID=abc12/178657019/44, AuthenticationIdentityStore=, AuthenticationIdentityStore=AD1, AuthenticationMethod=x509_PKI, SelectedAccessService=EapChainining, UseCase=Eap Chaining, FailureReason=24492 Machine authentication against Active Directory has failed, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15004, Step=11507, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12149, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, 
Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24432, Step=24412, Step=22056, Step=22058, Step=22061, Step=12529, Step=11520, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12219, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12212, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12523, Step=12522, Step=12625, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12524, Step=12800, Step=12805, Step=12806, Step=12807, Step=12809, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=12571, Step=12571, Step=12811, Step=12812, Step=12813, Step=12804, Step=12801, Step=12802, Step=12816, Step=12509, Step=12527, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12526, Step=15041, Step=15006, Step=24433, Step=24492, Step=22059, Step=22062, Step=12117, Step=22028, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12109, Step=11504, Step=11003, 
SelectedAuthenticationIdentityStores=SCRAVEN, NetworkDeviceGroups=Location#All Locations#Wired_Lab, NetworkDeviceGroups=Device Type#All Device Types, ADDomain=lab4.com, EapTunnel=EAP-FAST, EapAuthentication=EAP-TLS, CPMSessionID=0a222bc0000000d123e111f7, EndPointMACAddress=XX:XX:45:XX:XX:XX, EapChainingResult=User and machine both failed, GroupsOrAttributesProcessFailure=true, ISEPolicySetName=Default, AllowedProtocolMatchedRule=Dot1X, IdentitySelectionMatchedRule=Default, Location=Location#All Locations#Wired_Lab, Device Type=Device Type#All Device Types, Response={RadiusPacketType=AccessReject; }", "network": { "protocol": "radius" }, @@ -1201,6 +1207,7 @@ "priority": 181 } }, + "message": "ConfigVersionId=1567, FailureReason=20977 Subject not found in the applicable identity store(s), UserType=NON_TEST, UserName=TEST_USER, IpAddress=89.160.20.112, PortalName=test-portal, ResponseTime=19, Step=5418,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json index 894b6967883..18bfbba6cef 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json @@ -39,7 +39,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000083382", "user": { "type": "NON_GUEST" } 
@@ -55,6 +54,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 11:20:37 cisco-ise-host CISE_Guest 0000083315 1 0 2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31,", + "sequence": 83382, "timezone": "+00:00", "type": [ "info" @@ -72,6 +72,7 @@ } } }, + "message": "2022-03-03 11:20:37.938 +00:00 0000083382 86005 INFO Guest: Guest user has accepted the Use Policy, ConfigVersionId=1694, UserType=NON_GUEST, UserName=test123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, GuestUserName=test123, ResponseTime=31,", "related": { "hosts": [ "cisco-ise-host" @@ -127,7 +128,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000083638", "user": { "type": "NON_GUEST" } @@ -143,6 +143,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 3 12:01:09 cisco-ise-host CISE_Guest 0000083571 1 0 2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15,", + "sequence": 83638, "timezone": "+00:00", "type": [ "info" 
@@ -160,6 +161,7 @@ } } }, + "message": "2022-03-03 12:01:09.743 +00:00 0000083638 86022 INFO Guest: Device Registration Web Authentication AUP Accepted, ConfigVersionId=1698, UserType=NON_GUEST, UserName=test1123, IpAddress=89.160.20.112, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=ise.host.local, ResponseTime=15,", "related": { "hosts": [ "cisco-ise-host" @@ -233,6 +235,7 @@ "priority": 182 } }, + "message": "AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.local, ResponseTime=41,", "related": { "hosts": [ "cisco-ise-host" @@ -282,6 +285,7 @@ "priority": 182 } }, + "message": "PortalName=Hotspot Guest Portal (default),", "related": { "hosts": [ "cisco-ise-host" @@ -334,6 +338,7 @@ "priority": 182 } }, + "message": "PortalName=Hotspot Guest Portal (default), FailureReason=86023 Device Registration Web Authentication AUP Declined,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json index d9ffa857976..c49605ace33 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json @@ -46,8 +46,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000083485" + } } }, "ecs": { 
@@ -61,6 +60,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083418 1 0 2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 83485, "timezone": "+00:00", "type": [ "info" @@ -78,6 +78,7 @@ } } }, + "message": "2022-03-03 11:37:34.933 +00:00 0000083485 24209 DEBUG Local-user-DB: Looking up Endpoint in Internal Endpoints IDStore, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", "network": { "protocol": "radius" }, @@ -136,8 +137,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082716" + } } }, "ecs": { @@ -150,6 +150,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082649 1 0 2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20,", + "sequence": 82716, "timezone": "+00:00", "type": [ "info", 
@@ -168,6 +169,7 @@ } } }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082716 24210 DEBUG Local-user-DB: Looking up User in Internal Users IDStore, ConfigVersionId=1628, UserName=test, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/115, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth20,", "related": { "hosts": [ "cisco-ise-host" @@ -229,8 +231,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082671" + } } }, "ecs": { @@ -243,6 +244,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:51 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082604 1 0 2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; },", + "sequence": 82671, "timezone": "+00:00", "type": [ "info", @@ -261,6 +263,7 @@ } } }, + "message": "2022-03-03 09:22:51.639 +00:00 0000082671 24212 DEBUG Local-user-DB: Found User in Internal Users IDStore, ConfigVersionId=1628, UserName=employee1, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/110, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth18, Firstname=Employee1, Lastname=Cisco1, EnableFlag=Enabled, Response={AuthenticationResult=NotPerformed; },", "related": { "hosts": [ "cisco-ise-host" @@ -324,8 +327,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082683" + } } }, "ecs": { 
@@ -338,6 +340,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082616 1 0 2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "sequence": 82683, "timezone": "+00:00", "type": [ "info", @@ -356,6 +359,7 @@ } } }, + "message": "2022-03-03 09:22:59.336 +00:00 0000082683 24216 DEBUG Local-user-DB: The user is not found in the internal users identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", "related": { "hosts": [ "cisco-ise-host" @@ -417,8 +421,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000083486" + } } }, "ecs": { 
@@ -432,6 +435,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083419 1 0 2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 83486, "timezone": "+00:00", "type": [ "info", @@ -450,6 +454,7 @@ } } }, + "message": "2022-03-03 11:37:34.936 +00:00 0000083486 24217 DEBUG Local-user-DB: The host is not found in the internal endpoints identity store, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", "network": { "protocol": "radius" }, @@ -487,8 +492,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082690" + } } }, "ecs": { @@ -502,6 +506,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082623 1 0 2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: Search for matching accounts at join point, AD-Log-Id=1645524126/33,", + "sequence": 82690, "timezone": "+00:00", "type": [ "info" @@ -519,6 +524,7 @@ } } }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082690 24313 DEBUG External-Active-Directory: Search for matching accounts at join point, AD-Log-Id=1645524126/33,", "related": { "hosts": [ "cisco-ise-host" 
@@ -547,8 +553,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082692" + } } }, "ecs": { @@ -562,6 +567,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082625 1 0 2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35,", + "sequence": 82692, "timezone": "+00:00", "type": [ "info" @@ -579,6 +585,7 @@ } } }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082692 24322 DEBUG External-Active-Directory: Identity resolution detected no matching account, AD-Log-Id=1645524126/35,", "related": { "hosts": [ "cisco-ise-host" @@ -607,8 +614,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082689" + } } }, "ecs": { @@ -622,6 +628,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082622 1 0 2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32,", + "sequence": 82689, "timezone": "+00:00", "type": [ "info" @@ -639,6 +646,7 @@ } } }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082689 24325 DEBUG External-Active-Directory: Resolving identity, AD-Log-Id=1645524126/32,", "related": { "hosts": [ "cisco-ise-host" @@ -667,8 +675,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082693" + } } }, "ecs": { @@ -682,6 +689,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082626 1 0 2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36,", + "sequence": 82693, "timezone": "+00:00", "type": [ "info", 
@@ -700,6 +708,7 @@ } } }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082693 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/36,", "related": { "hosts": [ "cisco-ise-host" @@ -728,8 +737,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082691" + } } }, "ecs": { @@ -742,6 +750,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082624 1 0 2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34,", + "sequence": 82691, "timezone": "+00:00", "type": [ "info" @@ -759,6 +768,7 @@ } } }, + "message": "2022-03-03 09:22:59.359 +00:00 0000082691 24366 DEBUG External-Active-Directory: Skipping unjoined domain, AD-Log-Id=1645524126/34,", "related": { "hosts": [ "cisco-ise-host" @@ -811,8 +821,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082694" + } } }, "ecs": { @@ -826,6 +835,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082627 1 0 2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82694, "timezone": "+00:00", "type": [ "info", 
@@ -844,6 +854,7 @@ } } }, + "message": "2022-03-03 09:22:59.360 +00:00 0000082694 24412 DEBUG External-Active-Directory: User not found in Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", "related": { "hosts": [ "cisco-ise-host" @@ -902,8 +913,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082688" + } } }, "ecs": { @@ -917,6 +927,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082621 1 0 2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; },", + "sequence": 82688, "timezone": "+00:00", "type": [ "info" @@ -934,6 +945,7 @@ } } }, + "message": "2022-03-03 09:22:59.357 +00:00 0000082688 24430 DEBUG External-Active-Directory: Authenticating user against Active Directory, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=All_AD_Join_Points, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=Failed; },", "related": { "hosts": [ "cisco-ise-host" @@ -992,8 +1004,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082685" + } } }, "ecs": { 
@@ -1006,6 +1017,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082618 1 0 2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", + "sequence": 82685, "timezone": "+00:00", "type": [ "info", @@ -1024,6 +1036,7 @@ } } }, + "message": "2022-03-03 09:22:59.337 +00:00 0000082685 24631 DEBUG Local-user-DB: Looking up User in Internal Guests IDStore, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; },", "related": { "hosts": [ "cisco-ise-host" @@ -1083,8 +1096,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082686" + } } }, "ecs": { @@ -1098,6 +1110,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:22:59 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000082619 1 0 2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", + "sequence": 82686, "timezone": "+00:00", "type": [ "info", 
@@ -1116,6 +1129,7 @@ } } }, + "message": "2022-03-03 09:22:59.356 +00:00 0000082686 24633 DEBUG Local-user-DB: The user is not found in the internal guests identity store, ConfigVersionId=1628, UserName=admin, SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/435083133/112, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Guest Users, CPMSessionID=cisco-ise-host:userauth19, Response={AuthenticationResult=UnknownUser; LdapOperationStatus=SubjectNotFound; },", "related": { "hosts": [ "cisco-ise-host" @@ -1177,8 +1191,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000083483" + } } }, "ecs": { @@ -1192,6 +1205,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000083416 1 0 2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", + "sequence": 83483, "timezone": "+00:00", "type": [ "info" 
@@ -1209,6 +1223,7 @@ } } }, + "message": "2022-03-03 11:37:34.931 +00:00 0000083483 24715 DEBUG External-Active-Directory: ISE has not confirmed locally previous successful machine authentication for user in Active Directory, ConfigVersionId=1696, UserName=92-09-00-00-00-01, Protocol=Radius, OriginalUserName=92-09-00-00-00-01, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={AuthenticationResult=UnknownUser; QueryResult=UnknownUser; },", "network": { "protocol": "radius" }, @@ -1246,8 +1261,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000129427" + } } }, "ecs": { @@ -1261,6 +1275,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 10 09:05:25 cisco-ise-host CISE_Identity_Stores_Diagnostics 0000129360 1 0 2022-03-10 09:05:25.669 +00:00 0000129427 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/103, ", + "sequence": 129427, "timezone": "+00:00", "type": [ "info", @@ -1279,6 +1294,7 @@ } } }, + "message": "2022-03-10 09:05:25.669 +00:00 0000129427 24352 DEBUG External-Active-Directory: Identity resolution failed, AD-Log-Id=1645524126/103,", "related": { "hosts": [ "cisco-ise-host" @@ -1341,6 +1357,7 @@ "priority": 183 } }, + "message": "SelectedAccessService=AuthenticateUserAPI, AcsSessionID=cisco-ise-host/437837646/2, AuthenticationMethod=PAP_ASCII, CurrentIDStoreName=Internal Users, CPMSessionID=cisco-ise-host:userauth2,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json index 87ae0beefd9..b2c56effc8b 100644 
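Review bot: The `message` added in the `@@ -1341,6 +1357,7 @@` hunk is a bare key=value fragment (`SelectedAccessService=AuthenticateUserAPI, ...`) with none of the `<timestamp> <sequence> <code> <severity> <category>:` prefix that every other new `message` in this file carries, and unlike those hunks it adds no `event.sequence`; the same shape appears in the last hunk of the internal-operations-diagnostics (`"message": "LoggerName=Test_TCP,"`), my-devices and passed-authentications fixtures. This looks like a continuation segment of a multi-part ISE syslog record that the pipeline leaves unjoined, so `message` and `event.sequence` are not uniform across documents of the same data stream (the `"segment": { "number": 0, "total": 1 }` object visible in the other hunks presumably distinguishes the cases — confirm against the field definitions). If that is the intended behavior, the README should state that segments are not reassembled and that alerting on `message` or `event.sequence` must also check the segment number; if it is not intended, the regenerated fixture is masking a pipeline gap rather than documenting it.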
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
@@ -21,8 +21,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000000945"
+ }
 }
 },
 "destination": {
@@ -38,6 +37,7 @@
 ],
 "kind": "event",
 "original": "\u003c180\u003eFeb 23 06:11:12 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000000890 1 0 2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP,",
+ "sequence": 945,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -55,6 +55,7 @@
 }
 }
 },
+ "message": "2022-02-23 06:11:12.793 +00:00 0000000945 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=240, DestinationPort=9025, LoggerName=Test_TCP,",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -82,8 +83,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000082642"
+ }
 }
 },
 "ecs": {
@@ -96,6 +96,7 @@
 ],
 "kind": "event",
 "original": "\u003c179\u003eMar 3 09:19:04 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000082575 1 0 2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the connection to NAC Manager, ConfigVersionId=1628,",
+ "sequence": 82642,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -113,6 +114,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:19:04.559 +00:00 0000082642 34120 ERROR Profiler: Profiler failed to get the connection to NAC Manager, ConfigVersionId=1628,",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -143,8 +145,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000040898"
+ }
 }
 },
 "destination": {
@@ -160,6 +161,7 @@
 ],
 "kind": "event",
 "original": "\u003c180\u003eMar 3 09:24:09 isehost CISE_Internal_Operations_Diagnostics 0000040852 1 0 2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,",
+ "sequence": 40898,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -177,6 +179,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:24:09.011 +00:00 0000040898 34126 WARN System-Management: Remote syslog target is unavailable, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,",
 "related": {
 "hosts": [
 "isehost"
@@ -207,8 +210,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000040903"
+ }
 }
 },
 "destination": {
@@ -224,6 +226,7 @@
 ],
 "kind": "event",
 "original": "\u003c180\u003eMar 3 09:24:39 isehost CISE_Internal_Operations_Diagnostics 0000040857 1 0 2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,",
+ "sequence": 40903,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -241,6 +244,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:24:39.014 +00:00 0000040903 34127 WARN System-Management: Remote syslog target connection resume, ConfigVersionId=795, DestinationPort=9005, LoggerName=TCP Collector QA,",
 "related": {
 "hosts": [
 "isehost"
@@ -274,8 +278,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000080006"
+ }
 }
 },
 "ecs": {
@@ -288,6 +291,7 @@
 ],
 "kind": "event",
 "original": "\u003c183\u003eMar 3 00:00:00 cisco-ise-host CISE_Internal_Operations_Diagnostics 0000079939 1 0 2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR,",
+ "sequence": 80006,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -305,6 +309,7 @@
 }
 }
 },
+ "message": "2022-03-03 00:00:00.480 +00:00 0000080006 32025 DEBUG Logging: Rolled over local storage file, ConfigVersionId=1543, LogFileName=/opt/CSCOcpm/logs/localStore//iseLocalStore.log.2022-03-02-00-00-00-478, LogErrorMessage=LOG_OK_NO_ERROR,",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -351,6 +356,7 @@
 "priority": 180
 }
 },
+ "message": "LoggerName=Test_TCP,",
 "related": {
 "hosts": [
 "cisco-ise-host"
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
index 0c1413129fb..b2bac19eec9 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
@@ -48,7 +48,6 @@
 "number": 0,
 "total": 1
 },
- "sequence_number": "0000082725",
 "static": {
 "assignment": false
 }
@@ -64,6 +63,7 @@
 ],
 "kind": "event",
 "original": "\u003c182\u003eMar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,",
+ "sequence": 82725,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -81,6 +81,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -147,7 +148,6 @@
 "number": 0,
 "total": 1
 },
- "sequence_number": "0000082723",
 "static": {
 "assignment": true
 }
@@ -163,6 +163,7 @@
 ],
 "kind": "event",
 "original": "\u003c182\u003eMar 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35",
+ "sequence": 82723,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -180,6 +181,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -227,8 +229,7 @@
 "segment": {
 "number": 0,
 "total": 1
- },
- "sequence_number": "0000082726"
+ }
 }
 },
 "ecs": {
@@ -241,6 +242,7 @@
 ],
 "kind": "event",
 "original": "\u003c179\u003eMar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,",
+ "sequence": 82726,
 "timezone": "+00:00",
 "type": [
 "info"
@@ -258,6 +260,7 @@
 }
 }
 },
+ "message": "2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,",
 "related": {
 "hosts": [
 "cisco-ise-host"
@@ -321,6 +324,7 @@
 "priority": 182
 }
 },
+ "message": "AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32,",
 "related": {
 "hosts": [
 "cisco-ise-host"
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
index 0074f4dcef4..74f833bf024 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json
@@ -151,7 +151,6 @@
 "profiles": "hotspot"
 }
 },
- "sequence_number": "0000083490",
 "service": {
 "type": "Call Check"
 },
@@ -207,6 +206,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 11:37:34 cisco-ise-host CISE_Passed_Authentications 0000083423 1 0 2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model 
Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; },", + "sequence": 83490, "timezone": "+00:00", "type": [ "info" 
@@ -224,6 +224,7 @@ } } }, + "message": "2022-03-03 11:37:34.978 +00:00 0000083490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=1696, Device IP Address=81.2.69.143, DestinationIPAddress=81.2.69.193, DestinationPort=1812, UserName=92-09-00-00-00-01, Protocol=Radius, NetworkDeviceName=Simulator, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=gigabitEthernet1/0/1, Airespace-Wlan-Id=3, OriginalUserName=92-09-00-00-00-01, MisconfiguredClientFixReason=Passed, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WirelessMAB, AcsSessionID=cisco-ise-host/435083133/126, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, UseCase=Host Lookup, RequestLatency=90, Step=11001, Step=11017, Step=11117, Step=11027, Step=15049, Step=15008, Step=15041, Step=15048, Step=15013, Step=24209, Step=24217, Step=22056, Step=22058, Step=22060, Step=24715, Step=15036, Step=24209, Step=24217, Step=15016, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=UnknownUser, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, EndPointMACAddress=92-09-00-00-00-01, PostureAssessmentStatus=Pending, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB, StepData=7= Normalised Radius.RadiusFlowType, StepData=8=Internal Endpoints, TotalAuthenLatency=90, ClientLatency=0, allowEasyWiredSession=false, DTLSSupport=Unknown, Model Name=Unknown, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device 
Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; LicenseTypes=1; },", "network": { "protocol": "radius" }, @@ -289,7 +290,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000077104", "step": "5231", "user": { "type": "NON_GUEST" @@ -306,6 +306,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 2 13:27:48 cisco-ise-host CISE_Passed_Authentications 0000077038 1 0 2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231,", + "sequence": 77104, "timezone": "+00:00", "type": [ "info" @@ -323,6 +324,7 @@ } } }, + "message": "2022-03-02 13:27:48.625 +00:00 0000077104 5231 NOTICE Guest: Guest Authentication Passed, ConfigVersionId=1459, AuthenticationMethod=PAP_ASCII, UserType=NON_GUEST, UserName=test, IpAddress=81.2.69.145, AuthenticationIdentityStore=Internal Users, PortalName=Self-Registered Guest Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=cisco-ise-host.local, GuestUserName=test, ResponseTime=21, Step=5231,", "related": { "hosts": [ "cisco-ise-host" @@ -430,7 +432,6 @@ "service": "NDAC_SGT_Service" } }, - "sequence_number": "0000001707", "step": [ "11001", "11017", 
@@ -459,6 +460,7 @@ ], "kind": "event", "original": "\u003c181\u003eFeb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; },", + "sequence": 1707, "timezone": "+00:00", "type": [ "info" 
@@ -476,6 +478,7 @@ } } }, + "message": "2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; },", "network": { "protocol": "radius" }, @@ -529,7 +532,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000082584", "step": "5239" } }, 
@@ -543,6 +545,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239,", + "sequence": 82584, "timezone": "+00:00", "type": [ "info" @@ -560,6 +563,7 @@ } } }, + "message": "2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239,", "related": { "hosts": [ "cisco-ise-host" @@ -618,6 +622,7 @@ "priority": 181 } }, + "message": "ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, MisconfiguredClientFixReason=Silent, Step=5234,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json index 9196cbd8016..5dc2a922e35 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json @@ -34,8 +34,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083474" + } } }, "client": { 
@@ -51,6 +50,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083407 1 0 2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83474, "timezone": "+00:00", "type": [ "info" @@ -68,6 +68,7 @@ } } }, + "message": "2022-03-03 11:37:34.891 +00:00 0000083474 15008 DEBUG Policy: Evaluating Service Selection Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", "network": { "protocol": "radius" }, @@ -130,8 +131,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082715" + } } }, "client": { @@ -147,6 +147,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082648 1 0 2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20,", + "sequence": 82715, "timezone": "+00:00", "type": [ "info" 
@@ -164,6 +165,7 @@ } } }, + "message": "2022-03-03 09:24:13.235 +00:00 0000082715 15013 DEBUG Policy: Selected Identity Source, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CurrentIDStoreName=Internal Users, CPMSessionID=isehost:userauth20,", "related": { "hosts": [ "cisco-ise-host" @@ -250,8 +252,7 @@ "authorization": { "profiles": "hotspot" } - }, - "sequence_number": "0000083487" + } } }, "client": { @@ -267,6 +268,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083420 1 0 2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "sequence": 83487, "timezone": "+00:00", "type": [ "info" 
@@ -284,6 +286,7 @@ } } }, + "message": "2022-03-03 11:37:34.958 +00:00 0000083487 15016 DEBUG Policy: Selected Authorization Profile, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=hotspot, IdentityPolicyMatchedRule=MAB, AuthorizationPolicyMatchedRule=Hotspot, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", "network": { "protocol": "radius" }, @@ -363,8 +366,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000083484" + } } }, "client": { @@ -380,6 +382,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083417 1 0 2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", + "sequence": 83484, "timezone": "+00:00", "type": [ "info" 
@@ -397,6 +400,7 @@ } } }, + "message": "2022-03-03 11:37:34.932 +00:00 0000083484 15036 DEBUG Policy: Evaluating Authorization Policy, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=RadiusAuthorizationPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, IdentityPolicyMatchedRule=MAB, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default, IdentitySelectionMatchedRule=MAB,", "network": { "protocol": "radius" }, @@ -456,8 +460,7 @@ "access": { "service": "AuthenticateUserAPI" } - }, - "sequence_number": "0000082713" + } } }, "client": { @@ -473,6 +476,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 09:24:13 cisco-ise-host CISE_Policy_Diagnostics 0000082646 1 0 2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20,", + "sequence": 82713, "timezone": "+00:00", "type": [ "info" @@ -490,6 +494,7 @@ } } }, + "message": "2022-03-03 09:24:13.233 +00:00 0000082713 15041 DEBUG Policy: Evaluating Identity Policy, ConfigVersionId=1628, Device IP Address=81.2.69.143, UserName=test, SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=isehost/435083133/115, CPMSessionID=isehost:userauth20,", "related": { "hosts": [ "cisco-ise-host" @@ -554,8 +559,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000083476" + } } }, "client": { 
@@ -571,6 +575,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083409 1 0 2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default,", + "sequence": 83476, "timezone": "+00:00", "type": [ "info" @@ -588,6 +593,7 @@ } } }, + "message": "2022-03-03 11:37:34.900 +00:00 0000083476 15048 DEBUG Policy: Queried PIP, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=IdentityPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, ISEPolicySetName=Default,", "network": { "protocol": "radius" }, @@ -645,8 +651,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000083473" + } } }, "client": { @@ -662,6 +667,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_Policy_Diagnostics 0000083406 1 0 2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83473, "timezone": "+00:00", "type": [ "info" 
@@ -679,6 +685,7 @@ } } }, + "message": "2022-03-03 11:37:34.890 +00:00 0000083473 15049 DEBUG Policy: Evaluating Policy Group, ConfigVersionId=1696, Device IP Address=81.2.69.143, UserName=92-09-00-00-00-01, Protocol=Radius, RequestReceivedTime=1646307454, PolicyType=ServiceSelectionPolicy, OriginalUserName=92-09-00-00-00-01, AcsSessionID=isehost/435083133/126, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", "network": { "protocol": "radius" }, @@ -757,6 +764,7 @@ "priority": 183 } }, + "message": "SelectedAccessService=AuthenticateUserAPI, PolicyType=IdentityPolicy, AcsSessionID=cisco-ise-host/437837646/2, CPMSessionID=cisco-ise-host:userauth2,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json index d00ea553225..9c067dc0e43 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json @@ -23,8 +23,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000004348" + } } }, "client": { @@ -42,6 +41,7 @@ ], "kind": "event", "original": "\u003c181\u003eFeb 26 22:15:22 cisco-ise-host CISE_Posture_and_Client_Provisioning_Audit 0000000959 1 0 2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.145, OperationStatus=RUNNING, AdminName=abc@abc.com.com,", + "sequence": 4348, "timezone": "+00:00", "type": [ "info" 
@@ -59,6 +59,7 @@ } } }, + "message": "2021-02-26 22:15:22.379 +00:00 0000004348 87751 NOTICE EPS: Endpoint Protection Service has obtained the result of an operation, ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.145, OperationStatus=RUNNING, AdminName=abc@abc.com.com,", "related": { "hosts": [ "cisco-ise-host" @@ -121,6 +122,7 @@ "priority": 181 } }, + "message": "ConfigVersionId=88, OperationID=ise.securitydemo.net:1, OperationType=CLEAR_POLICY_BY_IP:81.2.69.144, OperationStatus=RUNNING, AdminName=xyz@xyz.com.com,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json index bb5e2488329..8de554567bd 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json @@ -87,7 +87,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0091827141", "step": [ "11004", "11017", 
@@ -124,6 +123,7 @@ ], "kind": "event", "original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "sequence": 91827141, "timezone": "-08:00", "type": [ "info" 
@@ -141,6 +141,7 @@ } } }, + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", "related": { "hosts": [ "hijk.xyz.com" @@ -223,8 +224,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0096217580" + } } }, "client": { 
@@ -240,6 +240,7 @@ ], "kind": "event", "original": "\u003c182\u003eApr 27 11:18:08 tuv.w.xyz.com CISE_RADIUS_Accounting 0000142722 1 0 2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", + "sequence": 96217580, "timezone": "-08:00", "type": [ "info" @@ -257,6 +258,7 @@ } } }, + "message": "2020-04-27 11:18:08.144167 -08:00 0096217580 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=4, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", "related": { "hosts": [ "tuv.w.xyz.com" 
@@ -364,6 +366,7 @@ "priority": 182 } }, + "message": "ConfigVersionId=35, Device IP Address=81.2.69.144, RequestLatency=8, NetworkDeviceName=WNBU-WLC1, User-Name=businesskent, NAS-IP-Address=81.2.69.145, NAS-Port=17, Framed-IP-Address=89.160.20.112, Class=CACS:0a202506000193a252d04b55:tuv.w.xyz.com/176956368/1154568, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=5c-0a-5b-43-3f-79, NAS-Identifier=Cisco_fe:56:00, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=43000, Acct-Output-Octets=140998, Acct-Session-Id=0000AAAA/5c:0a:5b:43:3f:79/24927, Acct-Authentic=RADIUS, Acct-Session-Time=209, Acct-Input-Packets=471, Acct-Output-Packets=262, Acct-Terminate-Cause=User Request, undefined-52=", "related": { "hosts": [ "tuv.w.xyz.com" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json index 1d8ac6aa89d..0bed2cd3834 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json @@ -47,8 +47,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000076076" + } } }, "client": { 
@@ -69,6 +68,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076010 1 0 2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76076, "timezone": "+00:00", "type": [ "info" @@ -86,6 +86,7 @@ } } }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076076 11001 DEBUG RADIUS: Received RADIUS Access-Request, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -170,7 +171,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000083488", "usecase": "Host Lookup" } }, 
@@ -192,6 +192,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083421 1 0 2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; },", + "sequence": 83488, "timezone": "+00:00", "type": [ "info" 
@@ -209,6 +210,7 @@ } } }, + "message": "2022-03-03 11:37:34.978 +00:00 0000083488 11002 DEBUG RADIUS: Returned RADIUS Access-Accept, ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, SelectedAccessService=Default Network Access, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M, Response={RadiusPacketType=AccessAccept; AuthenticationResult=UnknownUser; Class=CACS:0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M:cisco-ise-host/435083133/126; cisco-av-pair=url-redirect-acl=REDIRECT; cisco-av-pair=url-redirect=https://cisco-ise-host.cdsys.local:8443/portal/gateway?sessionId=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M\u0026portal=77b653c9-924d-41a5-a5c3-1c40c4e7a5a7\u0026action=cwa\u0026type=drw\u0026token=65402552fb76ff96c08edaab722f880e; },", "related": { "hosts": [ "cisco-ise-host" @@ -255,8 +257,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000075881" + } } }, "client": { @@ -277,6 +278,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075815 1 0 2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79,", + "sequence": 75881, "timezone": "+00:00", "type": [ "info" 
@@ -294,6 +296,7 @@ } } }, + "message": "2022-03-02 10:30:25.393 +00:00 0000075881 11004 DEBUG RADIUS: Received RADIUS Accounting-Request, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, AcsSessionID=cisco-ise-host/435083133/79,", "related": { "hosts": [ "cisco-ise-host" @@ -364,8 +367,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000075887" + } } }, "client": { @@ -386,6 +388,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:30:25 cisco-ise-host CISE_RADIUS_Diagnostics 0000075821 1 0 2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo,", + "sequence": 75887, "timezone": "+00:00", "type": [ "info" @@ -403,6 +406,7 @@ } } }, + "message": "2022-03-02 10:30:25.398 +00:00 0000075887 11005 DEBUG RADIUS: Returned RADIUS Accounting-Response, ConfigVersionId=1381, Device IP Address=81.2.69.143, Device Port=47730, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusPacketType=AccountingRequest, RadiusIdentifier=6, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/79, SelectedAccessService=Default Network Access, CPMSessionID=0a0009cc/2Fl2YA6dnR0d0WayxawhKg5MlkqPkPBGJbhvXrvHlo,", "related": { "hosts": [ "cisco-ise-host" 
@@ -482,7 +486,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076087", "session": { "timeout": 30 }, @@ -507,6 +510,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076021 1 0 2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; },", + "sequence": 76087, "timezone": "+00:00", "type": [ "info" 
@@ -524,6 +528,7 @@ } } }, + "message": "2022-03-02 10:54:40.278 +00:00 0000076087 11006 DEBUG RADIUS: Returned RADIUS Access-Challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc, Response={RadiusPacketType=AccessChallenge; },", "related": { "hosts": [ "cisco-ise-host" @@ -588,8 +593,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000004680" + } } }, "client": { 
@@ -610,6 +614,7 @@ ], "kind": "event", "original": "\u003c180\u003eFeb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004585 1 0 2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3,", + "sequence": 4680, "timezone": "+00:00", "type": [ "info" @@ -627,6 +632,7 @@ } } }, + "message": "2021-03-16 09:29:43.770 +00:00 0000004680 11015 WARN RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=53985, DestinationIPAddress=81.2.69.144, DestinationPort=0073, RadiusIdentifier=13, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=89:aa:11:00:00:01, Acct-Status-Type=Stop, Acct-Session-Id=11000001, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/405244497/3,", "related": { "hosts": [ "cisco-ise-host" @@ -666,8 +672,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000076064" + } } }, "client": { @@ -688,6 +693,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075998 1 0 2022-03-02 10:54:40.194 +00:00 0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83,", + "sequence": 76064, "timezone": "+00:00", "type": [ "info" 
@@ -705,6 +711,7 @@ } } }, + "message": "2022-03-02 10:54:40.194 +00:00 0000076064 11017 DEBUG RADIUS: RADIUS created a new session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83,", "related": { "hosts": [ "cisco-ise-host" @@ -765,8 +772,7 @@ "access": { "service": "Default Network Access" } - }, - "sequence_number": "0000076077" + } } }, "client": { @@ -787,6 +793,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076011 1 0 2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76077, "timezone": "+00:00", "type": [ "info" @@ -804,6 +811,7 @@ } } }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076077 11018 DEBUG RADIUS: RADIUS is re-using an existing session, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -874,7 +882,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000083472", "usecase": "Host Lookup" } }, 
@@ -896,6 +903,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 3 11:37:34 cisco-ise-host CISE_RADIUS_Diagnostics 0000083405 1 0 2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", + "sequence": 83472, "timezone": "+00:00", "type": [ "info" @@ -913,6 +921,7 @@ } } }, + "message": "2022-03-03 11:37:34.890 +00:00 0000083472 11027 DEBUG RADIUS: Detected Host Lookup UseCase (Service-Type = Call Check (10)), ConfigVersionId=1696, Device IP Address=81.2.69.143, Device Port=35123, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=92-09-00-00-00-01, NAS-IP-Address=81.2.69.143, NAS-Port=86, Service-Type=Call Check, Calling-Station-ID=92:09:00:00:00:01, NAS-Port-Type=Wireless - IEEE 802.11, Airespace-Wlan-Id=3, AcsSessionID=cisco-ise-host/435083133/126, UseCase=Host Lookup, CPMSessionID=0a0009ccdD2BsLZMkW8ZRUAE/sDVf78pplxJC0wv2VwZR6N070M,", "related": { "hosts": [ "cisco-ise-host" @@ -971,7 +980,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000082851", "session": { "timeout": 30 } 
@@ -995,6 +1003,7 @@ ], "kind": "event", "original": "\u003c180\u003eMar 3 09:40:42 cisco-ise-host CISE_RADIUS_Diagnostics 0000082784 1 0 2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120,", + "sequence": 82851, "timezone": "+00:00", "type": [ "info" @@ -1012,6 +1021,7 @@ } } }, + "message": "2022-03-03 09:40:42.552 +00:00 0000082851 11036 WARN RADIUS: The Message-Authenticator RADIUS attribute is invalid, ConfigVersionId=1655, Device IP Address=81.2.69.143, Device Port=35893, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusIdentifier=2, User-Name=testDevice1, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/120,", "related": { "hosts": [ "cisco-ise-host" @@ -1076,8 +1086,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082619" + } } }, "client": { 
@@ -1098,6 +1107,7 @@ ], "kind": "event", "original": "\u003c180\u003eMar 3 09:14:59 cisco-ise-host CISE_RADIUS_Diagnostics 0000082552 1 0 2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107,", + "sequence": 82619, "timezone": "+00:00", "type": [ "info" @@ -1115,6 +1125,7 @@ } } }, + "message": "2022-03-03 09:14:59.500 +00:00 0000082619 11038 WARN RADIUS: RADIUS Accounting-Request header contains invalid Authenticator field, ConfigVersionId=1626, Device IP Address=81.2.69.143, Device Port=51906, DestinationIPAddress=81.2.69.144, DestinationPort=1813, RadiusIdentifier=4, NAS-Port=86, Service-Type=Framed, Calling-Station-ID=00-00-00-00-00-01, Acct-Status-Type=Stop, Acct-Session-Id=00-00-01, NAS-Port-Type=Ethernet, AcsSessionID=cisco-ise-host/435083133/107,", "related": { "hosts": [ "cisco-ise-host" @@ -1172,7 +1183,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000076065", "session": { "timeout": 30 } 
@@ -1196,6 +1206,7 @@ ], "kind": "event", "original": "\u003c183\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000075999 1 0 2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83,", + "sequence": 76065, "timezone": "+00:00", "type": [ "info", @@ -1214,6 +1225,7 @@ } } }, + "message": "2022-03-02 10:54:40.195 +00:00 0000076065 11117 DEBUG RADIUS: Generated a new session ID, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83,", "related": { "hosts": [ "cisco-ise-host" @@ -1287,7 +1299,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076068", "session": { "timeout": 30 } 
@@ -1311,6 +1322,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076002 1 0 2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76068, "timezone": "+00:00", "type": [ "info" @@ -1328,6 +1340,7 @@ } } }, + "message": "2022-03-02 10:54:40.197 +00:00 0000076068 11507 INFO EAP: Extracted EAP-Response/Identity, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -1409,7 +1422,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000004648", "session": { "timeout": 30 }, 
@@ -1434,6 +1446,7 @@ ], "kind": "event", "original": "\u003c182\u003eFeb 16 09:29:43 cisco-ise-host CISE_RADIUS_Diagnostics 0000004570 1 0 2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; },", + "sequence": 4648, "timezone": "+00:00", "type": [ "info", 
@@ -1452,6 +1465,7 @@ } } }, + "message": "2021-03-16 09:29:43.648 +00:00 0000004648 11823 INFO EAP: EAP-MSCHAP authentication attempt failed, ConfigVersionId=104, Device IP Address=81.2.69.144, Device Port=56430, DestinationIPAddress=81.2.69.144, DestinationPort=0072, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=employee1, NAS-IP-Address=81.2.69.144, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4\\;36SessionID=cisco-ise-host/405244497/1\\;, Session-Timeout=30, Calling-Station-ID=89-AA-11-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/405244497/1, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\\, Retry is allowed, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0aa00002g0yr2CdbeWUPvhv9zXKDBoLPTFN7EhaI0iE1zKVe_p4, Response={AuthenticationResult=Failed; },", "related": { "hosts": [ "cisco-ise-host" @@ -1524,7 +1538,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076074", "session": { "timeout": 30 }, 
@@ -1549,6 +1562,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076008 1 0 2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76074, "timezone": "+00:00", "type": [ "info" @@ -1566,6 +1580,7 @@ } } }, + "message": "2022-03-02 10:54:40.265 +00:00 0000076074 12300 INFO EAP: Prepared EAP-Request proposing PEAP with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -1639,7 +1654,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076073", "session": { "timeout": 30 }, 
@@ -1664,6 +1678,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076007 1 0 2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76073, "timezone": "+00:00", "type": [ "info" @@ -1681,6 +1696,7 @@ } } }, + "message": "2022-03-02 10:54:40.264 +00:00 0000076073 12301 INFO EAP: Extracted EAP-Response/NAK requesting to use PEAP instead, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=3, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -1757,7 +1773,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076078", "session": { "timeout": 30 }, 
@@ -1782,6 +1797,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076012 1 0 2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76078, "timezone": "+00:00", "type": [ "info" @@ -1799,6 +1815,7 @@ } } }, + "message": "2022-03-02 10:54:40.275 +00:00 0000076078 12302 INFO EAP: Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -1881,7 +1898,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076086", "session": { "timeout": 30 }, 
@@ -1906,6 +1922,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076020 1 0 2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76086, "timezone": "+00:00", "type": [ "info" 
@@ -1923,6 +1940,7 @@ } } }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076086 12305 INFO EAP: Prepared EAP-Request with another PEAP challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2005,7 +2023,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076085", "session": { "timeout": 30 }, 
@@ -2030,6 +2047,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076019 1 0 2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76085, "timezone": "+00:00", "type": [ "info", 
@@ -2048,6 +2066,7 @@ } } }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076085 12307 INFO EAP: PEAP authentication failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2130,7 +2149,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076084", "session": { "timeout": 30 }, 
@@ -2155,6 +2173,7 @@ ], "kind": "event", "original": "\u003c180\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076018 1 0 2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76084, "timezone": "+00:00", "type": [ "info", 
@@ -2173,6 +2192,7 @@ } } }, + "message": "2022-03-02 10:54:40.277 +00:00 0000076084 12309 WARN EAP: PEAP handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, OpenSSLErrorMessage=SSL alert: code=0x246=582 ; source=local ; type=fatal ; message=\\\"protocol version.ssl/statem/statem_srvr.c:1686 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol [error=337678594 lib=20 func=521 reason=258]\\\", OpenSSLErrorStack= 140449745684224:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2249,7 +2269,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076079", "session": { "timeout": 30 }, 
@@ -2274,6 +2293,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076013 1 0 2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76079, "timezone": "+00:00", "type": [ "info" @@ -2291,6 +2311,7 @@ } } }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076079 12318 INFO EAP: Successfully negotiated PEAP version 0, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2364,7 +2385,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076069", "session": { "timeout": 30 } 
@@ -2389,6 +2409,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076003 1 0 2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76069, "timezone": "+00:00", "type": [ "info" @@ -2406,6 +2427,7 @@ } } }, + "message": "2022-03-02 10:54:40.198 +00:00 0000076069 12500 INFO EAP: Prepared EAP-Request proposing EAP-TLS with challenge, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=2, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2482,7 +2504,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076080", "session": { "timeout": 30 }, 
@@ -2507,6 +2528,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076014 1 0 2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76080, "timezone": "+00:00", "type": [ "info" @@ -2524,6 +2546,7 @@ } } }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076080 12800 INFO EAP: Extracted first TLS record; TLS handshake started, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2600,7 +2623,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076048", "session": { "timeout": 30 }, 
@@ -2625,6 +2647,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:53:10 cisco-ise-host CISE_RADIUS_Diagnostics 0000075982 1 0 2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4,", + "sequence": 76048, "timezone": "+00:00", "type": [ "info" @@ -2642,6 +2665,7 @@ } } }, + "message": "2022-03-02 10:53:10.702 +00:00 0000076048 12805 INFO EAP: Extracted TLS ClientHello message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=48443, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4;29SessionID=cisco-ise-host/435083133/82;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/82, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccr8GsTnHMwaDTe8yR1gvRpH4qkGQ/x0TjxyMKOuFQB/4,", "related": { "hosts": [ "cisco-ise-host" @@ -2718,7 +2742,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076082", "session": { "timeout": 30 }, 
@@ -2744,6 +2767,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076016 1 0 2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76082, "timezone": "+00:00", "type": [ "info" @@ -2761,6 +2785,7 @@ } } }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076082 12814 INFO EAP: Prepared TLS Alert message, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" @@ -2837,7 +2862,6 @@ "service": "Default Network Access" } }, - "sequence_number": "0000076083", "session": { "timeout": 30 }, 
@@ -2863,6 +2887,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 2 10:54:40 cisco-ise-host CISE_RADIUS_Diagnostics 0000076017 1 0 2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", + "sequence": 76083, "timezone": "+00:00", "type": [ "info", @@ -2881,6 +2906,7 @@ } } }, + "message": "2022-03-02 10:54:40.276 +00:00 0000076083 12817 INFO EAP: TLS handshake failed, ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39818, DestinationIPAddress=81.2.69.144, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=30, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, AcsSessionID=cisco-ise-host/435083133/83, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" 
@@ -2979,6 +3005,7 @@ "priority": 182 } }, + "message": "ConfigVersionId=1383, Device IP Address=81.2.69.143, Device Port=39817, DestinationIPAddress=81.2.69.144, DestinationPort=1892, RadiusPacketType=AccessRequest, RadiusIdentifier=4, User-Name=USERNAME, NAS-IP-Address=81.2.69.143, NAS-Port=1, Service-Type=Framed, State=64CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc;29SessionID=cisco-ise-host/435083133/83;, Session-Timeout=20, Calling-Station-ID=00-00-00-00-00-01, NAS-Port-Type=Wireless - IEEE 802.11, SelectedAccessService=Default Network Access, EapTunnel=PEAP, CPMSessionID=0a0009ccqDyAnAWJUIb_A9r1F7EclNP/asP/HfDHLoNi2qUcIMc,", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json index 647284a4774..d01a70cc346 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json @@ -47,7 +47,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000082999", "sysstats": { "cpu": { "count": 4 
@@ -90,6 +89,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 10:10:23 isehost CISE_System_Statistics 0000082933 1 0 2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10,", + "sequence": 82999, "timezone": "+00:00", "type": [ "info" 
@@ -107,6 +107,7 @@ } } }, + "message": "2022-03-03 10:10:23.294 +00:00 0000082999 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1659, SysStatsUtilizationCpu=7.32%, SysStatsUtilizationNetwork=eth3: rcvd = 955455; sent = 0 ;rcvd_dropped = 124; sent_dropped = 0, SysStatsUtilizationNetwork=vethbbd4eb0a: rcvd = 0; sent = 70 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth09eb1105: rcvd = 70; sent = 140 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=veth2f7196e5: rcvd = 1506; sent = 1616 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=42.82%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=19% /opt, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=19% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.65, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11987, ActiveSessionCount=-10,", "related": { "hosts": [ "isehost" @@ -136,7 +137,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000041146", "sysstats": { "acs": { "process": { 
@@ -185,6 +185,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 10:11:58 81.2.69.143 CISE_System_Statistics 0000041100 1 0 2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M\u0026T Session Database=running, PID: 2288787; M\u0026T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled,", + "sequence": 41146, "timezone": "+00:00", "type": [ "info" 
@@ -202,6 +203,7 @@ } } }, + "message": "2022-03-03 10:11:58.749 +00:00 0000041146 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=823, SysStatsAcsProcessHealth= Database Listener=running, PID: 10823; Database Server=running, number of processes: 77; Application Server=running, PID: 2290499; Profiler Database=running, PID: 2286839; ISE Indexing Engine=running, PID: 2301459; AD Connector=running, PID: 27766; M\u0026T Session Database=running, PID: 2288787; M\u0026T Log Processor=running, PID: 2311300; Certificate Authority Service=running, PID: 2312538; EST Service=running, PID: 2326338; SXP Engine Service=running, PID: 1753095; PassiveID WMI Service=running, PID: 2989686; PassiveID Syslog Service=running, PID: 2990191; PassiveID API Service=running, PID: 2990809; PassiveID Agent Service=running, PID: 2991433; PassiveID Endpoint Service=running, PID: 2991940; PassiveID SPAN Service=running, PID: 2992442; DHCP Server (dhcpd)=disabled; DNS Server (named)=disabled; ISE Messaging Service=running, PID: 2322856; ISE API Gateway Database Service=running, PID: 2291381; ISE API Gateway Service=running, PID: 2299091; Segmentation Policy Service=disabled; REST Auth Service=disabled; SSE Connector=disabled; Hermes (pxGrid Cloud Agent)=disabled,", "related": { "ip": [ "81.2.69.143" @@ -310,8 +312,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000082992" + } } }, "ecs": { 
@@ -326,6 +327,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 3 10:08:59 isehost CISE_System_Statistics 0000082925 1 0 2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0,", + "sequence": 82992, "timezone": "+00:00", "type": [ "info" 
@@ -343,6 +345,7 @@ } } }, + "message": "2022-03-03 10:08:59.797 +00:00 0000082992 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=1659, OperationCounters=Counter=16_MnTLogProcessorN:149,16_CAServiceN:41,16_CAServiceT:114946,16_MnTLogProcessorU:14,16_MnTLogProcessorT:720447,16_CAServiceU:2,17_vaEventsReceived:0,16_SyslogU:0,16_SyslogT:0,16_RMIT:0,16_RMIU:0,16_GuestN:0,17_threatEventsReceived:0,16_GuestU:0,16_GuestT:0,16_SyslogN:0,16_MisservicesU:0,4_HostName_Event_Fetch_FromAD:0,16_MisservicesT:0,16_MisservicesN:0,16_DBServerN:83,13_Protocol_Runtime_Context:-10,16_AdminWebappT:0,16_AdminWebappU:0,16_DBServerU:18,16_DBServerT:911373,16_JVMN:0,16_DBListenerU:0,16_AdminWebappN:0,16_DBListenerT:0,16_JVMT:0,16_BYODN:0,16_JVMU:0,16_BYODT:0,16_DBListenerN:0,16_BYODU:0,16_MessageQueueT:0,17_eventsReceived:0,16_MessageQueueU:0,4_Probe_Requests_Dropped:0,4_Probe_Requests_Received:0,4_ArpCache_InsertUpdate_Received:0,17_coaIssued:0,16_MessageQueueN:0,16_iowait:4,16_MnTSessionDBT:13624,16_MnTSessionDBU:0,16_TCNACMongoDBT:0,16_TCNACMongoDBU:0,16_MnTSessionDBN:18,16_TCNACMongoDBN:0,16_NSFN:0,16_ProfilerDatabaseN:4,16_ProfilerDatabaseT:83251,16_ProfilerDatabaseU:2,16_NSFU:0,16_NSFT:0,16_QuartzN:0,4_EndpointCache_InsertUpdate_Received:4,16_QuartzT:0,16_VADT:0,16_VADU:0,16_ProfilerN:0,16_ProfilerT:0,16_VADN:0,16_ProfilerU:0,16_VAServiceN:39,16_VAServiceU:10,16_RMIN:0,16_VAServiceT:531482,4_RadiusPacketsReceived:27,16_TCNACCoreU:0,16_TCNACCoreT:0,16_QuartzU:0,4_NMAP_ScanEvent_Query:0,16_TCNACCoreN:0,", "related": { "hosts": [ "isehost" @@ -379,7 +382,6 @@ "number": 0, "total": 2 }, - "sequence_number": "0000087130", "sysstats": { "utilization": { "cpu": 6.59, 
@@ -417,6 +419,7 @@ ], "kind": "event", "original": "\u003c181\u003eMar 10 09:11:50 isehost CISE_System_Statistics 0000038759 2 0 2022-03-10 09:11:50.030 +00:00 0000087130 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0,", + "sequence": 87130, "timezone": "+00:00", "type": [ "info" 
@@ -434,6 +437,7 @@ } } }, + "message": "2022-03-10 09:11:50.030 +00:00 0000087130 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=1596, SysStatsUtilizationCpu=6.59%, SysStatsUtilizationNetwork=vethdd5866ef: rcvd = 515119; sent = 343427 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=eth0: rcvd = 2098280; sent = 3063878 ;rcvd_dropped = 137; sent_dropped = 0, SysStatsUtilizationNetwork=veth0879da2f: rcvd = 99385; sent = 67337 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationNetwork=cni-podman2: rcvd = 47440; sent = 50301 ;rcvd_dropped = 0; sent_dropped = 0, SysStatsUtilizationMemory=55.09%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=12% /, SysStatsUtilizationDiskSpace=3% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=17% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, SysStatsUtilizationDiskSpace=18% /opt/podman/containers/storage/overlay, AverageRadiusRequestLatency=0,", "related": { "hosts": [ "isehost" @@ -512,6 +516,7 @@ "priority": 181 } }, + "message": "AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.72, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11314, ActiveSessionCount=0,", "related": { "hosts": [ "isehost" @@ -583,6 +588,7 @@ "priority": 181 } }, + "message": "DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.62, SysStatsCpuCount=4, SysStatsProcessMemoryMB=11079, ActiveSessionCount=0,", "related": { "hosts": [ "isehost" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json index 927c7795f96..9e524208296 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json 
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json @@ -88,7 +88,6 @@ "service": "Device Admin - TACACS" } }, - "sequence_number": "0018415781", "service": { "argument": "shell", "name": "Login" @@ -122,6 +121,7 @@ ], "kind": "event", "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, "timezone": "+00:00", "type": [ "info" 
@@ -139,6 +139,7 @@ } } }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ "cisco-ise-host" @@ -237,7 +238,6 @@ "service": "Device Admin - TACACS" } }, - "sequence_number": "0018415636", "service": { "argument": "shell", "name": "Login" 
@@ -272,6 +272,7 @@ ], "kind": "event", "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415636, "timezone": "+00:00", "type": [ "info" 
@@ -289,6 +290,7 @@ } } }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ "cisco-ise-host" @@ -403,7 +405,6 @@ "service": "Device Admin - TACACS" } }, - "sequence_number": "0018415932", "service": { "argument": "shell", "name": "Login" 
@@ -441,6 +442,7 @@ ], "kind": "event", "original": "\u003c182\u003eFeb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", + "sequence": 18415932, "timezone": "+00:00", "type": [ "info" 
@@ -458,6 +460,7 @@ } } }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AVPair.disc-cause=1, AVPair.disc-cause-ext=9, AVPair.pre-session-time=0, AVPair.elapsed_time=127, AVPair.stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", "related": { "hosts": [ "cisco-ise-host" 
@@ -595,6 +598,7 @@ "priority": 182 } }, + "message": "ConfigVersionId=1856, Device IP Address=81.2.69.144, RequestLatency=6, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=35585, AVPair.timezone=GMT, AVPair.start_time=1585222245, AVPair.disc-cause=1, AVPair.disc-cause-ext=9, AVPair.pre-session-time=0, AVPair.elapsed_time=127, AVPair.stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;}", "related": { "hosts": [ "cisco-ise-host" diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json index 10ceb293a04..6fac46667c1 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json @@ -24,7 +24,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000001966", "status": "Active" } }, 
@@ -38,6 +37,7 @@ ], "kind": "event", "original": "\u003c182\u003eMar 16 06:41:58 cisco-ise-host CISE_Threat_Centric_NAC 0000001923 1 0 2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,", + "sequence": 1966, "timezone": "+00:00", "type": [ "info" @@ -55,6 +55,7 @@ } } }, + "message": "2021-03-16 06:41:58.957 +00:00 0000001966 91004 INFO IRF: Started adapter instance, ConfigVersionId=86, Details=Adapter Karnataka status/connectivity changed, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active,", "related": { "hosts": [ "cisco-ise-host" @@ -89,7 +90,6 @@ "number": 0, "total": 1 }, - "sequence_number": "0000001981", "status": "Active" } }, @@ -103,6 +103,7 @@ ], "kind": "event", "original": "\u003c179\u003eMar 16 06:42:55 cisco-ise-host CISE_Threat_Centric_NAC 0000001938 1 0 2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,", + "sequence": 1981, "timezone": "+00:00", "type": [ "info" @@ -120,6 +121,7 @@ } } }, + "message": "2021-03-16 06:42:55.540 +00:00 0000001981 91018 ERROR IRF: Adapter connection failed, ConfigVersionId=86, Details=Adapter cannot connect to the server. Ensure that the server is reachable, AdapterInstanceName=Karnataka, AdapterInstanceUuid=1cb1a7e3-324a-4258-ab0e-5ce429589987, Status=Active, Connectivity=Disconnected,", "related": { "hosts": [ "cisco-ise-host" @@ -147,8 +149,7 @@ "segment": { "number": 0, "total": 1 - }, - "sequence_number": "0000038297" + } } }, "ecs": { 
@@ -161,6 +162,7 @@ ], "kind": "event", "original": "\u003c180\u003eMar 3 00:02:46 isehost CISE_Threat_Centric_NAC 0000038251 1 0 2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,", + "sequence": 38297, "timezone": "+00:00", "type": [ "info" @@ -178,6 +180,7 @@ } } }, + "message": "2022-03-03 00:02:46.341 +00:00 0000038297 91110 WARN RADIUS: One or more Active Directory diagnostic tests failed during a scheduled run., ConfigVersionId=749,", "related": { "hosts": [ "isehost" @@ -224,6 +227,7 @@ "priority": 180 } }, + "message": "ConfigVersionId=749,", "related": { "hosts": [ "isehost" diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 1e9163ce3e3..f4011d31a01 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -11,9 +11,10 @@ processors:
- grok:
field: event.original
patterns:
- - "<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:remaining_message}"
+ - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$"
+ - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$"
- trim:
- field: remaining_message
+ field: message
ignore_failure: true
- convert:
field: host.hostname
@@ -25,22 +26,33 @@ processors:
if: ctx?.host?.ip != null
- append:
field: related.ip
- value: "{{{host.ip}}}"
- if: ctx.host.ip != null
+ value: '{{{host.ip}}}'
+ if: ctx?.host?.ip != null
ignore_failure: true
- append:
field: related.hosts
- value: "{{{host.hostname}}}"
- if: ctx.host.hostname != null
+ value: '{{{host.hostname}}}'
+ if: ctx?.host?.hostname != null
ignore_failure: true
+ - rename:
+ field: _tmp.timezone
+ target_field: event.timezone
+ ignore_missing: true
- date:
field: _tmp.timestamp
- target_field: '@timestamp'
formats:
- MMM d HH:mm:ss
- MMM dd HH:mm:ss
- MMM d HH:mm:ss
ignore_failure: true
+ - date:
+ if: ctx?.event?.timezone != null
+ field: _tmp.timestamp
+ timezone: '{{{event.timezone}}}'
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - MMM d HH:mm:ss
- pipeline:
name: '{{ IngestPipeline "pipeline_policy_diagnostics" }}'
if: ctx?.cisco_ise?.log?.category?.name == "CISE_Policy_Diagnostics"
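Review bot: The second `date` processor added in the `@@ -25,22 +26,33 @@` hunk carries no `ignore_failure: true`, while the unconditional one just above it does, so a header timestamp that fails to parse is tolerated on lines without a timezone but, on lines that carry one, throws and drops the document into the pipeline-level `on_failure` handler (visible in the next hunk), leaving it indexed with only `error.message` and none of the sub-pipeline parsing. Either add `ignore_failure: true` to the new processor or make the two mutually exclusive by guarding the first with `if: ctx?.event?.timezone == null`, which also stops every timezone-bearing line from being parsed twice. Both processors use year-less formats (`MMM d HH:mm:ss`), so the indexed `@timestamp` depends on the ingest node's current year; a comment such as `# syslog header carries no year; the date processor assumes the current year` would warn analysts correlating ISE events across a year boundary. The enclosing `processors:` list begins before the hunk.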
@@ -97,8 +109,7 @@ processors:
copy_from: log.syslog.severity.name
ignore_empty_value: true
- remove:
- field:
- - remaining_message
+ field:
- _tmp
ignore_missing: true
- remove:
@@ -125,4 +136,4 @@ processors:
on_failure:
- set:
field: error.message
- value: "{{{ _ingest.on_failure_message }}}"
+ value: '{{{_ingest.on_failure_message}}}'
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml
index 03bcbf6f7b4..ed7649cf502 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml
@@ -4,15 +4,15 @@ processors:
field: event.kind
value: event
- grok:
- field: remaining_message
- if: ctx.cisco_ise.log.segment.number == 0
+ field: message
+ if: ctx?.cisco_ise?.log?.segment?.number == 0
patterns:
- - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details},"
+ - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details},"
- grok:
- field: remaining_message
- if: ctx.cisco_ise.log.segment.number > 0
+ field: message
+ if: ctx?.cisco_ise?.log?.segment?.number > 0
patterns:
- - "%{GREEDYDATA:cisco_ise.log.log_details},"
+ - "^%{GREEDYDATA:cisco_ise.log.log_details},"
- trim:
field: cisco_ise.log.log_details
ignore_failure: true
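Review bot: With `remaining_message` dropped from the final `remove` in the `@@ -97,8 +109,7 @@` hunk, `message` is now kept as an indexed field, but the updated fixtures show it is not the verbatim body: the tacacs-accounting expectations carry `AVPair.task_id=2962` in `message` where `event.original` has `AVPair=task_id=2962`, which suggests at least one sub-pipeline (not in this view) rewrites `message` in place before it is stored. If `message` is meant to be the untouched syslog body, those sub-pipelines should apply their substitutions to `cisco_ise.log.log_details`, the copy they already grok out, rather than to `message`; if the rewrite is intentional, a comment on the `remove` such as `# message is retained; sub-pipelines may normalise it in place (e.g. AVPair= -> AVPair.)` would stop the next reader from treating it as a faithful copy of `event.original`.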
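Review bot: `%{DATA:event.sequence:long}` in the segment-0 pattern of the `@@ -4,15 +4,15 @@` hunk of pipeline_ad_connector.yml pairs an unconstrained `DATA` token with a numeric conversion, so the regex can match a malformed line and the processor then fails at conversion time instead of at the match; `%{NUMBER:event.sequence:long}` (or `INT`) makes the token itself reject non-numeric input and documents the expected shape. The same construction is introduced in the `@@ -4,40 +4,40 @@` hunk of pipeline_administrative_and_operational_audit.yml. Separately, `ctx?.cisco_ise?.log?.segment?.number > 0` is only safe because the grok in default.yml always populates `segment.number`; a null on the left of `>` is, as far as I can tell, a Painless runtime error rather than `false`, so the null-safe chain protects less than it appears to and a comment like `# segment.number is always set by the default pipeline's grok` would record the dependency.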
@@ -47,12 +47,12 @@ processors:
ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase();
- gsub:
field: cisco_ise.log.log_details
- pattern: "\\\\,"
+ pattern: \\,
replacement: ""
- kv:
field: cisco_ise.log.log_details
- field_split: ", "
- value_split: "="
+ field_split: ', '
+ value_split: =
ignore_failure: true
- date:
field: _tmp.timestamp
@@ -60,7 +60,7 @@ processors:
formats:
- yyyy-MM-dd HH:mm:ss.SSS
- yyyy-MM-dd HH:mm:ss.SSSSSS
- timezone: "{{{event.timezone}}}"
+ timezone: '{{{event.timezone}}}'
ignore_failure: true
- convert:
field: ConfigVersionId
@@ -93,7 +93,7 @@ processors:
ignore_missing: true
- append:
field: related.hosts
- value: "{{{cisco_ise.log.ad.hostname}}}"
+ value: '{{{cisco_ise.log.ad.hostname}}}'
if: ctx?.cisco_ise?.log?.ad?.hostname != null
allow_duplicates: false
ignore_failure: true
@@ -104,7 +104,7 @@ processors:
ignore_missing: true
- append:
field: related.ip
- value: "{{{cisco_ise.log.ad.ip}}}"
+ value: '{{{cisco_ise.log.ad.ip}}}'
if: ctx?.cisco_ise?.log?.ad?.ip != null
allow_duplicates: false
ignore_failure: true
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
index b73cfc38237..8c8e8086149 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
@@ -4,40 +4,40 @@ processors: field: event.kind value: event - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - grok: field: cisco_ise.log.log_details - if: ctx.cisco_ise.log.message.code == "60067" + if: ctx?.cisco_ise?.log?.message?.code == "60067" ignore_failure: true patterns: - "ConfigVersionId=%{DATA:ConfigVersionId}, OperationMessageText={%{DATA:OperationMessageText}}" - grok: field: cisco_ise.log.log_details - if: '["61025", "61026"].contains(ctx.cisco_ise.log.message.code)' + if: '["61025", "61026"].contains(ctx?.cisco_ise?.log?.message?.code)' patterns: - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, , OperationMessageText=%{DATA:OperationMessageText}, AcsInstance=%{GREEDYDATA:AcsInstance}" on_failure: - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = - grok: field: cisco_ise.log.log_details - if: ctx.cisco_ise.log.message.code == "52001" + if: ctx?.cisco_ise?.log?.message?.code == "52001" ignore_failure: true patterns: - "ConfigVersionId=%{DATA:ConfigVersionId}, 
FailureFlag=%{DATA:FailureFlag}, RequestResponseType=%{DATA:RequestResponseType}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, AdminName=%{DATA:AdminName}, %{GREEDYDATA:log_detail}" - grok: field: log_detail - if: ctx.cisco_ise.log.message.code == "52001" + if: ctx?.cisco_ise?.log?.message?.code == "52001" ignore_failure: true patterns: - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, Component=%{DATA:Component}, ObjectInternalID=%{GREEDYDATA:ObjectInternalID}" @@ -46,19 +46,19 @@ processors: - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{GREEDYDATA:ObjectName}" - grok: field: ConfigChangeData - if: ctx.cisco_ise.log.message.code == "52001" + if: ctx?.cisco_ise?.log?.message?.code == "52001" ignore_failure: true patterns: - - "%{DATA:_tmp.temp}, Log Severity Level = %{DATA:LogSeverityLevel}\\\\,Local Logging = %{DATA:LocalLogging}\\\\,Assigned Targets = {%{DATA:AssignedTargets}}" + - "^%{DATA:_tmp.temp}, Log Severity Level = %{DATA:LogSeverityLevel}\\\\,Local Logging = %{DATA:LocalLogging}\\\\,Assigned Targets = {%{DATA:AssignedTargets}}" - grok: field: cisco_ise.log.log_details - if: ctx.cisco_ise.log.message.code == "52002" + if: ctx?.cisco_ise?.log?.message?.code == "52002" ignore_failure: true patterns: - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, %{GREEDYDATA:log_detail}" - grok: field: log_detail - if: ctx.cisco_ise.log.message.code == "52002" + if: ctx?.cisco_ise?.log?.message?.code == "52002" ignore_failure: true patterns: - "AdminSession=%{DATA:AdminSession}, AdminName=%{DATA:AdminName}, ConfigChangeData=%{GREEDYDATA:ConfigChangeData}" 
@@ -67,42 +67,42 @@ processors: on_failure: - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = - kv: field: log_description - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - grok: field: ConfigChangeData - if: ctx.cisco_ise.log.message.code == "52002" + if: ctx?.cisco_ise?.log?.message?.code == "52002" ignore_failure: true patterns: - - "%{DATA:_tmp.temp}, %{GREEDYDATA:_tmp.ConfigChangeData}" + - "^%{DATA:_tmp.temp}, %{GREEDYDATA:_tmp.ConfigChangeData}" - kv: field: _tmp.ConfigChangeData - if: ctx.cisco_ise.log.message.code == "52002" - field_split: ", " + if: ctx?.cisco_ise?.log?.message?.code == "52002" + field_split: ', ' value_split: = ignore_failure: true - kv: if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)' field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - kv: - if: ctx.cisco_ise.log.message.code == "60067" + if: ctx?.cisco_ise?.log?.message?.code == "60067" field: OperationMessageText - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - split: field: AssignedTargets target_field: cisco_ise.log.assigned_targets - separator: "," - if: ctx.cisco_ise.log.message.code == "52001" + separator: ',' + if: ctx?.cisco_ise?.log?.message?.code == "52001" ignore_failure: true - date: field: _tmp.timestamp @@ -110,7 +110,7 @@ processors: formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -165,7 +165,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true 
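Review bot: The `kv` guard `if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)'` in the first hunk is the one condition left on the unguarded `ctx.cisco_ise.log.message.code` form while every neighbouring `if:` in this file was converted to `ctx?.cisco_ise?.log?.message?.code`. Since `List.contains(null)` simply returns false, `if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx?.cisco_ise?.log?.message?.code)'` keeps the style consistent and avoids a NullPointerException when `message.code` was not captured by the earlier grok.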
@@ -175,7 +175,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{client.user.name}}}" + value: '{{{client.user.name}}}' if: ctx?.client?.user?.name != null allow_duplicates: false ignore_failure: true @@ -273,7 +273,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{host.ip}}}" + value: '{{{host.ip}}}' if: ctx?.host?.ip != null allow_duplicates: false ignore_failure: true @@ -299,8 +299,8 @@ processors: ignore_missing: true - append: field: related.hosts - value: "{{{PsnHostName}}}" - if: ctx.PsnHostName != null && ctx.PsnHostName != "" + value: '{{{PsnHostName}}}' + if: ctx?.PsnHostName != null && ctx?.PsnHostName != '' allow_duplicates: false ignore_failure: true - rename: @@ -322,7 +322,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml index 85f581d28e7..9e5648b26f3 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml 
@@ -7,26 +7,26 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - '%{GREEDYDATA:cisco_ise.log.log_details},' - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - dissect: @@ -36,7 +36,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - script: @@ -91,7 +91,7 @@ processors: - append: field: related.ip value: "{{{DestinationIPAddress}}}" - if: ctx.DestinationIPAddress != null + if: ctx?.DestinationIPAddress != null allow_duplicates: false ignore_failure: true - convert: 
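Review bot: The segment>0 grok pattern in this file, `- '%{GREEDYDATA:cisco_ise.log.log_details},'`, is the only one in the commit that did not get the `^` anchor the other pipeline files add, and it also switches to single quotes where the siblings keep double quotes. Functionally `GREEDYDATA` will match from the start either way, so this is a consistency point rather than a bug, but `- "^%{GREEDYDATA:cisco_ise.log.log_details},"` would make the file match the other twelve and avoid a reader wondering why this one differs.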
@@ -101,20 +101,20 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{cisco_ise.log.nas.ip}}}" + value: '{{{cisco_ise.log.nas.ip}}}' if: ctx?.cisco_ise?.log?.nas?.ip != null allow_duplicates: false ignore_failure: true - append: field: user.name - value: "{{{OriginalUserName}}}" - if: ctx.OriginalUserName != null + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null allow_duplicates: false ignore_failure: true - append: field: related.user - value: "{{{OriginalUserName}}}" - if: ctx.OriginalUserName != null + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null allow_duplicates: false ignore_failure: true - rename: @@ -123,14 +123,14 @@ processors: ignore_missing: true - append: field: user.name - value: "{{{UserName}}}" - if: ctx.UserName != null + value: '{{{UserName}}}' + if: ctx?.UserName != null allow_duplicates: false ignore_failure: true - append: field: related.user - value: "{{{UserName}}}" - if: ctx.UserName != null + value: '{{{UserName}}}' + if: ctx?.UserName != null allow_duplicates: false ignore_failure: true - convert: diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml index f282b0bec1f..5700ac03fdd 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml 
@@ -4,22 +4,22 @@ processors: field: event.kind value: event - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -53,8 +53,8 @@ processors: ctx.event.type = eventType; - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - dissect: field: Response @@ -63,7 +63,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - rename: @@ -158,7 +158,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{cisco_ise.log.framed.ip}}}" + value: '{{{cisco_ise.log.framed.ip}}}' if: ctx?.cisco_ise?.log?.framed?.ip != null allow_duplicates: false ignore_failure: true 
@@ -191,7 +191,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{cisco_ise.log.nas.ip}}}" + value: '{{{cisco_ise.log.nas.ip}}}' if: ctx?.cisco_ise?.log?.nas?.ip != null allow_duplicates: false ignore_failure: true @@ -252,7 +252,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{destination.ip}}}" + value: '{{{destination.ip}}}' if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true @@ -268,7 +268,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true @@ -296,7 +296,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{source.ip}}}" + value: '{{{source.ip}}}' if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml index 3aa016045f1..c49664a6b77 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml 
@@ -10,27 +10,27 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - script: lang: painless @@ -52,7 +52,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true @@ -63,7 +63,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{source.ip}}}" + value: '{{{source.ip}}}' if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true 
@@ -98,7 +98,7 @@ processors: ignore_missing: true - append: field: related.user.name - value: "{{{cisco_ise.log.guest.user.name}}}" + value: '{{{cisco_ise.log.guest.user.name}}}' if: ctx?.cisco_ise?.log?.guest?.user?.name != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml index 66c17cb691a..e70181f8e2b 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml @@ -4,22 +4,22 @@ processors: field: event.kind value: event - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless 
@@ -59,8 +59,8 @@ processors: ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - dissect: field: Response @@ -69,7 +69,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - convert: @@ -83,7 +83,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true @@ -117,13 +117,13 @@ processors: ignore_missing: true - append: field: user.full_name - value: "{{{Firstname}}}" + value: '{{{Firstname}}}' if: ctx?.Firstname != null allow_duplicates: false ignore_failure: true - append: field: user.full_name - value: "{{{Lastname}}}" + value: '{{{Lastname}}}' if: ctx?.Lastname != null allow_duplicates: false ignore_failure: true @@ -133,7 +133,7 @@ processors: ignore_missing: true - append: field: user.name - value: "{{{cisco_ise.log.original.user.name}}}" + value: '{{{cisco_ise.log.original.user.name}}}' if: ctx?.cisco_ise?.log?.original?.user?.name != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml index e721e6dd64c..8f14c3ed789 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml 
@@ -7,22 +7,22 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -47,8 +47,8 @@ processors: ctx.event.category = eventCategory; - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - convert: field: ConfigVersionId diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml index 905fa6ffa87..cbbcafd8f90 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml 
@@ -10,27 +10,27 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - script: lang: painless @@ -48,7 +48,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true @@ -59,7 +59,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{source.ip}}}" + value: '{{{source.ip}}}' if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true 
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml index 16c5829c726..bbfb3b66eb8 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml @@ -4,22 +4,22 @@ processors: field: event.kind value: event - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -50,8 +50,8 @@ processors: ctx.event.type = eventType; - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - dissect: field: Response 
@@ -60,7 +60,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - rename: @@ -171,7 +171,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{source.ip}}}" + value: '{{{source.ip}}}' if: ctx?.source?.ip != null allow_duplicates: false ignore_failure: true @@ -207,7 +207,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{cisco_ise.log.nas.ip}}}" + value: '{{{cisco_ise.log.nas.ip}}}' if: ctx?.cisco_ise?.log?.nas?.ip != null allow_duplicates: false ignore_failure: true @@ -313,7 +313,7 @@ processors: ignore_missing: true - append: field: user.name - value: "{{{OriginalUserName}}}" + value: '{{{OriginalUserName}}}' if: ctx?.OriginalUserName != null allow_duplicates: false ignore_failure: true @@ -324,7 +324,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{destination.ip}}}" + value: '{{{destination.ip}}}' if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true @@ -340,7 +340,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml index 20a36ffea1a..3c16394e986 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml 
@@ -10,27 +10,27 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - script: lang: painless @@ -49,7 +49,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true 
@@ -97,14 +97,14 @@ processors: ignore_missing: true - append: field: user.name - value: "{{{OriginalUserName}}}" - if: ctx.OriginalUserName != null + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null allow_duplicates: false ignore_failure: true - append: field: related.user - value: "{{{OriginalUserName}}}" - if: ctx.OriginalUserName != null + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null allow_duplicates: false ignore_failure: true - rename: @@ -117,14 +117,14 @@ processors: ignore_missing: true - append: field: user.name - value: "{{{UserName}}}" - if: ctx.UserName != null + value: '{{{UserName}}}' + if: ctx?.UserName != null allow_duplicates: false ignore_failure: true - append: field: related.user - value: "{{{UserName}}}" - if: ctx.UserName != null + value: '{{{UserName}}}' + if: ctx?.UserName != null allow_duplicates: false ignore_failure: true - rename: diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml index 5040fab9a4e..8e3f28ef059 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml 
@@ -10,26 +10,26 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - script: @@ -60,7 +60,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{client.user.name}}}" + value: '{{{client.user.name}}}' if: ctx?.client?.user?.name != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml index 87ce2458ee6..fbbf1874ecd 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml 
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml @@ -10,26 +10,26 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - script: @@ -49,7 +49,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true @@ -68,7 +68,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true 
@@ -79,7 +79,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{cisco_ise.log.nas.ip}}}" + value: '{{{cisco_ise.log.nas.ip}}}' if: ctx?.cisco_ise?.log?.nas?.ip != null allow_duplicates: false ignore_failure: true @@ -95,7 +95,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{cisco_ise.log.framed.ip}}}" + value: '{{{cisco_ise.log.framed.ip}}}' if: ctx?.cisco_ise?.log?.framed?.ip != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml index 127441f48f1..d89787b48a7 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml 
@@ -4,27 +4,27 @@ processors: field: event.kind value: event - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, %{GREEDYDATA:cisco_ise.log.log_details}," - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - set: field: cisco_ise.log.message.description value: "RADIUS: An Access-Request MUST contain at least a NAS-IP-Address NAS-IPv6-Address, or a NAS-Identifier; Continue processing" - if: ctx.cisco_ise?.log?.message?.code == "11015" + if: ctx?.cisco_ise?.log?.message?.code == "11015" - date: field: _tmp.timestamp 
target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -61,12 +61,12 @@ processors: ctx.event.type = eventType; - gsub: field: cisco_ise.log.log_details - pattern: "\\\\," - replacement: "" + pattern: \\, + replacement: '' - kv: field: cisco_ise.log.log_details - field_split: ", " - value_split: "=" + field_split: ', ' + value_split: = ignore_failure: true - dissect: field: Response @@ -75,7 +75,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - rename: @@ -127,7 +127,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{cisco_ise.log.nas.ip}}}" + value: '{{{cisco_ise.log.nas.ip}}}' if: ctx?.cisco_ise?.log?.nas?.ip != null allow_duplicates: false ignore_failure: true @@ -181,7 +181,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{destination.ip}}}" + value: '{{{destination.ip}}}' if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true @@ -197,7 +197,7 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml index 4d1b4de0ab2..3832191710e 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml 
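Review bot: The `set` for code 11015 writes a description that differs from the literal the first grok pattern matched — `NAS-IP-Address NAS-IPv6-Address` without the comma — so the stored description is not the text ISE emitted; if the comma was dropped on purpose a comment should say why, otherwise restore it: `value: "RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing"`. Separately, the gsub in the `@@ -61` hunk deletes the `\,` sequence from `log_details` rather than unescaping it, so a value that presumably contained an escaped comma is stored altered; `event.original` keeps the raw line, but the parsed value is lossy, which deserves a comment on the gsub such as `# "\," (an escaped comma inside a value) is dropped, not unescaped, so the kv split on ", " is not confused`. The processor list continues past these hunks.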
@@ -10,42 +10,42 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - grok: field: cisco_ise.log.log_details - if: ctx.cisco_ise.log.message.code == "70001" + if: ctx?.cisco_ise?.log?.message?.code == "70001" patterns: - - "ConfigVersionId=%{DATA:ConfigVersionId}, SysStatsAcsProcessHealth= %{GREEDYDATA:_tmp.SysStatsAcsProcessHealth}" + - "^ConfigVersionId=%{DATA:ConfigVersionId}, SysStatsAcsProcessHealth= %{GREEDYDATA:_tmp.SysStatsAcsProcessHealth}" - kv: - if: ctx.cisco_ise.log.message.code == "70001" + if: ctx?.cisco_ise?.log?.message?.code == "70001" field: _tmp.SysStatsAcsProcessHealth target_field: SysStatsAcsProcessHealth - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - kv: - if: ctx.cisco_ise.log.message.code != "70001" + if: ctx?.cisco_ise?.log?.message?.code != "70001" field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - kv: field: OperationCounters target_field: _tmp - field_split: ", " + field_split: ', ' value_split: = - if: ctx.cisco_ise.log.message.code == 
"70011" + if: ctx?.cisco_ise?.log?.message?.code == "70011" ignore_failure: true - kv: - if: ctx.cisco_ise.log.message.code == "70011" + if: ctx?.cisco_ise?.log?.message?.code == "70011" field: _tmp.Counter target_field: Counters field_split: "," @@ -53,14 +53,14 @@ processors: ignore_failure: true - remove: field: OperationCounters - if: ctx.Counters != null + if: ctx?.Counters != null - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -131,8 +131,8 @@ processors: ignore_failure: true - gsub: field: SysStatsUtilizationCpu - pattern: "%" - replacement: "" + pattern: '%' + replacement: '' ignore_missing: true - convert: field: SysStatsUtilizationCpu @@ -141,8 +141,8 @@ processors: ignore_failure: true - gsub: field: SysStatsUtilizationDiskIO - pattern: "%" - replacement: "" + pattern: '%' + replacement: '' ignore_missing: true - convert: field: SysStatsUtilizationDiskIO @@ -160,8 +160,8 @@ processors: ignore_failure: true - gsub: field: SysStatsUtilizationMemory - pattern: "%" - replacement: "" + pattern: '%' + replacement: '' ignore_missing: true - convert: field: SysStatsUtilizationMemory diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml index 6ec957f3256..839a9c4bb92 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml 
@@ -10,31 +10,31 @@ processors: field: event.type value: [info] - gsub: - field: remaining_message + field: message pattern: 'AVPair=' replacement: 'AVPair.' ignore_missing: true - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - script: @@ -54,7 +54,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{client.ip}}}" + value: '{{{client.ip}}}' if: ctx?.client?.ip != null allow_duplicates: false ignore_failure: true @@ -90,7 +90,7 @@ processors: ignore_missing: true - append: field: related.user - value: "{{{user.name}}}" + value: '{{{user.name}}}' if: ctx?.user?.name != null allow_duplicates: false ignore_failure: true 
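Review bot: The kv over `cisco_ise.log.log_details` has no `target_field`, `include_keys` or `exclude_keys`, so every `Key=value` pair the split yields lands at the document root, and this line carries operator-typed text (`CmdSet=[ CmdAV=… ]`, `User=`): a command argument containing `, Name=value` is split like any other pair and, I believe, dotted keys are resolved as field paths, so a device user could create or overwrite arbitrary fields — including the ECS ones the later `rename`/`append` steps trust when building `related.user` and `related.ip`. Parse into a scratch object and copy out only known attributes, e.g. `target_field: _tmp.kv` together with an `include_keys` list of the ISE attribute names this pipeline renames. If ISE escapes embedded commas as `\,` (the diagnostics pipeline strips that sequence), nothing handles it here, so `\, ` still splits. The preceding gsub also rewrites `AVPair=` anywhere in `message`, including inside a user-supplied command string; the processor list continues past this hunk.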
@@ -105,7 +105,7 @@ processors: ignore_failure: true - append: field: related.ip - value: "{{{destination.ip}}}" + value: '{{{destination.ip}}}' if: ctx?.destination?.ip != null allow_duplicates: false ignore_failure: true @@ -220,7 +220,7 @@ processors: - kv: field: _tmp.response target_field: cisco_ise.log.response - field_split: "; " + field_split: '; ' value_split: = ignore_failure: true - remove: diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml index 3a37096e808..54768dfc50e 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml 
@@ -7,22 +7,22 @@ processors: field: event.type value: [info] - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number == 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 patterns: - - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:cisco_ise.log.sequence_number} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," - grok: - field: remaining_message - if: ctx.cisco_ise.log.segment.number > 0 + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 patterns: - - "%{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{GREEDYDATA:cisco_ise.log.log_details}," - date: field: _tmp.timestamp target_field: '@timestamp' formats: - yyyy-MM-dd HH:mm:ss.SSS - yyyy-MM-dd HH:mm:ss.SSSSSS - timezone: "{{{event.timezone}}}" + timezone: '{{{event.timezone}}}' ignore_failure: true - script: lang: painless @@ -42,7 +42,7 @@ processors: ctx.event.category = eventCategory; - kv: field: cisco_ise.log.log_details - field_split: ", " + field_split: ', ' value_split: = ignore_failure: true - convert: diff --git a/packages/cisco_ise/data_stream/log/fields/ecs.yml b/packages/cisco_ise/data_stream/log/fields/ecs.yml index e3596f59b62..078f39d3eae 100644 --- a/packages/cisco_ise/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ise/data_stream/log/fields/ecs.yml @@ -10,6 +10,8 @@ name: destination.port - external: ecs name: ecs.version +- external: ecs + name: event.sequence - external: ecs name: host.hostname - external: ecs 
@@ -22,6 +24,8 @@ name: log.syslog.priority - external: ecs name: log.syslog.severity.name +- external: ecs + name: message - external: ecs name: network.protocol - external: ecs diff --git a/packages/cisco_ise/data_stream/log/fields/fields.yml b/packages/cisco_ise/data_stream/log/fields/fields.yml index 0612322a838..2426988f9f0 100644 --- a/packages/cisco_ise/data_stream/log/fields/fields.yml +++ b/packages/cisco_ise/data_stream/log/fields/fields.yml @@ -690,8 +690,6 @@ fields: - name: profiles type: keyword - - name: sequence_number - type: keyword - name: sequence type: group fields: diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json index 9cb80f56f54..f4524cb7412 100644 --- a/packages/cisco_ise/data_stream/log/sample_event.json +++ b/packages/cisco_ise/data_stream/log/sample_event.json 
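Review bot: Removing `cisco_ise.log.sequence_number` from fields.yml drops a field that shipped in earlier package versions, so saved searches, visualizations or detection rules keyed on it stop matching once the new mapping lands, and documents ingested before the upgrade keep the old keyword field while new ones carry `event.sequence` as a long. The changelog is not in this chunk; the entry for this change should be flagged as breaking with a matching version bump, and the README could carry a one-line migration note such as `cisco_ise.log.sequence_number` has been replaced by the ECS field `event.sequence`.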
@@ -1,71 +1,147 @@ { - "@timestamp": "2022-03-03T10:42:25.842Z", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "ee8c5c05-6c17-476c-af50-7e1aabb3d98d", - "id": "f81b0fc1-f2c5-45e6-8f5d-2e969313b9b4", + "ephemeral_id": "868c4a5a-ab3d-44f9-b28c-dd0da1bd08f8", + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.3.0" }, "cisco_ise": { "log": { - "ad": { - "admin": "ise.host.local", - "domain": { - "controller": "host.local", - "name": "host.local" - }, - "error": { - "details": "The user account is invalid" - }, - "forest": "host.local", - "hostname": "cisco-ise-host@host.local", - "ip": "89.160.20.156", - "log_id": "1645524126/47", - "site": "Default-First-Site-Name" + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": 2962, + "timezone": "GMT" }, "category": { - "name": "CISE_AD_Connector" + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } }, - "log_details": "AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, AD-Hostname=cisco-ise-host@host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name", + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "25012", - "description": "AD-Connector: Domain join failed", - 
"id": "0000083094" + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" }, - "sequence_number": "0000083161" + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" } }, + "client": { + "ip": "81.2.69.144" + }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.0.0" }, "elastic_agent": { - "id": "f81b0fc1-f2c5-45e6-8f5d-2e969313b9b4", - "snapshot": false, - "version": "8.0.0" + "id": "882c1c63-68d0-49f9-8411-0e89960d3b00", + "snapshot": true, + "version": "8.3.0" }, "event": { - "action": "ad-connector", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ - "authentication" + "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2022-03-15T10:03:12Z", + "ingested": "2022-04-15T15:33:23Z", "kind": "event", + "sequence": 18415781, "timezone": "+00:00", "type": [ - "info", - "end" + "info" ] }, "host": { 
@@ -75,28 +151,34 @@ "type": "tcp" }, "log": { - "level": "warn", + "level": "notice", "source": { - "address": "192.168.112.6:52648" + "address": "172.25.0.1:51632" }, "syslog": { - "priority": 180, + "priority": 182, "severity": { - "name": "warn" + "name": "notice" } } }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "cisco-ise-host", - "cisco-ise-host@host.local" + "cisco-ise-host" ], "ip": [ - "89.160.20.156" + "81.2.69.144" + ], + "user": [ + "psxvne" ] }, "tags": [ "forwarded", "cisco_ise-log" - ] + ], + "user": { + "name": "psxvne" + } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index 6e65e45ce94..0d230dae049 100644 
--- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md @@ -1,6 +1,6 @@ # Cisco ISE -The Cisco ISE integration collects and parses data from Cisco ISE using TCP/UDP. +The Cisco ISE ([More info](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html)) integration collects and parses data from Cisco ISE using TCP/UDP. ## Compatibility @@ -25,6 +25,8 @@ This module has been tested against `Cisco ISE server version 3.1.0.518`. ## Logs +Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html) + ### log This is the `log` dataset. @@ -314,7 +316,6 @@ An example event for `log` looks as following: | cisco_ise.log.selected.authentication.identity_stores | | keyword | | cisco_ise.log.selected.authorization.profiles | | keyword | | cisco_ise.log.sequence.number | | long | -| cisco_ise.log.sequence_number | | keyword | | cisco_ise.log.server.name | | keyword | | cisco_ise.log.server.type | | keyword | | cisco_ise.log.service.argument | | keyword | 
@@ -376,6 +377,7 @@ An example event for `log` looks as following: | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
@@ -400,6 +402,7 @@ An example event for `log` looks as following: | log.source.address | Source address from which the log event was read / sent from. | keyword | | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | | related.ip | All of the IPs seen on your event. | ip |