Integrating ISE with Splunk for Reporting

This post is going to be a bit different. I'm configuring Splunk in my lab currently for reporting and as I go through it, I'm going to detail my configurations here. I am going to use Splunk to aggregate my ISE logs to it. In order to do so, we're going to have to install the Spunk for Identity Services (ISE) app onto Splunk. Before starting, please download the app from here.

Before we begin making any configuration changes on ISE, we're going to need to install the app on Splunk. After you sign into Splunk, "Apps" should be on the top left corner of the page. Click on the gear icon next to it. 

You should now be on the Apps page. Click on the button state says "Install app from file."


This is where you will have to upload the Identity Services app that you downloaded. After you click Upload, you should be prompted to restart the Splunk services. Go ahead and do so.

While Splunk's services are restarting, let's go ahead and configure ISE to send certain syslog data over to Splunk. Log into your ISE instance and navigate to Administration>System>Logging>Remote Logging Targets and click Add. We are going to create a remote logging target for our Splunk server.

For the remote logging target, configure the following:

  • Name: <Whatever you choose>
  • IP/Host Adddress: <Splunk Server>
  • Port: 514
  • Maximum Length: 8192
  • Status: Enabled

Click Save when complete.

While still in ISE, navigate to Administration>System>Logging>Logging Categories and add your new logging target to the following categories:

  • AAA Audit
  • Failed Attempts
  • Passed Authentications
  • AAA Diagnostics
  • Accounting
  • RADIUS Accounting
  • Administrative and Operational Audit
  • Posture and Client Provisioning Audit
  • Posture and Client Provisioning Diagnostics
  • External MDM
  • Profiler
  • System Diagnostics
  • System Statistics

After you have completed this, log back into Splunk. On the main dashboard, there is an option to Add Data. Click on it.

On the next page, choose Monitor since we're going to monitor a port coming in from a certain IP address (ISE).

On the next page, choose TCP/UDP from the lefthand panel. 

From here, choose the following:

  • UDP
  • Port: 514
  • Only accept connections from <ISE-IP>

Click Next

On the next page, choose the following and leave everything else at it's default:

  • Sourcetype: cisco:ise:syslog
  • Host: IP

Click Review and then click Submit.

Go back to the main Splunk dashboard and then click on Cisco ISE on the side to pull up the ISE dashboard. 

At this point, you should be pulling up information which might look similar to this:


One thing I have noticed with the ISE app is that there will be some pages that show a error and won't render the data because the eventtype of 'cisco-ise' is missing. It will look similar to this:

While it's a little on the annoying side, it's actually very easy to permanently fix on these dashboard. Click on the Edit button on the top lefthand corner of the offending dashboard to edit the search for the different widgets. 

After you click edit, there should be a magnifying glass icon on each widget. Click on that to pull up the search criteria of each widget.

Delete eventtype=cisco-ise out of the search and replace it with sourcetype=cisco:ise:syslog. As soon as you save the widget, you should see data start to render. Once you save the entire dashboard after you've edited all the widgets on a particular dashboard, it should be permanently fixed for that specific dashboard.