diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 5378c5c316c..7b64e2cba81 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.0"
+ changes:
+ - description: Add support of timezone in configuration parameter.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.26.2"
 changes:
 - description: Support milliseconds in timestamps
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
index 3eff9ab8c41..09553073567 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -2,6 +2,7 @@ service: cisco_ise-log-filestream
 input: filestream
 data_stream:
 vars:
+ tz_offset: +05:00
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
 paths:
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml
index 9e4b8df5c6a..401637fad14 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -6,3 +6,4 @@ vars:
 data_stream:
 vars:
 listen_port: 9025
+ tz_offset: +05:00
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml
index 90d93efebd4..9dd8b9e946b 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -6,3 +6,4 @@ vars:
 data_stream:
 vars:
 listen_port: 9026
+ tz_offset: +05:00
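Review bot: The added `tz_offset: +05:00` in test-filestream-config.yml is an unquoted plain scalar, and the same line is added to test-tcp-config.yml and test-udp-config.yml. A loader applying YAML 1.1 sexagesimal rules reads a value such as `+5:00` as the integer 300, and `+05:00` only escapes that because of its leading zero, so the fixture's type depends on the loader rather than on the file. Quote it, `tz_offset: "+05:00"`, which also matches how the package already quotes its version strings. Separately, the changelog entry on this line links to `https://github.com/elastic/integrations/pull/1`, which reads as a placeholder PR number rather than the real one.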
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
index 570023fa609..6a7cbf33b21 100644
--- a/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
+++ b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
@@ -13,6 +13,12 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs
index bc587e50a3a..d051989b925 100644
--- a/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs
+++ b/packages/cisco_ise/data_stream/log/agent/stream/tcp.yml.hbs
@@ -12,6 +12,12 @@ publisher_pipeline.disable_host: true
 {{#if ssl}}
 ssl: {{ssl}}
 {{/if}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs
index b11a3aa8539..1425ef72e9d 100644
--- a/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs
+++ b/packages/cisco_ise/data_stream/log/agent/stream/udp.yml.hbs
@@ -12,6 +12,12 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 10776045987..ad73b8d9ccb 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
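Review bot: `tz_offset: {{tz_offset}}` in filestream.yml.hbs writes the user-supplied text into the rendered stream YAML as an unquoted plain scalar, and tcp.yml.hbs and udp.yml.hbs add the identical block. The manifest in this commit documents values like `-05:00` and `Europe/Amsterdam`; a plain `-5:00` is a sexagesimal integer to YAML 1.1 loaders, and a value containing `: ` or ` #` alters the rendered document rather than just the field value. Unless the agent's template renderer quotes scalars on its own (not visible here), write `tz_offset: "{{tz_offset}}"` in all three templates so the pipeline always receives `_conf.tz_offset` as a string. The enclosing template continues outside the hunk.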
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -62,9 +62,17 @@ processors:
 if: ctx.host?.hostname != null
 allow_duplicates: false
 ignore_failure: true
+ - rename:
+ field: _conf.tz_offset
+ target_field: event.timezone
+ if: ctx._conf?.tz_offset != null
+ tag: rename_tz_offset
+ ignore_missing: true
 - rename:
 field: _tmp.timezone
+ tag: rename_tmp_timezone
 target_field: event.timezone
+ if: ctx.event?.timezone == null # If user has not provided the timezone offset.
 ignore_missing: true
 - date:
 field: _tmp.timestamp
diff --git a/packages/cisco_ise/data_stream/log/manifest.yml b/packages/cisco_ise/data_stream/log/manifest.yml
index ed414e2354e..e9afc90ffe7 100644
--- a/packages/cisco_ise/data_stream/log/manifest.yml
+++ b/packages/cisco_ise/data_stream/log/manifest.yml
@@ -23,6 +23,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats.
 - name: processors
 type: yaml
 title: Processors
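Review bot: The new `rename` of `_conf.tz_offset` runs before the existing `_tmp.timezone` rename, and the added `if: ctx.event?.timezone == null` on the latter makes the configured offset win even when the log line carries its own offset (the regenerated sample event's message includes one, `-08:00`), while the manifest description added in this same commit says the setting is for timestamps "without a time zone". If fallback is the intent, move the `_tmp.timezone` rename first and put `if: ctx.event?.timezone == null` on the `_conf.tz_offset` rename instead; if override is the intent, reword the description to say the value replaces the offset found in the log. Note also that the sample event still reports `event.timezone: "-08:00"` although the system test configs set `tz_offset: +05:00`, so it is worth confirming the configured value actually reaches the pipeline in a test run. Minor: `if: ctx._conf?.tz_offset != null` together with `ignore_missing: true` is redundant, one suffices. Whether the now-empty `_conf` object is removed later in the pipeline is outside the hunk; if it is not, add it to the final cleanup so it does not leak into indexed documents.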
@@ -53,6 +61,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats.
 - name: udp_options
 type: yaml
 title: Custom UDP Options
@@ -102,6 +118,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: false
+ show_user: true
+ description: >-
+ When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats.
 - name: processors
 type: yaml
 title: Processors
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 57e02da8014..df245a9276b 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
@@ -1,164 +1,163 @@ { - "@timestamp": "2020-02-21T19:13:08.328Z", + "@timestamp": "2020-04-27T11:11:47.028-08:00", "agent": { - "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", - "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", - "name": "docker-fleet-agent", + "ephemeral_id": "753b50ac-3329-4e91-ab3f-c48af7008fc4", + "id": "a0e0ca43-d2bc-4d7e-8863-2336f441b5b4", + "name": "elastic-agent-47780", "type": "filebeat", - "version": "8.10.2" + "version": "8.18.0" }, "cisco_ise": { "log": { "acct": { - "request": { - "flags": "Stop" + "authentic": "RADIUS", + "session": { + "id": "00000000/d4:ca:6d:14:87:3b/20879" + }, + "status": { + "type": "Start" } }, "acs": { "session": { - "id": "ldnnacpsn1/359344348/952729" + "id": "hijk.xyz.com/176956368/1092777" + } + }, + "airespace": { + "wlan": { + "id": 1 } }, - "authen_method": "TacacsPlus", - "avpair": { - "priv_lvl": 15, - "start_time": "2020-03-26T01:17:12.000Z", - "task_id": "2962", - "timezone": "GMT" + "allowed_protocol": { + "matched": { + "rule": "Default" + } + }, + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "d4-ca-6d-14-87-3b" }, "category": { - "name": "CISE_TACACS_Accounting" + "name": "CISE_RADIUS_Accounting" }, - "cmdset": "[ CmdAV=show mac-address-table ]", + "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", "config_version": { - "id": 1829 + "id": 33 }, "cpm": { "session": { - "id": "81.2.69.144Accounting306034364" + "id": "0a222bc0000000d123e111f0" } }, - "device": { - "type": [ - "Device Type#All Device Types#Routers", - "Device Type#All Device Types#Routers" - ] + "event": { + "timestamp": "2014-01-10T07:59:55.000Z" }, - "ipsec": [ - "IPSEC#Is IPSEC Device", - "IPSEC#Is IPSEC Device" - ], - "location": [ - "Location#All Locations#EMEA", - "Location#All Locations#EMEA" - ], - "message": { - "code": "3300", - "description": "Tacacs-Accounting: TACACS+ Accounting with Command", - "id": "0000000001" + "framed": { + "ip": "81.2.69.145" }, - 
"model": { - "name": "Unknown" + "location": "Location#All Locations#SJC#WNBU", + "message": { + "code": "3000", + "description": "Radius-Accounting: RADIUS Accounting start request", + "id": "0000070618" + }, + "nas": { + "identifier": "Acme_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } }, "network": { "device": { "groups": [ - "Location#All Locations#EMEA", - "Device Type#All Device Types#Routers", - "IPSEC#Is IPSEC Device" + "Location#All Locations#SJC#WNBU", + "Device Type#All Device Types#Wireless#WLC" ], - "name": "wlnwan1", - "profile": [ - "Cisco", - "Cisco" - ] + "name": "WNBU-WLC1" } }, - "port": "tty10", - "privilege": { - "level": 15 - }, "request": { - "latency": 1 - }, - "response": { - "AcctReply-Status": "Success" + "latency": 6 }, "segment": { "number": 0, - "total": 4 + "total": 1 }, "selected": { "access": { - "service": "Device Admin - TACACS" + "service": "Default Network Access" } }, - "service": { - "argument": "shell", - "name": "Login" - }, - "software": { - "version": "Unknown" - }, "step": [ - "13006", + "11004", + "11017", "15049", "15008", "15048", - "13035" + "15048", + "15048", + "15004", + "15006", + "11005" ], - "type": "Accounting" + "tunnel": { + "medium": { + "type": "(tag=0) 802" + }, + "private": { + "group_id": "(tag=0) 70" + }, + "type": "(tag=0) VLAN" + } } }, "client": { - "ip": "81.2.69.144" + "ip": "81.2.69.145" }, "data_stream": { "dataset": "cisco_ise.log", - "namespace": "ep", + "namespace": "54245", "type": "logs" }, - "destination": { - "ip": "81.2.69.144" - }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", - "snapshot": false, - "version": "8.10.2" + "id": "a0e0ca43-d2bc-4d7e-8863-2336f441b5b4", + "snapshot": true, + "version": "8.18.0" }, "event": { - "action": "tacacs-accounting", + "action": "radius-accounting", "agent_id_status": "verified", "category": [ "configuration" ], + "code": "3000", "dataset": 
"cisco_ise.log", - "ingested": "2023-10-03T09:31:56Z", + "ingested": "2025-04-14T10:20:46Z", "kind": "event", - "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", - "sequence": 18415781, - "timezone": "+00:00", + "sequence": 91827141, + "timezone": "-08:00", "type": [ "info" ] }, "host": { - "hostname": "cisco-ise-host" + "hostname": "hijk.xyz.com" }, "input": { - "type": "filestream" + "type": "udp" }, "log": { - "file": { - "device_id": 2080, - "inode": 88860, - "path": "/tmp/service_logs/log.log" - }, "level": "notice", - "offset": 71596, + "source": { + "address": "192.168.245.1:53983" + }, "syslog": { "priority": 182, "severity": { 
@@ -166,24 +165,23 @@ } } }, - "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, 
Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", "related": { "hosts": [ - "cisco-ise-host" + "hijk.xyz.com" ], "ip": [ - "81.2.69.144" + "81.2.69.145" ], "user": [ - "psxvne" + "nisehorrrrn" ] }, "tags": [ - "preserve_original_event", "forwarded", "cisco_ise-log" ], "user": { - "name": "psxvne" + "name": "nisehorrrrn" } -} \ No newline at end of file +} diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index 5a44ff21227..e519deef187 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md 
@@ -35,166 +35,165 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2020-02-21T19:13:08.328Z", + "@timestamp": "2020-04-27T11:11:47.028-08:00", "agent": { - "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", - "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", - "name": "docker-fleet-agent", + "ephemeral_id": "753b50ac-3329-4e91-ab3f-c48af7008fc4", + "id": "a0e0ca43-d2bc-4d7e-8863-2336f441b5b4", + "name": "elastic-agent-47780", "type": "filebeat", - "version": "8.10.2" + "version": "8.18.0" }, "cisco_ise": { "log": { "acct": { - "request": { - "flags": "Stop" + "authentic": "RADIUS", + "session": { + "id": "00000000/d4:ca:6d:14:87:3b/20879" + }, + "status": { + "type": "Start" } }, "acs": { "session": { - "id": "ldnnacpsn1/359344348/952729" + "id": "hijk.xyz.com/176956368/1092777" + } + }, + "airespace": { + "wlan": { + "id": 1 + } + }, + "allowed_protocol": { + "matched": { + "rule": "Default" } }, - "authen_method": "TacacsPlus", - "avpair": { - "priv_lvl": 15, - "start_time": "2020-03-26T01:17:12.000Z", - "task_id": "2962", - "timezone": "GMT" + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "d4-ca-6d-14-87-3b" }, "category": { - "name": "CISE_TACACS_Accounting" + "name": "CISE_RADIUS_Accounting" }, - "cmdset": "[ CmdAV=show mac-address-table ]", + "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", "config_version": { - "id": 1829 + "id": 33 }, "cpm": { "session": { - "id": "81.2.69.144Accounting306034364" + "id": "0a222bc0000000d123e111f0" } }, - "device": { - "type": [ - "Device Type#All Device Types#Routers", - "Device Type#All Device Types#Routers" - ] + "event": { + "timestamp": "2014-01-10T07:59:55.000Z" }, - "ipsec": [ - "IPSEC#Is IPSEC Device", - "IPSEC#Is IPSEC Device" - ], - "location": [ - "Location#All Locations#EMEA", - "Location#All Locations#EMEA" - ], + "framed": { + "ip": "81.2.69.145" + }, + "location": "Location#All Locations#SJC#WNBU", "message": { - 
"code": "3300", - "description": "Tacacs-Accounting: TACACS+ Accounting with Command", - "id": "0000000001" + "code": "3000", + "description": "Radius-Accounting: RADIUS Accounting start request", + "id": "0000070618" }, - "model": { - "name": "Unknown" + "nas": { + "identifier": "Acme_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } }, "network": { "device": { "groups": [ - "Location#All Locations#EMEA", - "Device Type#All Device Types#Routers", - "IPSEC#Is IPSEC Device" + "Location#All Locations#SJC#WNBU", + "Device Type#All Device Types#Wireless#WLC" ], - "name": "wlnwan1", - "profile": [ - "Cisco", - "Cisco" - ] + "name": "WNBU-WLC1" } }, - "port": "tty10", - "privilege": { - "level": 15 - }, "request": { - "latency": 1 - }, - "response": { - "AcctReply-Status": "Success" + "latency": 6 }, "segment": { "number": 0, - "total": 4 + "total": 1 }, "selected": { "access": { - "service": "Device Admin - TACACS" + "service": "Default Network Access" } }, - "service": { - "argument": "shell", - "name": "Login" - }, - "software": { - "version": "Unknown" - }, "step": [ - "13006", + "11004", + "11017", "15049", "15008", "15048", - "13035" + "15048", + "15048", + "15004", + "15006", + "11005" ], - "type": "Accounting" + "tunnel": { + "medium": { + "type": "(tag=0) 802" + }, + "private": { + "group_id": "(tag=0) 70" + }, + "type": "(tag=0) VLAN" + } } }, "client": { - "ip": "81.2.69.144" + "ip": "81.2.69.145" }, "data_stream": { "dataset": "cisco_ise.log", - "namespace": "ep", + "namespace": "54245", "type": "logs" }, - "destination": { - "ip": "81.2.69.144" - }, "ecs": { "version": "8.17.0" }, "elastic_agent": { - "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", - "snapshot": false, - "version": "8.10.2" + "id": "a0e0ca43-d2bc-4d7e-8863-2336f441b5b4", + "snapshot": true, + "version": "8.18.0" }, "event": { - "action": "tacacs-accounting", + "action": "radius-accounting", "agent_id_status": "verified", "category": [ 
"configuration" ], + "code": "3000", "dataset": "cisco_ise.log", - "ingested": "2023-10-03T09:31:56Z", + "ingested": "2025-04-14T10:20:46Z", "kind": "event", - "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", - "sequence": 18415781, - "timezone": "+00:00", + "sequence": 91827141, + "timezone": "-08:00", "type": [ "info" ] }, "host": { - "hostname": "cisco-ise-host" + "hostname": "hijk.xyz.com" }, "input": { - "type": "filestream" + "type": "udp" }, "log": { - "file": { - "device_id": 2080, - "inode": 88860, - "path": "/tmp/service_logs/log.log" - }, "level": "notice", - "offset": 71596, + "source": { + "address": "192.168.245.1:53983" + }, "syslog": { "priority": 182, 
"severity": { 
@@ -202,25 +201,24 @@ An example event for `log` looks as following: } } }, - "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, 
NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", "related": { "hosts": [ - "cisco-ise-host" + "hijk.xyz.com" ], "ip": [ - "81.2.69.144" + "81.2.69.145" ], "user": [ - "psxvne" + "nisehorrrrn" ] }, "tags": [ - "preserve_original_event", "forwarded", "cisco_ise-log" ], "user": { - "name": "psxvne" + "name": "nisehorrrrn" } } ``` diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml index d11e02926c3..219454fe88f 100644 --- a/packages/cisco_ise/manifest.yml +++ b/packages/cisco_ise/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_ise title: Cisco ISE -version: "1.26.2" +version: "1.27.0" description: Collect logs from Cisco ISE with Elastic Agent. type: integration categories: