Differences

This shows you the differences between two versions of the page.

--- siteadmin:fticks_logging_for_cisco_ise [2024/05/15 10:24] – [Untested Advanced Configuration] admin
+++ siteadmin:fticks_logging_for_cisco_ise [2024/05/20 12:37] (current) – admin
@@ Line 1: / Line 1: @@
 ======Logging for Cisco ISE======
+**NOTE: This is untested.**
+**This only applies to Federation Operators and not to individual sites**
 Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format.
@@ Line 47: / Line 51: @@
 Here are two options for possible syslog servers and config but you set up any syslog server as long as it has the following behaviour:
-  * Proxies to utilities.govroam.uk on port 601/TCP with Facility local6
+  * Uses the [[public:fticks|FTICKS]] format
-  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied.
+  * Proxies to utilities.govroam.uk on port 514/UDP with Facility local6
+  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied by Jisc.
   * Filters down the proxied log to just those for
     * Successful authentications
-    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS)
+    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS, or within an organisation)
 The two options:
@@ Line 77: / Line 82: @@
 destination d_jisc {
   syslog("212.219.243.132"
-        transport("tcp")
+        transport("udp")
-        port("601")
+        port("514")
         template("F-TICKS/govroam/1.0#REALM=${ISE.UserName}#VISCOUNTRY=GB#VISINST=${ISE.Operator-Name}#CSI=${ISE.Calling-Station-ID}#RESULT=OK#FEDID=XXXXX#")
   );
@@ Line 87: / Line 92: @@
         source(s_remote_udp);
         filter(f_local0);
-        filter{ match("Authentication succeeded" value ("MESSAGE"))};
         parser {
             kv-parser (prefix("ISE."));
@@ Line 108: / Line 112: @@
   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows
   * Use this configuration (with paths changed appropriately)
+**Note: This doesn't actually send the logs in FTICKS format but it does send them in a format which Jisc can convert to FTICKS. However, it's absolutely critical that the FedID is set correctly**
 <code>
@@ Line 135: / Line 141: @@
 <Input tcp_ise>
     Module im_tcp
-    Host  10.10.10.10
+    Host  10.10.10.10 # Set this to the address of the Windows syslog server
     Port  514
     <Exec>
-      if $SyslogFacility != "local6" drop();
+      if $SyslogFacility != "local0" drop();
       if $raw_event !~ /CISE_Passed_Authentications/ drop();
-      $FedID="0X000";
+      $FedID="XXXXX"; # Set this to the Federation ID provided by Jisc
+      $SyslogFacility = "local6";
     </Exec>
 </Input>
+## For future use
 <Output syslog_tls>
     Module      om_ssl
     Host        212.219.243.132
     Port        6514
-#   CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem
+#    CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem
 #    CertFile    c:/Program Files (x86)/nxlog/data/clientreq.pem
 #    CertKeyFile c:/Program Files (x86)/nxlog/data/clientkey.pem
@@ Line 162: / Line 170: @@
     OutputType  Syslog_TLS
     Exec        to_syslog_ietf();
-    Exec        $SyslogFacility = "local6";
 </Output>
@@ Line 172: / Line 179: @@
 </code>
-  * Change 0X000 to the supplied Federation ID.
+  * Change XXXXX to the supplied Federation ID.
-  * Change the 'Host' in 'Input tcp_ise' to the address of the ISE host.
+  * Change the 'Host' in 'Input tcp_ise' to the address of the syslog server.
   * (Ignore the syslog_tls part, that's for future use)
   * Restart the Service