Govroam

The Roaming solution for the public sector

User Tools

Site Tools

You are here: start » siteadmin » fticks_logging_for_cisco_ise
siteadmin:fticks_logging_for_cisco_ise

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
siteadmin:fticks_logging_for_cisco_ise [2024/05/15 10:33] adminsiteadmin:fticks_logging_for_cisco_ise [2024/05/20 12:37] (current) admin
Line 1: Line 1:
 ======Logging for Cisco ISE====== ======Logging for Cisco ISE======
 +
 +**NOTE: This is untested.**
 +
 +**This only applies to Federation Operators and not to individual sites**
  
 Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format. Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format.
Line 49: Line 53:
   * Uses the [[public:fticks|FTICKS]] format   * Uses the [[public:fticks|FTICKS]] format
   * Proxies to utilities.govroam.uk on port 514/UDP with Facility local6   * Proxies to utilities.govroam.uk on port 514/UDP with Facility local6
-  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied.+  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied by Jisc.
   * Filters down the proxied log to just those for   * Filters down the proxied log to just those for
     * Successful authentications     * Successful authentications
-    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS)+    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS, or within an organisation)
  
 The two options: The two options:
Line 88: Line 92:
         source(s_remote_udp);         source(s_remote_udp);
         filter(f_local0);         filter(f_local0);
-        filter{ match("Authentication succeeded" value ("MESSAGE"))}; 
         parser {         parser {
             kv-parser (prefix("ISE."));             kv-parser (prefix("ISE."));
Line 109: Line 112:
   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows
   * Use this configuration (with paths changed appropriately)   * Use this configuration (with paths changed appropriately)
 +
 +**Note: This doesn't actually send the logs in FTICKS format but it does send them in a format which Jisc can convert to FTICKS. However, it's absolutely critical that the FedID is set correctly** 
  
 <code> <code>
Line 139: Line 144:
     Port  514     Port  514
     <Exec>     <Exec>
-      if $SyslogFacility != "local6" drop();+      if $SyslogFacility != "local0" drop();
       if $raw_event !~ /CISE_Passed_Authentications/ drop();       if $raw_event !~ /CISE_Passed_Authentications/ drop();
-      $FedID="0X000"; # Set this to the Federation ID provided by Jisc+      $FedID="XXXXX"; # Set this to the Federation ID provided by Jisc 
 +      $SyslogFacility = "local6";
     </Exec>     </Exec>
 </Input> </Input>
Line 164: Line 170:
     OutputType  Syslog_TLS     OutputType  Syslog_TLS
     Exec        to_syslog_ietf();     Exec        to_syslog_ietf();
-    Exec        $SyslogFacility = "local6"; 
 </Output> </Output>
  
Line 174: Line 179:
 </code> </code>
  
-  * Change 0X000 to the supplied Federation ID.+  * Change XXXXX to the supplied Federation ID.
   * Change the 'Host' in 'Input tcp_ise' to the address of the syslog server.   * Change the 'Host' in 'Input tcp_ise' to the address of the syslog server.
   * (Ignore the syslog_tls part, that's for future use)   * (Ignore the syslog_tls part, that's for future use)
siteadmin/fticks_logging_for_cisco_ise.1715769201.txt.gz · Last modified: 2024/05/15 10:33 by admin