ModernCyber Blog

Integrate Splunk with Cisco ISE

Written by Uzi Ahmed | Dec 20, 2024 9:25:52 PM

Splunk is a leading data platform designed to help organizations harness the power of their machine data. It provides a comprehensive ecosystem for analyzing and visualizing data, enabling better decision-making and improved operational efficiencies. The Cisco ISE team recently published a long video explaining the options for integrating Splunk with ISE. I would encourage everyone to review the video. But if you're short on time, then this blog post is for you. I'll review the most straightforward way for users to integrate Splunk into their ISE deployment.

Step 1 - Install Two ISE Apps in Splunk

I'm going to assume that you have Splunk up and running. You're going to want to download two Splunk apps: Splunk for ISE and Splunk Add-on for ISE.

The Splunk for ISE app is a prebuilt package of ISE dashboards and reports to use in your Splunk platform. Think of it as the 'front end' of your integration.

Importantly, the Splunk for ISE app does not collect data from ISE. That's what the Splunk Add-on for Cisco ISE app is for; it is the 'back end' app that allows you to collect ISE syslog data.

Once you've downloaded these apps from Splunkbase, you can upload them into your Splunk platform.

Step 2 - Setup Splunk as an ISE Syslog Server

Setting up the integration in ISE is simple.

First, you'll want to configure Splunk as a logging target. To do this, navigate to Administration > System > Logging > Remote Logging Target and add a new target. Name your new logging target, provide the hostname (or, preferably, the IP address) of your Splunk instance, and specify the TCP/UDP port to use (514 is the standard syslog port).

Next, you'll want to map logging categories to your new logging target. This is to say, you want to specify what kind of logs are going to be sent to Splunk.

Finally, and optionally, configure any collection filters. Collection filters let you suppress selected syslog messages so that they are not sent to Splunk.

Step 3 - Configure Splunk to Listen to ISE

Finally, configure Splunk to add ISE data to the platform.

In your Splunk dashboard, select the Add data task.

Choose to get data using the Monitor method.

Configure the Splunk platform to listen for data on a network port, and use the port you configured in ISE.

Finally, in Input Settings, select Cisco:ISE:Syslog as the source type, and the Host method as IP.
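The same listener can be defined in a Splunk inputs.conf stanza instead of the Add data wizard. The stanza below is an added example, not configuration from the original post; it assumes ISE is sending plain syslog to UDP 514 as described in Step 2, and the index name `ise` is a placeholder for whatever index you use.

```ini
# Added example (not from the original post): a Splunk inputs.conf stanza
# equivalent to the Add data settings in Step 3.
# Assumptions: ISE sends plain syslog to UDP 514; the "ise" index is a
# placeholder that you must create or replace with your own.

[udp://514]
# Source type expected by the Splunk Add-on for Cisco ISE
sourcetype = cisco:ise:syslog
# "Host method as IP": set the host field from the sender's IP address
connection_host = ip
index = ise
disabled = false
```

Place the stanza in the `local` directory of the add-on (or in `$SPLUNK_HOME/etc/system/local/inputs.conf`) and restart Splunk. If you chose TCP for the ISE logging target, use a `[tcp://514]` stanza with the same settings; TCP gives you a connection-level indication of delivery, whereas a UDP listener silently drops nothing it never received, so after setup confirm ingestion with a search such as `sourcetype=cisco:ise:syslog` rather than assuming the port is reachable.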

Conclusion

You have a few options for integrating Splunk with ISE. In this blog post, I've reviewed the most straightforward way to set up this integration. As you can see, it's a simple and straightforward process. Once you have your integration set up, you can store your ISE data in Splunk for long periods of time, as well as run queries on data from ISE and any other integrations you've set up.

Please get in touch if you have any questions or comments about integrating Splunk into your ISE deployment!