It works, I have changed the port number.
@Roman - Thanks for sharing the information, it will be helpful in some other cases.
Original Message:
Sent: Mon April 08, 2024 03:08 AM
From: Carl Mohn
Subject: Cisco Identity Service Engine Log Source Integration
Hello Arunkumar,
Please follow this Technote for troubleshooting: https://www.ibm.com/support/pages/node/6326057
From experience, there might be another log source on the same event collecting host which is using the same port (517). This causes a port conflict and Traffic Analysis can get confused.
If you already have another log source type using port 517, just change the log source config to use a free port on the same event collector, e.g. 518/519/520 etc.
When you manually create the Cisco ISE log source, it should automatically create an iptables rule to accept traffic.
The pre-routing rule method is only needed if it's not easy to target the Cisco ISE device to send to port 517. What the rule does is listen for traffic from a certain source IP on port 514 and forward it to port 517. Ref doc: https://www.ibm.com/docs/en/dsm?topic=sol-configuring-iptables-udp-multiline-syslog-events
Hope this is helpful, good luck!
-C-
------------------------------
Carl Mohn
IBM
Dublin
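The pre-routing redirect described in the reply above, as an added example that is not part of the original message or of IBM's documentation: a small script that validates its inputs and emits a source-scoped nat-table rule in standard iptables syntax. The source address 192.0.2.10 is a constructed sample and the function names are hypothetical; where the rule is persisted on a QRadar host is covered by the referenced IBM document.

```shell
#!/bin/sh
# Added example: build a UDP redirect rule scoped to one sender, so only
# that device's port-514 traffic is forwarded to the multiline listener.

# Succeeds if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds if $1 is a port number in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints the nat PREROUTING rule: <source IP> <port sent to> <listener port>.
# Refuses bad input and a redirect of a port onto itself.
redirect_rule() {
    src=$1; from=$2; to=$3
    valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    valid_port "$from" && valid_port "$to" || { echo "bad port" >&2; return 1; }
    [ "$from" -ne "$to" ] || { echo "ports must differ" >&2; return 1; }
    printf '%s\n' "-A PREROUTING -p udp -s $src --dport $from -j REDIRECT --to-ports $to"
}

# Constructed sample: the ISE node at 192.0.2.10 can only send to 514,
# while the log source listens on 517.
redirect_rule 192.0.2.10 514 517
```

Because the rule matches on `-s`, other devices sending ordinary syslog to port 514 on the same event collector are not redirected.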
Original Message:
Sent: Fri April 05, 2024 03:11 AM
From: Arunkumar R
Subject: Cisco Identity Service Engine Log Source Integration
Hi,
I have configured the custom DSM for the Cisco Identity Service Engine and added the log source using port 517.
When I use port 517 as suggested in the QRadar link below, the logs are not received, but when I use port 514 in Cisco ISE the logs are received as unknown.
https://www.ibm.com/docs/hu/qradar-on-cloud?topic=cisco-identity-services-engine
UDP multiline syslog protocol configuration options
Can anyone please help to resolve the issue?
QRadar Version: 7.5.0 UP6
I am not sure why QRadar decommissioned many DSMs which have earlier versions. I think the older version of QRadar is better than the latest.
Thanks
------------------------------
Arunkumar R
------------------------------