Cisco ISE is generating a continuous stream of authentication, authorization, and posture data — every 802.1X login, every guest registration, every failed auth attempt. Out of the box, that data lives in ISE’s internal MnT database where it’s searchable but limited. Sending it to Splunk unlocks full SIEM capabilities: long-term retention, correlation with other security data, custom dashboards, and automated alerting.

This guide covers the complete integration from ISE syslog configuration through Splunk field extractions, SPL queries, and a live RADIUS operations dashboard.

Splunk + Cisco ISE Syslog Integration — RADIUS Dashboard


Architecture Overview

ISE MnT Node
    │
    │ Syslog (UDP 514 / TCP 6514 TLS)
    ▼
Splunk Heavy Forwarder
    │
    │ Parsed + indexed events
    ▼
Splunk Indexer
    │
    │ SPL queries
    ▼
Splunk Search Head (Dashboard)

ISE’s Monitoring and Troubleshooting (MnT) node is the log aggregator — all PSNs send their authentication events to the MnT, which then forwards to external syslog targets. Configure the syslog target on the MnT, not on individual PSNs.


Step 1 — Configure ISE Syslog Targets

  1. Administration > System > Logging > Remote Logging Targets
  2. Click Add
  3. Configure:
    • Name: Splunk-HF (or your Splunk forwarder name)
    • Target Type: UDP Syslog or TCP Syslog
    • Host: your Splunk Heavy Forwarder IP or hostname
    • Port: 514 (UDP/TCP) or 6514 (TLS)
    • Facility Code: Local6 (or any facility not used by other systems)
    • Maximum Length: 8192 (increase from default 1024 — ISE messages can be long)
  4. Save

Configure Log Categories

This step controls what ISE sends. Less is more — focus on actionable data:

  1. Administration > System > Logging > Logging Categories
  2. For each category below, click it and add your Splunk target:
  • AAA Audit: every RADIUS auth event — core of your dashboard
  • Failed Attempts: dedicated failed auth log — easier to filter
  • RADIUS Accounting: session start/stop for duration and bandwidth tracking
  • Passed Authentications: success log (can be high volume — use sampling in prod)
  • Guest and WebAuth: guest portal authentications
  • Posture and Client Provisioning: compliance state changes
  • Administrative and Operational Audit: config changes, admin logins

Avoid sending Debug categories to Splunk in production. They generate 10–50x more events than INFO-level categories and will blow up your Splunk license.


Step 2 — Configure Splunk to Receive ISE Syslog

On Splunkbase, search for Cisco ISE and install the official Cisco ISE add-on.

Install on:

  • Indexer/Heavy Forwarder: for field extractions at index time
  • Search Head: for dashboard panels and saved searches

The add-on automatically configures:

  • sourcetype = cisco:ise recognition
  • Field extractions for all standard ISE log formats
  • CIM mapping for Splunk Enterprise Security compatibility

Create the Syslog Input

In Splunk Web: Settings > Data Inputs > UDP (or TCP):

  • Port: 514
  • Source type: cisco:ise (if using the add-on) or syslog
  • Index: create a dedicated cisco_ise index for retention management

Or add to inputs.conf on the Heavy Forwarder:

[udp://514]
connection_host = ip
sourcetype = cisco:ise
index = cisco_ise

Option B — Custom props.conf Extractions

If not using the add-on, add to $SPLUNK_HOME/etc/system/local/props.conf:

[cisco:ise]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
KV_MODE = none
REPORT-ise_kv = ise_extract_kv

[source::udp:514]
sourcetype = cisco:ise

And transforms.conf:

[ise_extract_kv]
REGEX = ([A-Za-z0-9_\-]+)=([^,\n]+)
FORMAT = $1::$2
MV_ADD = true

Step 3 — Verify Data and Field Extractions

Run this search in Splunk after a few minutes:

index=cisco_ise sourcetype=cisco:ise
| head 20

Confirm events are flowing. Then check field extractions:

index=cisco_ise sourcetype=cisco:ise
| head 5
| table _time, user, calling_station_id, nas_ip_address, cisco_ise_category, failure_reason

Key fields to verify are extracted:

  • user: authenticated username
  • calling_station_id: client MAC address
  • nas_ip_address: network device IP
  • nas_identifier: network device name
  • cisco_ise_category: log category (e.g. CISE_Failed_Attempts)
  • failure_reason: error code and description for failed auths
  • auth_policy: ISE policy set matched
  • auth_rule: authorization rule matched
  • authorization_profile: profile applied to the session
  • endpoint_profile: ISE endpoint profiling result

Step 4 — Key SPL Queries

Authentication Volume Over Time

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_AAA_Audit
| timechart span=5m count by auth_result

Failed Authentication Rate by Reason

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts
| stats count by failure_reason
| sort -count
| head 20

Top Failing Endpoints (by MAC)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts
| stats count by calling_station_id, user, failure_reason
| sort -count
| head 25

Authentication Volume by Network Device

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_AAA_Audit
| stats count by nas_identifier, auth_result
| eventstats sum(count) as device_total by nas_identifier
| eval success_rate = round(count / device_total * 100, 1)
| sort -count

eventstats supplies the per-device total (sum() is not an eval function, so it cannot be used inside eval directly); success_rate on each row is that auth_result's share of the device's total, so read it from the PASSED row.

Policy Utilization — Which Rules Are Matching

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_AAA_Audit
| stats count by auth_policy, auth_rule, authorization_profile
| sort -count

Guest Authentication Activity

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Guest_and_WebAuth
| timechart span=1h count by auth_result

Posture Compliance State Transitions

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Posture_and_Client_Provisioning
| stats count by posture_status, user
| sort -count

Admin Activity Audit

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Administrative_and_Operational_Audit
| table _time, admin_name, operation_type, object_name, object_type
| sort -_time

Step 5 — Build the ISE Operations Dashboard

In Splunk Web: Dashboards > Create New Dashboard — name it ISE Operations Center.

Add these panels:

Panel 1 — Auth Volume (Line Chart)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_AAA_Audit
| timechart span=15m count by auth_result

Type: Line Chart | Time range: Last 24 hours | Auto-refresh: 5 min

Panel 2 — Failure Rate (Single Value)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts earliest=-1h
| stats count as failures
| appendcols [search index=cisco_ise cisco_ise_category=CISE_AAA_Audit earliest=-1h | stats count as total]
| eval failure_rate = round(failures/total*100, 1) . "%"
| table failure_rate

Type: Single Value | Threshold: green < 5%, yellow < 15%, red > 15%

Panel 3 — Top Failure Reasons (Bar Chart)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts earliest=-4h
| stats count by failure_reason
| sort -count | head 10

Panel 4 — Top Failing Endpoints (Table)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts earliest=-4h
| stats count, values(failure_reason) as reasons by calling_station_id, user
| sort -count | head 15

Panel 5 — Real-Time Failed Auth Feed (Table, auto-refresh 1 min)

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts
| table _time, user, calling_station_id, nas_identifier, failure_reason
| sort -_time | head 50

Step 6 — Configure Alerts

Alert: Brute Force Detection

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Failed_Attempts
| stats count by user, calling_station_id
| where count > 10

Trigger: every 5 minutes, if results > 0. Send email or Slack notification.
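As an added example (not code from the page, Cisco or the Splunk add-on), the following Python script emulates the custom transforms.conf extraction from Option B and the brute-force count from this alert over constructed sample events; the syslog lines, hostnames, MAC addresses and usernames are made up. It also shows a caveat of the page's key pattern: its character class has no space, so ISE's "Device IP Address" attribute comes out as a field named Address, which is why the add-on (or a wider pattern) is preferable for spaced attribute names.

```python
import re
from collections import Counter

# Key=value pattern copied from the page's transforms.conf stanza [ise_extract_kv].
ISE_KV = re.compile(r"([A-Za-z0-9_\-]+)=([^,\n]+)")


def make_failed_attempt(user, mac, seq):
    """Constructed CISE_Failed_Attempts line (not captured ISE output): syslog header,
    category, counters, MnT timestamp, message code, then ISE's ", "-separated attributes."""
    return (
        f"<181>Jan 10 09:15:{seq:02d} ise-mnt CISE_Failed_Attempts {seq:010d} 1 0 "
        f"2024-01-10 09:15:{seq:02d}.101 +00:00 {seq:010d} 5400 NOTICE Failed-Attempt: "
        f"Authentication failed, ConfigVersionId=42, Device IP Address=10.10.1.5, "
        f"UserName={user}, NetworkDeviceName=sw-core-1, Calling-Station-ID={mac}, "
        f"FailureReason=22040 Wrong password or invalid shared secret, Protocol=Radius"
    )


# Constructed sample: 12 failures for alice from one MAC, 3 for bob, plus one
# passed authentication that the failed-attempt alert must ignore.
SAMPLE_EVENTS = (
    [make_failed_attempt("alice", "00-11-22-33-44-55", i) for i in range(12)]
    + [make_failed_attempt("bob", "AA-BB-CC-DD-EE-FF", i) for i in range(3)]
    + ["<181>Jan 10 09:16:00 ise-mnt CISE_Passed_Authentications 0000000100 1 0 "
       "2024-01-10 09:16:00.500 +00:00 0000000100 5200 NOTICE Passed-Authentication: "
       "Authentication succeeded, ConfigVersionId=42, UserName=carol, "
       "Calling-Station-ID=11-22-33-44-55-66, Protocol=Radius"]
)


def extract_kv(event):
    """Emulate REPORT-ise_kv with MV_ADD = true: each key maps to a list of values,
    so a key repeated within one event keeps every value instead of the last one."""
    fields = {}
    for key, value in ISE_KV.findall(event):
        fields.setdefault(key, []).append(value.strip())
    return fields


def brute_force_candidates(events, threshold=10):
    """The Step 6 alert in plain Python: count CISE_Failed_Attempts events per
    (UserName, Calling-Station-ID) and return the pairs whose count exceeds the threshold."""
    counts = Counter()
    for event in events:
        if " CISE_Failed_Attempts " not in event:
            continue
        f = extract_kv(event)
        counts[(f.get("UserName", ["-"])[0], f.get("Calling-Station-ID", ["-"])[0])] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}
```

Running extract_kv(SAMPLE_EVENTS[0]) yields the raw ISE attribute names (UserName, Calling-Station-ID, FailureReason); the normalized names in the Step 3 table (user, calling_station_id, failure_reason) are what the add-on produces, so searches written for one naming scheme will not match the other.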

Alert: Admin Account Usage After Hours

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Administrative_and_Operational_Audit
| eval hour=tonumber(strftime(_time, "%H"))
| where (hour < 7 OR hour > 19)
| table _time, admin_name, operation_type, object_name

strftime returns a string, so without tonumber() the comparison is lexicographic and the alert fires on daytime hours as well.

Alert: Posture Non-Compliance Spike

index=cisco_ise sourcetype=cisco:ise cisco_ise_category=CISE_Posture_and_Client_Provisioning posture_status=NonCompliant
| timechart span=15m count
| where count > 20

Troubleshooting

No events in Splunk after configuring ISE syslog target

  • Confirm the ISE MnT node can reach the Splunk forwarder on the configured port (test with tcpdump port 514 on the Splunk server)
  • Verify the syslog target is assigned to at least one log category in ISE
  • Check ISE’s Administration > System > Logging > Debug Log Configuration — enable Logging at INFO level

Events appearing but fields not extracted

  • Confirm the add-on is installed on the indexer, not just the search head
  • Restart Splunk after installing the add-on
  • Run | metadata type=sourcetypes index=cisco_ise to verify the sourcetype is cisco:ise

Duplicate events in Splunk

  • ISE MnT sends each event once — duplicates usually mean you have multiple syslog targets pointing to Splunk, or the Heavy Forwarder is forwarding to the indexer AND the indexer is also listening directly

🎯 Studying for CCIE Security?

Practice with free flashcards, quizzes, and hands-on lab scenarios at cciesec.it-learn.io — built specifically for the CCIE Security v6.1 written (350-701 SCOR) and lab exam.