Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Unable to handle large Cisco ISE log messages #10945

Open realolap opened 1 month ago

realolap commented 1 month ago

Describe the bug

Log messages from ISE are frequently large (up to 8k), and in the ISE server "Logging Target" there are configuration settings to make sure that the maximum message length does not exceed one frame. ISE splits the message into multi-part entries with tagging, i.e. part 1, part 2. When they arrive at the rsyslog collector running the AMA agent, the log collector forwards frame by frame to Log Analytics as individual messages, causing parsing errors in the Syslog table since each part is not a complete message.

To Reproduce

1. Configure an ISE system with a remote logging target: a VM running rsyslog.
2. Configure the target with a maximum message length of 1k.
3. On the rsyslog VM, configure the AMA agent to forward to Sentinel.
4. Make sure ISE emits a log entry larger than 1k.
5. Query the Syslog table in Sentinel / LA for:

Syslog
| where ProcessName has_any  ("CSCO", "CISE")

Expected behavior

The Cisco ISE solution should come with guidelines on how to configure the flow to mitigate the deviation from the syslog RFC. Are there specific configurations that need to be done on the ISE server, the network stack, or the syslog forwarding server to handle jumbo messages?

Screenshots

Querying the same message in Log Analytics / Sentinel:

Syslog | where Facility == "local6" | where EventTime == "2024-04-18T12:44:53Z"


Finding the same message parsed by CiscoISEEvent by looking at the TimeGenerated in the Syslog table. There are no other identifying fields parsed.

CiscoISEEvent | where TimeGenerated between (todatetime('2024-04-18T12:43:03Z') .. todatetime('2024-04-18T12:43:04Z'))

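The bug report above describes ISE splitting one logical event across several syslog frames that the collector then forwards as independent records. The following is an added example, not code from the issue or from the Azure-Sentinel repository, showing how a collector-side (or post-ingestion) step can reassemble such frames before parsing. It assumes the Cisco ISE syslog header layout `timestamp host CategoryName SequenceNumber TotalSegments SegmentIndex payload` with a zero-based segment index, which is an assumption here and not stated on the page; the sample lines, hostnames, usernames and addresses are constructed for the example, and the function names (`parse_segment`, `reassemble`, `extract_fields`) are the example's own.

```python
import re
from collections import defaultdict

# Assumed Cisco ISE multi-part syslog layout (assumption, not taken from the issue page):
#   <PRI>timestamp host CategoryName SequenceNumber TotalSegments SegmentIndex payload
# All frames of one logical event share SequenceNumber; SegmentIndex is zero-based.
ISE_SEGMENT_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                    # optional syslog PRI such as <182>
    r"(?P<ts>\S+\s+\d+\s+[\d:]+)\s+"      # RFC3164-style timestamp, e.g. "Apr 18 12:44:53"
    r"(?P<host>\S+)\s+"                   # sending ISE node
    r"(?P<category>CISE_\w+|CSCO\w*)\s+"  # message category (ProcessName in the Syslog table)
    r"(?P<seq>\d{10})\s+"                 # 10-digit message sequence number
    r"(?P<total>\d+)\s+"                  # total number of segments for this message
    r"(?P<index>\d+)\s+"                  # this segment's zero-based index
    r"(?P<payload>.*)$"                   # the fragment of the real message body
)

# Constructed sample frames: one 3-part event, one single-frame event, and one
# 2-part event whose second frame never arrived (to exercise the failure mode).
SAMPLE_LINES = [
    "<182>Apr 18 12:44:53 ise-node-1 CISE_Passed_Authentications 0000012345 3 0 2024-04-18 12:44:53.120 +00:00 0001234567 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=42, Device IP Address=10.0.0.5, UserName=alice, ",
    "<182>Apr 18 12:44:53 ise-node-1 CISE_Passed_Authentications 0000012345 3 1 NetworkDeviceName=edge-sw-01, Protocol=Radius, RequestLatency=17, AuthenticationMethod=PEAP, ",
    "<182>Apr 18 12:44:53 ise-node-1 CISE_Passed_Authentications 0000012345 3 2 SelectedAccessService=Default Network Access, Step=11001, Step=11017, ",
    "<182>Apr 18 12:44:54 ise-node-1 CISE_Failed_Attempts 0000012346 1 0 2024-04-18 12:44:54.010 +00:00 0001234568 5400 NOTICE Failed-Attempt: Authentication failed, UserName=bob, FailureReason=22056 Subject not found, ",
    "<182>Apr 18 12:44:55 ise-node-1 CISE_RADIUS_Accounting 0000012347 2 0 2024-04-18 12:44:55.000 +00:00 0001234569 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=carol, ",
]


def parse_segment(line):
    """Split one syslog frame into its ISE header fields; None if it is not an ISE frame."""
    m = ISE_SEGMENT_RE.match(line)
    if m is None:
        return None
    seg = m.groupdict()
    seg["total"] = int(seg["total"])
    seg["index"] = int(seg["index"])
    return seg


def reassemble(lines):
    """Group frames by (host, sequence number) and join complete sets in index order.

    Returns (complete, incomplete, unparsed):
      complete   - list of dicts {host, category, seq, message} for fully received events
      incomplete - {(host, seq): [missing segment indexes]} for events with gaps
      unparsed   - raw lines that did not match the ISE header layout
    """
    buckets = defaultdict(dict)   # (host, seq) -> {index: segment}
    unparsed = []
    for line in lines:
        seg = parse_segment(line)
        # Reject frames that do not parse or whose index contradicts the declared total.
        if seg is None or seg["index"] >= seg["total"]:
            unparsed.append(line)
            continue
        buckets[(seg["host"], seg["seq"])][seg["index"]] = seg

    complete, incomplete = [], {}
    for key, segs in buckets.items():
        total = next(iter(segs.values()))["total"]
        missing = [i for i in range(total) if i not in segs]
        if missing:
            incomplete[key] = missing      # do not emit a partial event as if it were whole
            continue
        first = segs[0]
        complete.append({
            "host": first["host"],
            "category": first["category"],
            "seq": first["seq"],
            "message": "".join(segs[i]["payload"] for i in range(total)),
        })
    return complete, incomplete, unparsed


def extract_fields(message):
    """Pull the 'Key=Value, ' pairs out of a reassembled ISE message body."""
    fields = {}
    for part in message.split(", "):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    complete, incomplete, unparsed = reassemble(SAMPLE_LINES)
    for event in complete:
        print(event["seq"], event["category"], extract_fields(event["message"]).get("UserName"))
    print("incomplete:", incomplete)
    print("unparsed:", len(unparsed))
```

Run as a filter in front of the forwarder (or over an export of the Syslog table), this yields one record per logical event, so a key=value parser sees `UserName=alice` together with `AuthenticationMethod=PEAP` even though they arrived in different frames. The `incomplete` map is the thing to alert on: a growing set of sequence numbers with missing indexes points at frames being dropped between ISE and the collector rather than at a parser defect.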

v-sudkharat commented 1 month ago

Hi @realolap, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

v-rusraut commented 6 days ago

Hi @realolap, please run the query below and share the result with the email id: v-rusraut@microsoft.com.

Syslog
| where ProcessName has_any  ("CSCO", "CISE")

Thanks

v-rusraut commented 4 days ago

Hi @realolap, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 13-09-2024, we will be closing this issue. Thanks!

realolap commented 3 days ago

Thanks for your feedback @v-rusraut. I will collect the data and get back to you.