Integration Name
Cisco ISE [cisco_ise]
Dataset Name
cisco_ise.log
Integration Version
1.25.0
Agent Version
syslog
Agent Output Type
logstash
Elasticsearch Version
8.18.7
OS Version and Architecture
Linux, Kubernetes
Software/API Version
No response
Error Message
"error": {
"message": [
"'async' is not an IP string literal."
]
}
We are receiving strings as part of the remote_address.
Event Original
"event.original": [
"<181>Feb 18 11:54:29 HOSTNAME_DUMMY CISE_TACACS_Accounting DEVICEID_000001 2 0 2026-02-18 11:54:29.278 +00:00 SESSIONID_000001 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=173, Device IP Address=IP_DUMMY_1, RequestLatency=2, NetworkDeviceName=DEVICE_NAME_DUMMY, Type=Accounting, Privilege-Level=15, Service=Login, User=USER_DUMMY, Port=tty0, Remote-Address=async, Authen-Method=TacacsPlus, AVPair=task_id=10436, AVPair=timezone=GMT, AVPair=start_time=1771413837, AVPair=disc-cause=4, AVPair=disc-cause-ext=47, AVPair=pre-session-time=25, AVPair=elapsed_time=1832, AVPair=stop_time=1771415669, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=HOSTNAME_DUMMY/SESSION_ABC123/SESSION_DEF456, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#West Brom, NetworkDeviceGroups=Device Type#All Device Types#Cisco Devices#Cisco 6500, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No,\r"
]
"original": "<181>Mar 20 12:01:20 HOSTNAME_DUMMY CISE_TACACS_Accounting DEVICEID_000001 1 0 2026-03-20 12:01:20.528 +00:00 SESSIONID_000001 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=78, Device IP Address=IP_DUMMY_1, NetworkDeviceName=DEVICE_NAME_DUMMY, Type=Accounting, Privilege-Level=0, Service=Login, User=USER_DUMMY, Port=/dev/pts/3, Remote-Address=console, Authen-Method=TacacsPlus, AVPair=timezone=GMT, AVPair=task_id=375, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=HOSTNAME_DUMMY/SESSION_ABC123/SESSION_DEF456, SelectedAccessService=DMASRMOD-IPP, RequestLatency=1, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Device Type#All Device Types#Cisco, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=All Platforms#All Platforms#IPP#IPP_ACCESS, NetworkDeviceGroups=Location#All Locations, CPMSessionID=CPM_DUMMY_001, TotalAuthenLatency=1, ClientLatency=0, Network Device Profile=Cisco, Location=Location#All Locations, Device Type=Device Type#All Device Types#Cisco, IPSEC=IPSEC#Is IPSEC Device#No, All Platforms=All Platforms#All Platforms#IPP#IPP_ACCESS, Response={AcctReply-Status=Success; },\r"
The above logs are anonymized to an extent.
What did you do?
Data flow: source -> syslog agent -> logstash -> kafka -> logstash -> elastic

As a workaround we amended the if condition of the below processor:

{
  "convert": {
    "ignore_failure": true,
    "field": "host.hostname",
    "target_field": "host.ip",
    "ignore_missing": true,
    "type": "ip",
    "if": "ctx.host?.hostname != null && ctx.host.hostname != '' && ctx.host?.hostname =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$/"
  }
}

Added: ctx.host.hostname != '' && ctx.host?.hostname =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$/
What did you see?
What did you expect to see?
As we have spoken with our network engineers, we can expect that remote_address could contain terms such as "EEM", "console", "async" when the network engineers connect to the Cisco devices through hardware or a console to perform administrative processes like restarting, setting up the device, initialization etc.
Anything else?
I assume the pipeline should process this set of logs as well.
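The example below is added here to illustrate the failure mode in the report and a stricter guard for it; it is not code from the Cisco ISE integration or from the reporter. It parses the comma-separated key=value body of the two anonymized TACACS+ accounting events (trimmed, constructed samples), and then emulates the convert step: Remote-Address is assumed to be the value that ends up in host.hostname (which is what the workaround's processor converts), and host.ip is populated only when that value is a real IPv4/IPv6 literal. It also shows why an ipaddress-style check is preferable to the workaround's regex: values such as "cafe" or "999.1.1.1" pass the regex but are not IP literals, so the ip conversion would still fail or store bad data. Function names are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Union

# Constructed samples, trimmed from the two anonymized events in the report.
# Each keeps the syslog/ISE header and a handful of the key=value pairs.
SAMPLE_ASYNC = (
    "<181>Feb 18 11:54:29 HOSTNAME_DUMMY CISE_TACACS_Accounting DEVICEID_000001 2 0 "
    "2026-02-18 11:54:29.278 +00:00 SESSIONID_000001 3302 NOTICE Tacacs-Accounting: "
    "TACACS+ Accounting STOP, ConfigVersionId=173, Device IP Address=IP_DUMMY_1, "
    "User=USER_DUMMY, Port=tty0, Remote-Address=async, Authen-Method=TacacsPlus, "
    "AVPair=task_id=10436, AVPair=timezone=GMT, Step=13006, Step=15049, "
    "NetworkDeviceGroups=Location#All Locations#West Brom,\r"
)
SAMPLE_CONSOLE = (
    "<181>Mar 20 12:01:20 HOSTNAME_DUMMY CISE_TACACS_Accounting DEVICEID_000001 1 0 "
    "2026-03-20 12:01:20.528 +00:00 SESSIONID_000001 3302 NOTICE Tacacs-Accounting: "
    "TACACS+ Accounting STOP, ConfigVersionId=78, User=USER_DUMMY, Port=/dev/pts/3, "
    "Remote-Address=console, Authen-Method=TacacsPlus, AVPair=timezone=GMT, "
    "Response={AcctReply-Status=Success; },\r"
)

# The regex from the workaround's Painless "if" condition, as a Python pattern.
WORKAROUND_RE = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$")

Fields = Dict[str, Union[str, List[str]]]


def parse_ise_kv(message: str) -> Fields:
    """Split an ISE TACACS accounting message into key=value pairs.

    Pairs are separated by ", "; repeated keys (AVPair, Step, ...) become lists.
    The syslog header and the "Tacacs-Accounting:" prefix carry no '=' and are
    skipped. Only the first '=' splits a pair, so "AVPair=task_id=10436" keeps
    "task_id=10436" as its value.
    """
    fields: Fields = {}
    for token in message.split(", "):
        token = token.strip().rstrip(",").strip()  # drop trailing ",\r"
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        key, value = key.strip(), value.strip()
        existing = fields.get(key)
        if existing is None:
            fields[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            fields[key] = [existing, value]
    return fields


def is_ip_literal(value: str) -> bool:
    """Strict check: accept only a parseable IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def matches_workaround_regex(value: str) -> bool:
    """The looser guard used in the reported workaround."""
    return WORKAROUND_RE.match(value) is not None


def route_remote_address(fields: Fields) -> Dict[str, str]:
    """Emulate the convert step (hypothetical helper).

    Remote-Address always lands in host.hostname; host.ip is set only when the
    value is a real IP literal, so tokens like 'async', 'console' or 'EEM' are
    kept as strings instead of tripping the ip conversion.
    """
    raw = fields.get("Remote-Address")
    if not isinstance(raw, str) or raw == "":
        return {}
    out = {"host.hostname": raw}
    if is_ip_literal(raw):
        out["host.ip"] = raw
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_ASYNC, SAMPLE_CONSOLE):
        parsed = parse_ise_kv(sample)
        print(parsed["Remote-Address"], "->", route_remote_address(parsed))
    # Values the workaround regex accepts but the ip type would reject:
    for candidate in ("cafe", "999.1.1.1"):
        print(candidate, matches_workaround_regex(candidate), is_ip_literal(candidate))
```

Running the block prints that both sample events route Remote-Address to host.hostname only, and that "cafe" and "999.1.1.1" satisfy the workaround regex while failing the strict IP check, which is the gap a pipeline guard should close.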