Cisco ISE Log Parsing Configuration to Circumvent Loading the Nimbda Agent on AD


At the bottom is how, in GigaFlow, we would parse the ISE log so we can add the username, IP and domain to the flow records we receive from the other devices. This is easier and less of a hassle than running the Nimbda agent on the ADs!

[Screenshot: image-1672861210336.png]


[Screenshot: image-1672861224996.png]

This is the GigaFlow parsing set and the regex used to extract the fields we want from ISE (a sample CISE_Passed_Authentications syslog line, followed by the regex that captures the source IP, the username and the identity group):

[Screenshot: image-1672861274872.png]

172.18.2.101:<181>Aug 12 17:41:12 hqise CISE_Passed_Authentications 0000000069 4 1  cisco-av-pair=ip:source-ip=41.21.216.46, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=Ampath-Employee, OriginalUserName=durganp, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=196.13.169.171, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=hqise/407628313/49227951, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=VPN_Protocols, SelectedAuthorizationProfiles=SSL-Ampath-Personnel_Level1-AUTH-PROF, IdentityGroup=User Identity Groups:SSL_Employee_Level_1, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15041, Step=15013, Step=24210, Step=24212, Step=22037, Step=24715, Step=15036, Step=24209, Step=24211, Step=15016, Step=11022, Step=22081, Step=22080,
ISE_Passed_Authentications .+?:source-ip=(.+?), .+?OriginalUserName=(.+?),.+?Identity Groups:(.+?),
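As an added example (not part of this page or of GigaFlow itself), the Python below applies the regex above to the sample line and folds a batch of ISE syslog into an IP-to-user table, skipping anything that is not a CISE_Passed_Authentications message. The syslog header pattern and the two extra sample lines are constructed for the example.

```python
import re
from typing import Optional

# The page's GigaFlow regex, unchanged: captures source-ip, OriginalUserName and the
# first "Identity Groups:" value.
GIGAFLOW_RE = re.compile(
    r"ISE_Passed_Authentications .+?:source-ip=(.+?), .+?OriginalUserName=(.+?),.+?Identity Groups:(.+?),"
)

# Syslog prefix in the shape the page's sample shows: "sender-ip:<PRI>Mon DD HH:MM:SS host CISE_type ...".
# This header pattern is an assumption of the example, not part of the GigaFlow configuration.
HEADER_RE = re.compile(
    r"^(?P<src>[\d.]+):<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<msgtype>CISE_\w+) .*$"
)


def parse_ise_line(line: str) -> Optional[dict]:
    """Return ip/user/group/host/ts for a passed authentication, or None if the line is not one."""
    hdr = HEADER_RE.match(line.strip())
    if not hdr or hdr["msgtype"] != "CISE_Passed_Authentications":
        return None  # failed attempts and other ISE categories carry no usable session binding
    m = GIGAFLOW_RE.search(line)
    if not m:
        return None  # a passed auth without a source-ip av-pair cannot be tied to a flow address
    ip, user, group = m.groups()
    return {"ip": ip, "user": user, "group": group, "host": hdr["host"], "ts": hdr["ts"]}


def build_ip_map(lines) -> dict:
    """Fold a batch of lines into an ip -> {user, group} table; the latest binding for an IP wins."""
    table: dict = {}
    for line in lines:
        rec = parse_ise_line(line)
        if rec:
            table[rec["ip"]] = {"user": rec["user"], "group": rec["group"]}
    return table


# Constructed sample batch: the page's own line, then two made-up lines (a failed attempt that must
# be ignored, and a second passed authentication) to exercise the filtering.
SAMPLE_LINES = [
    "172.18.2.101:<181>Aug 12 17:41:12 hqise CISE_Passed_Authentications 0000000069 4 1  cisco-av-pair=ip:source-ip=41.21.216.46, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=Ampath-Employee, OriginalUserName=durganp, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, SSID=196.13.169.171, CVPN3000/ASA/PIX7x-Client-Type=2, AcsSessionID=hqise/407628313/49227951, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=VPN_Protocols, SelectedAuthorizationProfiles=SSL-Ampath-Personnel_Level1-AUTH-PROF, IdentityGroup=User Identity Groups:SSL_Employee_Level_1, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15041, Step=15013, Step=24210, Step=24212, Step=22037, Step=24715, Step=15036, Step=24209, Step=24211, Step=15016, Step=11022, Step=22081, Step=22080,",
    "172.18.2.101:<181>Aug 12 17:42:00 hqise CISE_Failed_Attempts 0000000070 1 0  cisco-av-pair=ip:source-ip=41.21.216.47, OriginalUserName=baduser, IdentityGroup=User Identity Groups:SSL_Employee_Level_1,",
    "172.18.2.101:<181>Aug 12 17:43:30 hqise CISE_Passed_Authentications 0000000071 4 1  cisco-av-pair=ip:source-ip=41.21.216.50, cisco-av-pair=coa-push=true, OriginalUserName=example.user, AuthenticationMethod=PAP_ASCII, IdentityGroup=User Identity Groups:SSL_Employee_Level_1, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001,",
]

if __name__ == "__main__":
    for ip, who in build_ip_map(SAMPLE_LINES).items():
        print(f"{ip} -> {who['user']} ({who['group']})")
```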
