https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479442#M523689 <HTML><HEAD></HEAD><BODY><P>On my phone, I can see you are mainly interest in </P><UL><LI>passed authentications</LI><LI>failed attempts</LI><LI>RADIUS accounting</LI></UL><P></P><P>Thus, add your targets to those only and remove from the others. You would be getting acct interim updates as they are in the same category as acct start.</P></BODY></HTML> Fri, 14 Jul 2017 13:55:35 GMT hslai 2017-07-14T13:55:35Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479439#M523686 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I have enabled SYSLOG to two remote targets and I see a lot <STRONG>more messages being sent than I'd like to see.</STRONG></P><P>Let's just say the receiving syslog server vendor likes to charge by data volume ... you know who I mean <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P><P></P><P>My intention is to try reduce the amount of chaff that is being sent. The image below is a bit high res - but it shows the typical messages I am interested in (highlighted) and the rest is not interesting to me. </P><P></P><P><IMG alt="Cisco ISE SYSLOG decoded in Wireshark.png" class="image-1 jive-image" src="/legacyfs/online/fusion/109139_Cisco ISE SYSLOG decoded in Wireshark.png" style="width: 620px; height: 339px;" /> </P><P></P><P><IMG class="jive-image image-3" src="https://community.cisco.com/legacyfs/online/fusion/109141_pastedImage_4.png" style="max-height: 900px; max-width: 1200px;" /></P><P>I am also a bit unsure what the "Local Log Level" enable/disable means ... local to <EM>what</EM>?</P><P></P><P></P><P>I can't seem to find the right settings in ISE to fine tune the messages.&nbsp; I thought it may be under the Debug Log Configuration, because some of the SYSLOGs that I do NOT want to see, appear to me as being as a result of debugging enabled.&nbsp;&nbsp; But I have not touched the Debug Level Configurations - not sure how they relate to the actual SYSLOGs that I see.</P><P></P><P><IMG class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/109140_pastedImage_1.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P></P><P><STRONG>Anyone got some advice for me please?</STRONG></P></BODY></HTML> Fri, 14 Jul 2017 05:29:41 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479439#M523686 Arne Bier 2017-07-14T05:29:41Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479440#M523687 <HTML><HEAD></HEAD><BODY><P>Hi Arnie,</P><P></P><P>One way to reduce the logs will be to change the log levels of categories which are not of importance , to WARN, ERROR or FATAL .</P><P>INFO level generates logs for every transaction , config change , config consumption , which normally you would not care much if everything works well.</P><P>Other way could be&nbsp; to remove the target syslog server from unwanted categories.</P><P>At present as far as I know , we cannot disable any logging category .</P><P>but you can raise this request with the PM team .</P><P></P><P>Thanks,</P><P>Nidhi</P><P></P><P></P><P></P><DIV class="BubbleStyle_MessageContainer"><P></P></DIV></BODY></HTML> Fri, 14 Jul 2017 08:04:18 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479440#M523687 Nidhi 2017-07-14T08:04:18Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479441#M523688 <HTML><HEAD></HEAD><BODY><P>Adding to Nidhi's...</P><P>ISE syslog has many categories so please add your targets to the ones you are interested in. Your screenshots are not high enough resolution for me to tell.&nbsp; Each syslog entry has the category in it; e.g.</P><P></P><P><SPAN style="font-family: 'courier new', courier;">Aug 6 10:25:01 HOST/X.X.X.X CISE_<STRONG>Posture_and_Client_Provisioning_Audit</STRONG> 0000062241 4 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: ...</SPAN></P><P></P><P></P><P>The local logging refers to ISE local store logs, as shown below:</P><P></P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_15000330738076219" jivemacro_uid="_15000330738076219"> <P>myISE/admin# show logging application | inc local</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5914 Jul 14 2017 04:32:10&nbsp; appserver/localhost.2017-07-14.log</P> <P>--</P> <P>&nbsp;&nbsp;&nbsp; 251557 Jul 14 2017 11:42:41&nbsp; localStore/iseLocalStore.log</P> </PRE><P></P><P>The local store logs are under localStore so only the 2nd entry is.</P><P></P><P>The ISE debug configuration is for local debug only and does not go to syslog.</P></BODY></HTML> Fri, 14 Jul 2017 11:45:49 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479441#M523688 hslai 2017-07-14T11:45:49Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479442#M523689 <HTML><HEAD></HEAD><BODY><P>On my phone, I can see you are mainly interest in </P><UL><LI>passed authentications</LI><LI>failed attempts</LI><LI>RADIUS accounting</LI></UL><P></P><P>Thus, add your targets to those only and remove from the others. You would be getting acct interim updates as they are in the same category as acct start.</P></BODY></HTML> Fri, 14 Jul 2017 13:55:35 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479442#M523689 hslai 2017-07-14T13:55:35Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479443#M523690 <HTML><HEAD></HEAD><BODY><P>You need to click on the images - the browser should enlarge them.</P><P>In the case below I only enabled Category Passed Authentications.&nbsp; What I am asking about is how to get rid of all the stuff there that I don't want to see, e.g. the internal ISE DeviceType stuff, what Profile was selected and the fact that Dynamic Authorization succeeded etc.&nbsp; In my view those are Severity level INFO and not NOTICE.</P><P><IMG class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/109155_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P>If I understand Nidhi's comments, one cannot fine tune the sub-categories within the Categories ?</P><P></P><P>I would consider setting my Logging Targets' Facility Code to LOCAL5 (NOTICE) and then I would not have to log all the INFO and DEBUG stuff.</P></BODY></HTML> Sun, 16 Jul 2017 22:47:46 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479443#M523690 Arne Bier 2017-07-16T22:47:46Z https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479444#M523691 <HTML><HEAD></HEAD><BODY><P>You might be thinking about the Message Classes under each of the message categories as in the Message Catalog page. Then, you are correct that a logging target can only receive a category as a whole but not selectively among the message classes.</P><P></P><P>All the available parent and child categories are shown in the logging categories page. For example, the parent category "AAA Audit" has three categories -- AAA Audit, Failed Attempts, and Passed Authentications.</P><P></P><P>On my ISE, certain logging categories permit logging level changes but that applies to all the targets receiving the events from the particular category. There is no logging level setting for a remote logging target. I guess you may filter on logging levels on your syslog server.</P></BODY></HTML> Mon, 17 Jul 2017 00:11:57 GMT https://community.cisco.com/t5/network-access-control/ise-syslog-message-reduction/m-p/3479444#M523691 hslai 2017-07-17T00:11:57Z