https://community.cisco.com/t5/network-access-control/forwarding-ise-authentication-logging-to-splunk/m-p/4109277#M561411 Make sure you update the logging categories in ISE to add the new target (splunk). This should assist you in your journey: <A href="http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk" target="_blank">http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk</A><BR />HTH! Thu, 25 Jun 2020 12:41:49 GMT Mike.Cifelli 2020-06-25T12:41:49Z https://community.cisco.com/t5/network-access-control/forwarding-ise-authentication-logging-to-splunk/m-p/4109084#M561401 <P>Hi Guys,</P><P>I want to forward Cisco ISE authentication logging to Splunk. The goal is to capture the authentication success from endpoints to ISE.</P><P>So far I already configured the Splunk IP and port on Remote Logging Targets and added it on AAA Audit's Targets column. There are logs that forwarded to ISE, but only contains purging messages. Not the authentication messages like I wanted. Below is the example of the log.</P><P><SPAN>&lt;</SPAN><SPAN class="t">182</SPAN><SPAN>&gt;</SPAN><SPAN class="t">Jun</SPAN> <SPAN class="t">25</SPAN> <SPAN class="t">05:40:27</SPAN>&nbsp;ISE_Hostname&nbsp;<SPAN class="t">CISE_MONITORING_DATA_PURGE_AUDIT</SPAN> <SPAN class="t">2020-06-25</SPAN> <SPAN class="t">04:52:10.062</SPAN><SPAN> +</SPAN><SPAN class="t">0700</SPAN> <SPAN class="t">60198</SPAN> <SPAN class="t">INFO</SPAN> <SPAN class="t">null:</SPAN> <SPAN class="t">MnT</SPAN> <SPAN class="t">purge</SPAN> <SPAN class="t">event</SPAN> <SPAN class="t">occurred</SPAN><SPAN>, </SPAN><SPAN class="t">MESSAGE=purging</SPAN> <SPAN class="t">Tacacs</SPAN> <SPAN class="t">data</SPAN> <SPAN class="t">older</SPAN> <SPAN class="t">than</SPAN> <SPAN class="t">26-MAY-20,</SPAN></P><P><SPAN class="t">Is there anyway to forward the AAA logs to Splunk? I am using ISE version 2.3.0.298. Thank you.</SPAN></P> Thu, 25 Jun 2020 03:42:12 GMT https://community.cisco.com/t5/network-access-control/forwarding-ise-authentication-logging-to-splunk/m-p/4109084#M561401 fdharmawan 2020-06-25T03:42:12Z https://community.cisco.com/t5/network-access-control/forwarding-ise-authentication-logging-to-splunk/m-p/4109277#M561411 Make sure you update the logging categories in ISE to add the new target (splunk). This should assist you in your journey: <A href="http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk" target="_blank">http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk</A><BR />HTH! Thu, 25 Jun 2020 12:41:49 GMT https://community.cisco.com/t5/network-access-control/forwarding-ise-authentication-logging-to-splunk/m-p/4109277#M561411 Mike.Cifelli 2020-06-25T12:41:49Z