topic Re: Cisco ISE in Network Access Control

Cisco ISE

Amen — Thu, 16 Dec 2021 16:03:29 GMT

I'm looking for some assistance please. I'm struggling to find a table which details what each log file's purpose is on the CLI. For example:

What log files must I look at to troubleshoot active directory issues?

What log files must I look at to troubleshoot replication issues across the ISE deployment?

What log files must I look at to troubleshoot patch upgrade status on a particular node?

I'm looking for something like this:

Log file name	Function/purpose
replication.log	All replication status/updates that happen throughout the ISE deployment and any errors that might occur.

This information would need to cover both system and application based logs.

Can someone point me in the right direction please?

Re: Cisco ISE

Arne Bier — Thu, 16 Dec 2021 21:19:05 GMT

Hello @Amen

The closest I have found and used in the past is this link here. It tells you which debugs to enable per problem category.

You can always tail the log output on the CLI instead of downloading the support bundle.

show logging application

and then tail the file you're debugging on

 show logging application ise-psc.log tail

Re: Cisco ISE

Amen — Fri, 17 Dec 2021 08:00:04 GMT

your answer is perfect if the issue is still happening, but what if i want to know the root cause like for example why

ISE Primary PAN did not sync secondary PAN about the new trusted certificates ? I solved the issue by doing a manel sync up but i want to know why this happened?

where i can check for that?

Thank you so much for your support

Re: Cisco ISE

Arne Bier — Fri, 17 Dec 2021 20:18:23 GMT

If you're looking at root cause analysis then you can still use that Cisco link as a guide to find your way through the various log files ISE creates. ISE is constantly logging something. And the logs can be downloaded individually from the UI

Operations >Troubleshoot > Download Logs > Debug Logs

Or download a bunch of logs called a Support Bundle

Operations >Troubleshoot > Download Logs > Support Bundle (tick the boxes, choose a date range)

If you're lucky enough, then the default logging level (normally "INFORMATIONAL") will provide some clues (assuming you have found the appropriate log file). But most of the time, INFO level won't tell you enough. So you need to crank up the Log Level to more detailed level - e.g. DEBUG (used in TAC cases). Then wait for the problem to happen again.

If you're a curious and patient person, then perhaps you'll find some clues. But I would recommend opening a TAC case - TAC engineers have tools to sift through the debugs and provide better insights - because they may have seen this problem before.