topic Re: Is it still relevant to send switch syslogs to ISE 2.x/3.x? in Network Access Control

Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Arne Bier — Wed, 31 Aug 2022 00:23:01 GMT

Hello,

Anyone know exactly what the benefit was of configuring a Cisco switch to send the switch SYSLOGs to ISE?

I see it mentioned in older documentation and blogs:

What did ISE do with those SYSLOGs? Does this add any information to the LiveLogs, or Endpoint debugs etc.?

Is there any benefit in sending SYSLOGs to ISE 2.x/3.x ?

regards

Arne

Re: Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Greg Gibbs — Thu, 01 Sep 2022 22:43:05 GMT

Sending switch syslog to ISE was only ever to aid in troubleshooting. I think the consumed syslog data would supplement some of the reports or troubleshooting tools, but I never really found it useful. The only real detail I can find is in the old 2.1 'TrustSec How-To Guide' that I still have saved.

Syslog may be generated on Cisco IOS® Software in many events. Some of the syslog messages can be sent to Cisco ISE to be used for troubleshooting.
...

Set up standard logging functions on the switch to support possible troubleshooting / recording for Cisco ISE functions. The Enforcement Policy Module (EPM) is a part of the Cisco IOS Software responsible for features such as web authentication and downloadable ACL.
Enabling EPM logging generates a syslog related to downloadable ACL authorization, and part of the log can be correlated inside Cisco ISE when such logs are sent to Cisco ISE.
...
Only the following NAD syslog messages are actually collected and used by Cisco ISE:
- AP-6-AUTH_PROXY_AUDIT_START
- AP-6-AUTH_PROXY_AUDIT_STOP
- AP-1-AUTH_PROXY_DOS_ATTACK
- AP-1-AUTH_PROXY_RETRIES_EXCEEDED
- AP-1-AUTH_PROXY_FALLBACK_REQ
- AP-1-AUTH_PROXY_AAA_DOWN
- AUTHMGR-5-MACMOVE
- AUTHMGR-5-MACREPLACE
- MKA-5-SESSION_START
- MKA-5-SESSION_STOP
- MKA-5-SESSION_REAUTH
- MKA-5-SESSION_UNSECURED
- MKA-5-SESSION_SECURED
- MKA-5-KEEPALIVE_TIMEOUT
- DOT1X-5-SUCCESS / FAIL
- MAB-5-SUCCESS / FAIL
- AUTHMGR-5-START / SUCCESS / FAIL
- AUTHMGR-SP-5-VLANASSIGN / VLANASSIGNERR
- EPM-6-POLICY_REQ
- EPM-6-POLICY_APP_SUCCESS / FAILURE
- EPM-6-IPEVENT:
- DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
- RADIUS-4-RADIUS_DEAD

Re: Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Marcelo Morais — Thu, 01 Sep 2022 23:58:29 GMT

Hi @Arne Bier ,

I understand that your question is related to "benefits", but I would like to add that:

" ... As a best practice, do NOT configure Network Devices to send Syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) Node as this could result in the loss of some Network Access Device (NAD) Syslogs, and overloads the MnT Servers resulting in loading issues... " (please take a look at ISE Administration Guide).

Hope this helps !!!

Re: Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Arne Bier — Fri, 02 Sep 2022 00:33:57 GMT

thanks @Greg Gibbs - those events look quite useful to be honest. But if they are buried somewhere in text file logs (and not enhancing the Web UI user experience) then it's probably not worth bothering with.

Re: Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Arne Bier — Fri, 02 Sep 2022 00:41:11 GMT

thanks @Marcelo Morais - when they use words like "could result" then I am still none the wiser.

and if you read further below, the guide contradicts itself

If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:

<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>

Otherwise, this might impact functionalities that depend on the NAS IP address.

It's probably safe to say that nobody should do this because it's a legacy feature and the world was a different place when ISE 1.x was around.