topic Re: where can I find a log of failed logon attempt against ISE CLI? in Network Access Control

where can I find a log of failed logon attempt against ISE CLI?

tachyon05 — Tue, 04 Oct 2022 16:06:46 GMT

I would like to find out who or what is failing to logon to ISE CLI. It could be a security scanner but where can I find info like source IP date/time etc.?

Re: where can I find a log of failed logon attempt against ISE CLI?

davidgfriedman — Tue, 04 Oct 2022 16:39:10 GMT

Try:
# show logg system audit/audit.log | inc USER_LOGIN
then look for the lines ending:
exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=sshd res=failed'

Re: where can I find a log of failed logon attempt against ISE CLI?

tachyon05 — Tue, 04 Oct 2022 17:28:15 GMT

Thanks. That does seem to show some CLI logon attempts, but it looks like the aging policy on log is so aggressive that only the log only contains data for the last 5 or 10 minutes.

Re: where can I find a log of failed logon attempt against ISE CLI?

davidgfriedman — Tue, 04 Oct 2022 18:40:37 GMT

ok. I can see now that it rotates often:
ise1-pan-m01/comms# show logg system | i audit.log
3919548 Oct 04 2022 14:34:49 audit/audit.log
8388870 Oct 04 2022 13:28:40 audit/audit.log.1
8388732 Oct 04 2022 11:02:26 audit/audit.log.2
8388809 Oct 04 2022 08:38:46 audit/audit.log.3
8388625 Oct 04 2022 06:13:08 audit/audit.log.4
ise1-pan-m01/comms#

How about going to a linux host, starting "script", ssh'ing into the host, then issuing:
show logg system | i audit.log
Then you could keep it open for a few hours or a day to record the screen output, hit control-c to get out of it whenever you want, exit ssh, exit "script" and then grep whatever you want from the resulting "typescript" log file?

Or option 2:
list the files with show logg system | i audit.log
then for each file swap the filename but only search for failures, ex:
show logg system audit/audit.log | i res=failed
show logg system audit/audit.log.1 | i res=failed
show logg system audit/audit.log.2 | i res=failed
show logg system audit/audit.log.3 | i res=failed
show logg system audit/audit.log.4 | i res=failed

Re: where can I find a log of failed logon attempt against ISE CLI?

tachyon05 — Tue, 04 Oct 2022 19:57:45 GMT

Good to know. Thanks. I have 5 files also, and they span about 90 minutes.

Re: where can I find a log of failed logon attempt against ISE CLI?

hslai — Fri, 07 Oct 2022 00:01:31 GMT

ISE also has it in the Administrator Logins report under ISE admin web > menu > Operations > Reports > Reports > Audit.

Re: where can I find a log of failed logon attempt against ISE CLI?

tachyon05 — Fri, 07 Oct 2022 15:05:27 GMT

Hslai, thanks for sharing but it looks like the GUI report only shows successful logons. As a test, I intentionally attempted to logon to CLI using a wrong password, the GUI report doesn't show those attempts.