https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703532#M577769 <P>Is there a way to troubleshoot or validate that Cisco ISE is sending syslogs to a "Remote Logging Target"?<BR />I'm trying to set this up with QRadar however its showing that its not receieving any logs from ISE. I've confirmed that IBM has ISE packages to support it but I'm concerned because it says it supports versions 1.1 to 2.2 (seems very dated). Im running 3.1P3 at the moment.&nbsp;I've setup the logging categories to include the new target but still no luck.&nbsp;There is no firewalls between ISE and QRadar.&nbsp;</P> Fri, 14 Oct 2022 18:22:49 GMT Lucas Borza 2022-10-14T18:22:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703532#M577769 <P>Is there a way to troubleshoot or validate that Cisco ISE is sending syslogs to a "Remote Logging Target"?<BR />I'm trying to set this up with QRadar however its showing that its not receieving any logs from ISE. I've confirmed that IBM has ISE packages to support it but I'm concerned because it says it supports versions 1.1 to 2.2 (seems very dated). Im running 3.1P3 at the moment.&nbsp;I've setup the logging categories to include the new target but still no luck.&nbsp;There is no firewalls between ISE and QRadar.&nbsp;</P> Fri, 14 Oct 2022 18:22:49 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703532#M577769 Lucas Borza 2022-10-14T18:22:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703535#M577770 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1419709">@Lucas Borza</a> run tcpdump on ISE and filter on the syslog IP address to determine whether ISE attempts to communicate.</P> Fri, 14 Oct 2022 18:26:41 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703535#M577770 Rob Ingram 2022-10-14T18:26:41Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703536#M577771 <P>This might sound silly, but I've tried that and its empty. The syslogs are sending in UDP. Would the TCP dump cover that?</P> Fri, 14 Oct 2022 18:27:33 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703536#M577771 Lucas Borza 2022-10-14T18:27:33Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703539#M577772 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1419709">@Lucas Borza</a> have you assigned the remote logging server as a target under the required logging categories?</P> Fri, 14 Oct 2022 18:36:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703539#M577772 Rob Ingram 2022-10-14T18:36:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703544#M577773 <P>Yes. It turns out the team that manages QRadar had an error in their setup, and they resolved it. I would hope that the TCPDUMP would cover the UDP traffic to at least prove that I am sending the logs.&nbsp;&nbsp;</P> Fri, 14 Oct 2022 19:04:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703544#M577773 PRANetworkTeam 2022-10-14T19:04:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703708#M577775 <P data-source-line="1152">Covered in one of our <A href="https://cs.co/ise-webinars" target="_self">ISE Webinars</A>. Now available in the <A href="https://cs.co/ise-youtube" target="_self">CiscoISE YouTube Channel</A>.</P> <P data-source-line="1152"><STRONG>▶ <A class="" title="https://youtu.be/Y6F6XCLYUWA" href="https://youtu.be/Y6F6XCLYUWA" data-from-md="" target="_blank">ISE Initial Setup and Operations</A></STRONG></P> <P data-source-line="1166"><STRONG><A title="https://youtu.be/Y6F6XCLYUWA&amp;t=720s" href="https://youtu.be/Y6F6XCLYUWA&amp;t=720s" data-from-md="" target="_blank">12:00</A></STRONG> Syslogs and Remote Logging Targets<BR /><STRONG><A title="https://youtu.be/Y6F6XCLYUWA&amp;t=909s" href="https://youtu.be/Y6F6XCLYUWA&amp;t=909s" data-from-md="" target="_blank">15:09</A></STRONG> Logging Categories and Example Syslogs<BR /><STRONG><A title="https://youtu.be/Y6F6XCLYUWA&amp;t=1025s" href="https://youtu.be/Y6F6XCLYUWA&amp;t=1025s" data-from-md="" target="_blank">17:05</A></STRONG> Authentication Syslogs from Meraki Dashboard<BR /><STRONG><A class="" title="https://youtu.be/Y6F6XCLYUWA&amp;t=1173s" href="https://youtu.be/Y6F6XCLYUWA&amp;t=1173s" data-from-md="" target="_blank">19:33</A></STRONG> Syslog Message Catalog and Export<BR /><STRONG><A title="https://youtu.be/Y6F6XCLYUWA&amp;t=1237s" href="https://youtu.be/Y6F6XCLYUWA&amp;t=1237s" data-from-md="" target="_blank">20:37</A></STRONG> Syslog Collection Filters</P> Sat, 15 Oct 2022 14:11:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703708#M577775 thomas 2022-10-15T14:11:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703718#M577776 <P>I'm thinking something is up with QRadar not showing the "Notice" syslogs. I have my logging categories setup correctly but I'm looking to see the authentication/authorization logs from every attempt. The goal is to have it so I can trigger an alert if a device is Anomalous or if it hits an Authorization Policy I set for quarantine. I saw in the documentation with QRadar they support versions 1.1 to 2.2 which I find it pretty dated. Maybe they don't accept all syslogs from ISE since I'm running 3.1P3.&nbsp;</P> Sat, 15 Oct 2022 15:17:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-syslog-target-capture/m-p/4703718#M577776 Lucas Borza 2022-10-15T15:17:36Z