https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4957641#M585148 <P>When configured with a remote logging target, all ISE nodes will directly send syslog to the external target. The PSNs will send endpoint session-related logs directly to the target and all nodes will send health-related logs directly to the target.</P> Sun, 12 Nov 2023 23:28:28 GMT Greg Gibbs 2023-11-12T23:28:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4957625#M585142 <P>Hi,<BR /><BR />I need to integrate ISE to send logs to SIEM.<BR />I have a distributed large deployment, one VM for each ISE persona.<BR /><BR />My doubt is the following:<BR />1. Which IP address should I configure on SIEM? <STRONG>Only MnT nodes</STRONG>? or all Cisco ISE nodes?</P><P>2. Which ISE node will send logs to SIEM?</P><P>&nbsp;</P> Sun, 12 Nov 2023 22:01:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4957625#M585142 iran 2023-11-12T22:01:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4957641#M585148 <P>When configured with a remote logging target, all ISE nodes will directly send syslog to the external target. The PSNs will send endpoint session-related logs directly to the target and all nodes will send health-related logs directly to the target.</P> Sun, 12 Nov 2023 23:28:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4957641#M585148 Greg Gibbs 2023-11-12T23:28:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958287#M585161 <P>Hello, Thank you.<BR /><BR />I am still with doubts about which IP addresses should I add on SIEM server configuration and allow firewall rules.<BR /><BR />My initial understanding was that there is only need to add <STRONG>MnT IP addresses</STRONG> on SIEM configuration. Please, let me know if this is not correct.<BR /><BR />Since all the logs are sent to MnT, I am assuming that MnT has the needed information to send to the SIEM<BR /><BR /><BR /><BR /><BR /><BR /><BR /></P> Mon, 13 Nov 2023 15:10:05 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958287#M585161 iran 2023-11-13T15:10:05Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958338#M585162 <P>I use splunk as remoting logging target and configure all ISE nodes to communicate with splunk SIEM.</P> Mon, 13 Nov 2023 16:25:02 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958338#M585162 adamscottmaster2013 2023-11-13T16:25:02Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958360#M585165 <P>That is the case unless you configure an external logging target. When you configure the external logging target all ISE nodes that would have generated and sent the logs to the MnT will start sending their logs to the external logging target.</P> Mon, 13 Nov 2023 17:12:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958360#M585165 Aref Alsouqi 2023-11-13T17:12:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958495#M585166 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1051287">@iran </a>&nbsp;... to be very clear, the MnT nodes DO NOT 'roll-up' logs sent from the other nodes and send them to the external syslog/SIEM server. As I stated before, all nodes will source their relevant syslog messages directly to the external target.</P> Mon, 13 Nov 2023 21:10:31 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-remote-target-logging-siem/m-p/4958495#M585166 Greg Gibbs 2023-11-13T21:10:31Z