topic Re: Log analytics with elk for monitoring reports in Network Access Control

Log analytics with elk for monitoring reports

jagritibhardwaj471 — Mon, 01 Apr 2024 06:21:04 GMT

In Ise version 3.3 there is a feature of System 360 that includes Monitoring and Log Analytics, with elk monitoring , I want to fetch the radius accounting logs for the last 90 days. Will this feature be able to fetch logs of last 90 days and if not , then logs of how many days can be retrieved using this feature?

Re: Log analytics with elk for monitoring reports

balaji.bandi — Mon, 01 Apr 2024 10:02:45 GMT

As per the i know ISE 3.3 Log analytics - how the system performing - check the admin guide - System 360

check the data retained as mentioned in the document.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_maintain_monitor.html#c_system360

Re: Log analytics with elk for monitoring reports

ahollifield — Mon, 01 Apr 2024 11:15:41 GMT

No, log analytics only has a 7 day retention time.

Re: Log analytics with elk for monitoring reports

Arne Bier — Mon, 01 Apr 2024 20:52:17 GMT

@jagritibhardwaj471 - I was also surprised to learn that Log Analytics only retains 7 days (I guess I should read that link in more detail) - perhaps the answer lies in the Data Connect feature (ODBC/JDBC) to fetch data from the MNTs using SQL queries.

Administration > System > Data Connect

There are SQL tools like SQuirreL SQL Client Home Page (sourceforge.io) or Download SQL Server Management Studio (SSMS) - SQL Server Management Studio (SSMS) | Microsoft Learn to visually inspect and fetch data from the ISE database when Data Connect is enabled.

Re: Log analytics with elk for monitoring reports

jagritibhardwaj471 — Tue, 02 Apr 2024 04:38:46 GMT

That means the only way to collect last 90 days radius accounting logs is via data connect ?? But in my case , we are working with Ise release 2.7 and data connect is a feature for versions starting from release 3.2 . Does that conclude that we have no other way to collect historic radius accounting logs apart from data connect ?

Re: Log analytics with elk for monitoring reports

ahollifield — Tue, 02 Apr 2024 10:35:57 GMT

<>
[logo-open-graph.gif]
Cisco Identity Services Engine 2.7 - End of Life Announcement for the Cisco Identity Services Engine Software Version 2.7<>
cisco.com<>
What is your use-case for needing 90 days of accounting logs? Why not use a Syslog collector instead?

Re: Log analytics with elk for monitoring reports

jagritibhardwaj471 — Tue, 02 Apr 2024 11:43:00 GMT

Actually my purpose is to collect the radius accounting logs of last 90 days , we have to generate reports according to that .

Re: Log analytics with elk for monitoring reports

ahollifield — Tue, 02 Apr 2024 12:15:39 GMT

Why? What value would RADIUS accounting give you? What exactly are you looking for in the accounting logs?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

Re: Log analytics with elk for monitoring reports

jagritibhardwaj471 — Tue, 02 Apr 2024 12:18:20 GMT

My bad I was actually looking to get radius authentication logs and not radius accounting logs.

Re: Log analytics with elk for monitoring reports

ahollifield — Tue, 02 Apr 2024 12:52:57 GMT

Got it, this is where you should be sending Syslogs to an external Syslog server. ISE isn’t necessarily designed for long term data collection, reporting, correlation, etc this would be the job of a product such as Splunk or a SIEM.

Re: Log analytics with elk for monitoring reports

adamscottmaster2013 — Tue, 02 Apr 2024 20:19:03 GMT

Stay away from Splunk. It is an overprice product.

ElasticSearch is a good product, free because it is an opensource. You can purchase support if needed, so much cheaper than Splunk. Elastic Search is also running in Cisco ISE. If it is good enough for Cisco, it is good enough for most enterprise environment. Very easily deployed in AWS.