Hi Cisco, Hi Community,
One of my clients has exactly the same requirement.
In our deployment we have 16 ISE Nodes in 7 Locations with several hundred Cisco switches as NADs.
TACACS authentication, command authorization and command accounting are configured.
The switches are polled regularly by machines (Cisco DNA Center, Cisco Prime, Kiwi Cattools).
The commands issued by these systems again and again produce about 0.5-1 Gigabyte of logs per day!
Most of it results from DNA Center's commands.
There does not seem to be much benefit in logging and backing up many Gigabytes of DNAC command logs day by day.
The goal is to reduce the amount of log data and the size of backups.
Using ISE collection filters and "Policy Set Name" as the attribute to filter on, I had limited success filtering authentication and authorization logs.
But accounting messages do not have a policy set associated, and even with the username attribute as the filter, it looks like the collection filters do not process and filter accounting messages.
I didn't find anything in the docs or Bug Toolkit.
Is this a known behavior / bug?
Collection Filters should process and filter accounting messages as well.
Additionally, it would be great to have "TACACS-Remote-Address" as filter criteria.
Any chance to get that implemented?
Frank