Rising star

Can the default remote syslog targets remain unused for all logging categories?

Hi everyone,

New deployments include default secure syslog and UDP syslog categories.

1) If I'm interested in central logging to my MnT, can these remote syslog targets be unapplied to all logging categories? I would like the only remote syslog targets to be my custom external syslog servers.

2) At present each persona (PAN, PSN, MnT) sends syslogs to my custom external syslog server after having applied this external server to the logging categories. Intuitively I would have expected only the MnT to send syslogs to remote targets.

Are these duplicate records being sent by these different personas to the external syslog server? Is there any way to force all syslog traffic to be centralized at MnT and then sent to external syslog servers?

Thanks for your time!

Accepted Solution
Cisco Employee

Re: Can the default remote syslog targets remain unused for all logging categories?


1) If I'm interested in central logging to my MnT, can these remote syslog targets be unapplied to all logging categories? I would like the only remote syslog targets to be my custom external syslog servers.

No, such is not tested or supported. ISE deployments expect most of the default categories sending events to MnT.

2) ... Are these duplicate records being sent by these different personas to the external syslog server? Is there any way to force all syslog traffic to be centralized at MnT and then sent to external syslog servers?

No, they are not duplicate events, but events generated by the individual ISE nodes, and they are sent to any logging targets configured for the event categories. Although the events go to MnT due to the default logging targets, at present MnT does not forward the events it receives to an external syslog server, and ISE has no setting to force such.
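The point of the accepted answer is that what looks like duplication at the external collector is each node reporting its own events. Below is an added example (not from this thread and not Cisco code) of how a collector-side check can confirm that: it attributes each record to the sending node and category, flags byte-for-byte resends (same node, same sequence number), and separately lists identical bodies reported by more than one node. The line layout the regex expects (BSD syslog header, then the CISE_ category name, a per-node sequence number, segment count and index, then the body) and the sample lines are assumptions constructed for the example; adjust the pattern to what your collector actually stores.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout (not taken from the thread): BSD syslog header
# "<PRI>Mon DD HH:MM:SS host", then the ISE category name, a per-node
# sequence number, the segment count and segment index, then the event body.
RECORD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<category>CISE_\w+)\s"
    r"(?P<seq>\d+)\s(?P<total>\d+)\s(?P<segment>\d+)\s"
    r"(?P<body>.*)$"
)

# Constructed sample, not captured from a real deployment. Three nodes send
# their own events; psn1 and psn2 both log the same TACACS+ command (two real
# events that merely look alike); the last line is a byte-for-byte resend of
# psn1's record (a genuine duplicate: same node, same sequence number).
SAMPLE = """\
<181>Oct 10 12:00:01 ise-pan1 CISE_Administrative_and_Operational_Audit 0000000101 1 0 Admin login by admin from 10.0.0.5
<181>Oct 10 12:00:02 ise-psn1 CISE_TACACS_Accounting 0000004711 1 0 User=netops Cmd=show run
<181>Oct 10 12:00:02 ise-psn2 CISE_TACACS_Accounting 0000000902 1 0 User=netops Cmd=show run
<181>Oct 10 12:00:03 ise-mnt1 CISE_Alarm 0000000077 1 0 Alarm=Log Collector Down
<181>Oct 10 12:00:02 ise-psn1 CISE_TACACS_Accounting 0000004711 1 0 User=netops Cmd=show run
"""


def parse_record(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def parse_records(text):
    """Parse every non-empty line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            records.append(rec)
    return records


def events_per_node_category(records):
    """Count records per (sending node, logging category)."""
    return Counter((r["host"], r["category"]) for r in records)


def find_exact_duplicates(records):
    """(host, category, seq) keys seen more than once: true resends."""
    counts = Counter((r["host"], r["category"], r["seq"]) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def find_cross_node_lookalikes(records):
    """Identical event bodies reported by more than one node.

    These are separate events from separate nodes (each carries its own
    sequence number), which is the distinction the accepted answer draws."""
    hosts_by_body = defaultdict(set)
    for r in records:
        hosts_by_body[r["body"]].add(r["host"])
    return {body: sorted(hosts) for body, hosts in hosts_by_body.items() if len(hosts) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (host, cat), n in sorted(events_per_node_category(recs).items()):
        print(f"{host:10s} {cat:45s} {n}")
    print("exact duplicates:", find_exact_duplicates(recs))
    print("same body from several nodes:", find_cross_node_lookalikes(recs))
```

Run it against a file exported from the external collector instead of SAMPLE; a non-empty exact-duplicate list points at a resend or a double-configured target, while the lookalike list only tells you that several nodes saw comparable activity.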

Replies
Rising star

Re: Can the default remote syslog targets remain unused for all logging categories?

Thanks for the quick reply,

Can I detach either the secure syslog or the UDP syslog target for each logging category? For example, make all syslog communication in the cluster either UDP or Secure TCP, but not both? Having ports UDP 20514 and TCP 6514 open between all nodes seems somewhat redundant unless it's a design constraint.

Cisco Employee

Re: Can the default remote syslog targets remain unused for all logging categories?

You are correct that only one of them is needed. The default SecureSyslogCollector should either be disabled or configured with a proper CA certificate, or it could cause CSCvk32508.

Rising star

Re: Can the default remote syslog targets remain unused for all logging categories?

Hello,

I've tried using only TCP syslog targets towards the MnT nodes (port TCP 1464) and nothing showed up in the Live Log for TACACS+. In fact, Wireshark shows that logs on port 1464 aren't sent from the PSN to the MnT at all. I've been able to use only UDP and Secure TCP, but not TCP.

This is contrary to the documentation, because the following link shows that the PSN can send syslogs to the MnT server on UDP_20514, TCP_1468, and TCP_6514:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Any ideas why this could be? I'm running ISE 2.4 Patch 4.