Change Configuration Audit report in Cisco ISE

I am looking for the Configuration Change report in ISE. When I execute the report, it is full of the two events below:

 

'Shutdown secure connection with TLS peer'

'Open secure connection with TLS peer'

 

So even a single-day report is 300Mb with lots of unwanted events. Is there any way to edit this report to log only configuration changes?

 

I am using ISE on 2.4.0.357 Patch 5

 

 


Re: Change Configuration Audit report in Cisco ISE

What report are you looking at in ISE?

The configuration changes report is under Operations->Reports->Reports->Audit->Change Configuration Audit.  That shows any changes made to the system by administrators or even the system itself such as posture updates or profiler feed updates.  Once you have the report open, you can use the quick filters to filter in on what you want.  If it is still too much to go through, you can export the report to CSV and use Excel to massage it to your liking.


Re: Change Configuration Audit report in Cisco ISE

Thanks for the reply. Yes, I am looking for the configuration changes in ISE by an administrator or the system itself. I exported this report for 1 day and I can see around 1048575 entries in that CSV, and out of those only 1 was for a configuration change; the remaining entries are related to connections with a TLS peer. Please find the table below:

| Row Labels | Count of 'LOGGED AT' |
| --- | --- |
| 'Changed configuration' | 1 |
| 'Open secure connection with TLS peer' | 526108 |
| 'Shutdown secure connection with TLS peer' | 522466 |
| Grand Total | 1048575 |

So the question is: why are we getting connection with TLS peer logs in the configuration change audit? Is there any way to suppress this event? When I try to export this report for the last 7 days, it takes forever. Hence I am trying to find out if there is any way to modify the report or create a custom report that has only configuration changes, for the change management compliance audit.


Re: Change Configuration Audit report in Cisco ISE

I just looked at the message catalog and those TLS messages are part of the "Administrative and Operational Audit" category at the INFO level.  That is why they are showing up in the report.  There really isn't much you can do other than try the "Advanced Filter" on the report and filter out those message types.  Then save it in "My Reports".  


Re: Change Configuration Audit report in Cisco ISE

Yes, I checked, but is there any way to suppress that log or separate it into different logs? I really don't see any logic in having TLS logs in the configuration audit logs. Configuration audit should show only configuration changes. And for your information, in the advanced filter you cannot filter based on "Event ID"; it is based on Admin, PSN node, Object type and Object Node, so even the advanced filter is not helpful.

Re: Change Configuration Audit report in Cisco ISE

This would have to be submitted as a bug or enhancement request.  I do agree with you that the report should only include actual configuration changes and not connection events.  Open a TAC case and have them file a bug.
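
The following is an added example, not part of the original thread and not Cisco code: a streaming filter for the exported CSV that drops the two TLS peer events quoted above and keeps everything else, as an alternative to filtering in Excel. The 1048575 count in the table is one less than Excel's 1,048,576-row worksheet limit, so a spreadsheet view of a larger export may be cut off, while a streaming pass is not. The sample rows and column names are constructed assumptions; the filter matches on field values, so it does not depend on the real header names.

```python
import csv
import io
import sys
from collections import Counter

# Event messages named in the thread as noise in the Change Configuration Audit export.
NOISE_EVENTS = {
    "Open secure connection with TLS peer",
    "Shutdown secure connection with TLS peer",
}

def _norm(field):
    """Strip whitespace and the single quotes shown around values in the thread's table."""
    return field.strip().strip("'").strip()

def filter_audit_csv(src, dst):
    """Copy src to dst row by row, dropping rows where any field is a noise event.

    Returns (Counter of dropped events, number of data rows kept).
    """
    reader, writer = csv.reader(src), csv.writer(dst)
    dropped, kept = Counter(), 0
    header = next(reader, None)
    if header is None:          # empty export
        return dropped, kept
    writer.writerow(header)
    for row in reader:
        if not row:             # skip blank lines
            continue
        hit = next((f for f in map(_norm, row) if f in NOISE_EVENTS), None)
        if hit:
            dropped[hit] += 1
        else:
            writer.writerow(row)
            kept += 1
    return dropped, kept

# Constructed sample; header names, timestamps and node names are hypothetical.
SAMPLE = """LOGGED AT,ADMINISTRATOR,SERVER,EVENT
'2019-03-01 10:00:01',system,ise01,'Open secure connection with TLS peer'
'2019-03-01 10:00:02',system,ise01,'Shutdown secure connection with TLS peer'
'2019-03-01 10:05:00',admin1,ise01,'Changed configuration'
'2019-03-01 10:06:00',system,ise01,'Open secure connection with TLS peer'
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py export.csv changes_only.csv
        with open(sys.argv[1], newline="") as s, open(sys.argv[2], "w", newline="") as d:
            print(filter_audit_csv(s, d))
    else:
        print(filter_audit_csv(io.StringIO(SAMPLE), io.StringIO()))
```

The returned counter gives per-event totals of what was removed, which can be kept alongside the filtered file as a record of what the audit extract excluded.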