cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

110
Views
10
Helpful
4
Replies

How to check logs for system changes

Hi gents,

 

Can you please help me how to figure out how exactly to check system changes and logs in ISE 2.4. 

For e.g. I want to know how a Network Access User (name: APISponsorMgr   see attached file) under Identity Management was disabled 5 days ago. It was originally enabled, I just re-enable it today.

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: How to check logs for system changes

Interesting.  I just checked this out, using ISE 2.4 Patch 9.

 

First, I created the user APISponsorMgr and while creating I set the password and Administrator Group (ERS Admin).  I then went to Operations > Reports > Audit > Change Configuration Audit, and I can see the creation of the account as shown below.

 

ChangeConfigAudit1.png

 

Great, this is working as expected, so I disabled the account and checked the Change Configuration Audit report again, but there was no change.  I tried the following:

  • Refreshed the page
  • Closed the browser window and tried again
  • Tried different browsers (Chrome, Firefox, Edge)

to no avail.

Clicking the links for Changed Configuration in the report only show the password being set and the group assigned (after the initial creation)

 

ChangeConfigAudit2.pngChangeConfigAudit3.png

 

Checking the Operations > Reports > Audit > Internal Administrator Summary didn't help either.  Selecting the Configuration changes icon under the admin I used to create and disable the account only brought me back to the Change Configuration Audit, but only for that admin and with no additional information.  It seems there is no way to actually audit the changes to internal users other than creation and deletion.

 

ChangeConfigAudit4.png

 

I suggest working with TAC to file an enhancement request.

4 REPLIES 4
Cisco Employee

Re: How to check logs for system changes

Interesting.  I just checked this out, using ISE 2.4 Patch 9.

 

First, I created the user APISponsorMgr and while creating I set the password and Administrator Group (ERS Admin).  I then went to Operations > Reports > Audit > Change Configuration Audit, and I can see the creation of the account as shown below.

 

ChangeConfigAudit1.png

 

Great, this is working as expected, so I disabled the account and checked the Change Configuration Audit report again, but there was no change.  I tried the following:

  • Refreshed the page
  • Closed the browser window and tried again
  • Tried different browsers (Chrome, Firefox, Edge)

to no avail.

Clicking the links for Changed Configuration in the report only show the password being set and the group assigned (after the initial creation)

 

ChangeConfigAudit2.pngChangeConfigAudit3.png

 

Checking the Operations > Reports > Audit > Internal Administrator Summary didn't help either.  Selecting the Configuration changes icon under the admin I used to create and disable the account only brought me back to the Change Configuration Audit, but only for that admin and with no additional information.  It seems there is no way to actually audit the changes to internal users other than creation and deletion.

 

ChangeConfigAudit4.png

 

I suggest working with TAC to file an enhancement request.

Highlighted
VIP Engager

Re: How to check logs for system changes

I had the same "lack of results" as you when I looked last night, a ghost change.

Re: How to check logs for system changes

 

Re: How to check logs for system changes

@charlie, thanks for confirming this, very thorough!