Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1828
Views
10
Helpful
4
Replies

How to check logs for system changes

Go to solution
techmgr.aballesteros
Level 1
Level 1

‎08-08-2019 09:30 PM - edited ‎08-08-2019 09:36 PM

Hi gents,

 

Can you please help me how to figure out how exactly to check system changes and logs in ISE 2.4. 

For e.g. I want to know how a Network Access User (name: APISponsorMgr   see attached file) under Identity Management was disabled 5 days ago. It was originally enabled, I just re-enable it today.

 

 

 

Preview file
26 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎08-09-2019 06:30 AM

Interesting.  I just checked this out, using ISE 2.4 Patch 9.

 

First, I created the user APISponsorMgr and while creating I set the password and Administrator Group (ERS Admin).  I then went to Operations > Reports > Audit > Change Configuration Audit, and I can see the creation of the account as shown below.

 

ChangeConfigAudit1.png

 

Great, this is working as expected, so I disabled the account and checked the Change Configuration Audit report again, but there was no change.  I tried the following:

  • Refreshed the page
  • Closed the browser window and tried again
  • Tried different browsers (Chrome, Firefox, Edge)

to no avail.

Clicking the links for Changed Configuration in the report only show the password being set and the group assigned (after the initial creation)

 

ChangeConfigAudit2.pngChangeConfigAudit3.png

 

Checking the Operations > Reports > Audit > Internal Administrator Summary didn't help either.  Selecting the Configuration changes icon under the admin I used to create and disable the account only brought me back to the Change Configuration Audit, but only for that admin and with no additional information.  It seems there is no way to actually audit the changes to internal users other than creation and deletion.

 

ChangeConfigAudit4.png

 

I suggest working with TAC to file an enhancement request.

View solution in original post

4 Replies 4

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎08-09-2019 06:30 AM

Interesting.  I just checked this out, using ISE 2.4 Patch 9.

 

First, I created the user APISponsorMgr and while creating I set the password and Administrator Group (ERS Admin).  I then went to Operations > Reports > Audit > Change Configuration Audit, and I can see the creation of the account as shown below.

 

ChangeConfigAudit1.png

 

Great, this is working as expected, so I disabled the account and checked the Change Configuration Audit report again, but there was no change.  I tried the following:

  • Refreshed the page
  • Closed the browser window and tried again
  • Tried different browsers (Chrome, Firefox, Edge)

to no avail.

Clicking the links for Changed Configuration in the report only show the password being set and the group assigned (after the initial creation)

 

ChangeConfigAudit2.pngChangeConfigAudit3.png

 

Checking the Operations > Reports > Audit > Internal Administrator Summary didn't help either.  Selecting the Configuration changes icon under the admin I used to create and disable the account only brought me back to the Change Configuration Audit, but only for that admin and with no additional information.  It seems there is no way to actually audit the changes to internal users other than creation and deletion.

 

ChangeConfigAudit4.png

 

I suggest working with TAC to file an enhancement request.

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Charlie Moreton

‎08-09-2019 09:10 AM

I had the same "lack of results" as you when I looked last night, a ghost change.

Go to solution
techmgr.aballesteros
Level 1
Level 1
In response to Charlie Moreton

‎08-11-2019 08:43 PM - edited ‎08-11-2019 08:46 PM

@Charlie, thanks for confirming this, very thorough!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents