
ISE 2.1 and Windows 2012R2 Log collector

Ptomic
Level 1

Hello, dear friends. I need help with solving one problem.

We have ISE 2.1, and we implemented Windows Server 2019 Core version as DCs.

Because 2.1 supports up to WS2012R2 only, we got into trouble. To solve this problem we implemented WS2012R2 to act as a Log Collector for Security logs from our DCs.

Now we need to force our ISE to read logs from our Log Collector and don't have any idea how to do that.

Any help is appreciated. 

 

Thank you in advance. 

4 Replies

hslai
Cisco Employee

If the log collector is a Domain Controller and a Windows Event Collector (WEC) server, you may set the destination to either System or Application. Then, configure ISE to use this server as a WMI provider as in Manage Users and External Identity Sources > Manage the Active Directory Provider.

 

The Log Collector and the DCs are different servers.
The DCs are Windows Server 2019, and the Log Collector is 2012R2, because ISE 2.1 supports up to 2012R2.
We need help finding a solution for how to force ISE to get logs from the Log Collector.

hslai
Cisco Employee

Please take time and plan to upgrade your ISE deployment. The Cisco Identity Services Engine Software Version 2.1 Product Bulletin says, "... ISE 2.1 will reach end of support at March 17th 2020. ... "

Unfortunately the Active Directory providers in ISE (or ISE PIC) can only be domain controllers. There is also a limit that ISE needs to be in the same site (See CSCvo31822).

I do not see a problem with ISE 2.1 working with later Microsoft Windows Server releases, such as 2016 or 2019, although our teams did not test such combinations specifically. The issues might be more around the server core option without desktop experience, because we have not tested that, to my knowledge.

If you are really unable to use the Active Directory providers, then consider other providers. Some of our customers forward the Windows events to some 3rd-party application, which in turn forwards the events as syslog to ISE. In such a case, we configure the 3rd-party application as a syslog provider and create a syslog regex template to parse the events.

I will install SysLog then.

Can you help me with the regex template and configuring ISE to use this SysLog provider?
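
hslai's reply above mentions a syslog regex template for parsing forwarded Windows events. As an added example (not from the thread or from Cisco), this Python script checks candidate regexes against constructed syslog lines before they are entered into a template. The line format, the `evtfwd` forwarder tag and the `Account`/`Domain`/`ClientAddress` field names are assumptions, since the thread does not name a forwarder.

```python
import ipaddress
import re

# Constructed sample lines in an assumed forwarder format (not real ISE or vendor output).
SAMPLE_LINES = [
    "<13>Mar 02 10:15:01 wec01 evtfwd: EventID=4768 Account=alice Domain=CORP.EXAMPLE ClientAddress=::ffff:192.0.2.10",
    "<13>Mar 02 10:15:07 wec01 evtfwd: EventID=4768 Account=WS-0042$ Domain=CORP.EXAMPLE ClientAddress=::ffff:192.0.2.11",
    "<13>Mar 02 10:16:30 wec01 evtfwd: EventID=4624 Account=bob Domain=CORP.EXAMPLE ClientAddress=-",
    "<13>Mar 02 10:17:12 wec01 evtfwd: EventID=4625 Account=carol Domain=CORP.EXAMPLE ClientAddress=192.0.2.12",
    "<13>Mar 02 10:18:55 wec01 evtfwd: EventID=4624 Account=dave Domain=CORP.EXAMPLE ClientAddress=198.51.100.7",
]

# Candidate regexes, written for the assumed format above.
NEW_MAPPING = re.compile(r"EventID=(?:4768|4624)\b")  # TGT request or successful logon
USER = re.compile(r"Account=(\S+)")
DOMAIN = re.compile(r"Domain=(\S+)")
ADDRESS = re.compile(r"ClientAddress=(\S+)")


def normalize_ip(raw):
    """Return a canonical address string, or None if raw is not an IP address."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the mapping keys on the IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)


def parse_line(line):
    """Return a user-to-IP mapping, or None if the line must not create one."""
    if not NEW_MAPPING.search(line):
        return None  # e.g. 4625 failed logon: no session was established
    user, domain, addr = (p.search(line) for p in (USER, DOMAIN, ADDRESS))
    if not (user and domain and addr):
        return None
    if user.group(1).endswith("$"):
        return None  # machine account, not a user session
    ip = normalize_ip(addr.group(1))
    if ip is None:
        return None  # "-" placeholder or malformed address
    return {"user": user.group(1), "domain": domain.group(1), "ip": ip}


def parse_all(lines):
    """Parse every line and keep only the mappings that were accepted."""
    return [m for m in map(parse_line, lines) if m]
```

The rejected lines matter as much as the accepted ones: a template that maps failed logons, machine accounts or placeholder addresses would bind the wrong identity to an IP address.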