12-09-2019 02:50 PM - edited 02-21-2020 11:12 AM
Hello, dear friends. I need help solving one problem.
We have ISE 2.1, and we implemented Windows Server 2019 Core as our DCs.
Because 2.1 supports only up to WS2012R2, we got into trouble. To solve this problem we implemented WS2012R2 to act as a Log Collector for Security logs from our DCs.
Now we need to force our ISE to read logs from our Log Collector and don't have any idea how to do that.
Any help is appreciated.
Thank you in advance.
12-11-2019 10:20 PM
If the log collector is a Domain Controller and a Windows Event Collector (WEC) server, you may set the destination to either System or Application. Then, configure ISE to use this server as a WMI provider as in Manage Users and External Identity Sources > Manage the Active Directory Provider.
12-12-2019 01:08 AM
The Log Collector and the DCs are different servers.
The DCs are Windows Server 2019, and the Log Collector is 2012R2, because ISE 2.1 supports up to 2012R2.
We need help finding a solution for how to force ISE to get logs from the Log Collector.
12-14-2019 02:53 PM
Please take time and plan to upgrade your ISE deployment. Cisco Identity Services Engine Software Version 2.1 Product Bulletin says, "... ISE 2.1 will reach end of support at March 17th 2020. ... "
Unfortunately the Active Directory providers in ISE (or ISE PIC) can only be domain controllers. There is also a limit that ISE needs to be in the same site (See CSCvo31822).
I do not see a problem with ISE 2.1 working with later Microsoft Windows Server releases, such as 2016 or 2019, although our teams did not test such combinations specifically. The issues might be more around the Server Core option without Desktop Experience, because we have not tested that, to my knowledge.
If you are really unable to use the Active Directory providers, then consider other providers. Some of our customers forward the Windows events to some 3rd-party application, which in turn forwards the events as syslog to ISE. In such a case, we configure the 3rd-party application as a syslog provider and create a syslog regex template to parse the events.
12-15-2019 10:28 PM
I will install SysLog then.
Can you help me with the regex template and configuring ISE to use this SysLog provider?
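One way to test candidate regexes for the syslog template described in the reply above before entering them in ISE, as an added example that is not part of the original thread and not Cisco's own code. The forwarder's key=value line layout, the host name and all sample values are constructed assumptions; only the event data field names follow Windows Security event 4768.

```python
import ipaddress
import re

# Constructed sample lines: the key=value layout is a hypothetical forwarder
# format, not output from any specific product. Field names follow the
# Windows Security event 4768 (Kerberos TGT request) event data.
SAMPLE_LINES = [
    "<13>Dec 15 22:30:01 logcol01 winfwd: EventID=4768 TargetUserName=jsmith "
    "TargetDomainName=EXAMPLE IpAddress=::ffff:10.1.20.45 Status=0x0",
    "<13>Dec 15 22:30:02 logcol01 winfwd: EventID=4768 TargetUserName=PC042$ "
    "TargetDomainName=EXAMPLE IpAddress=::ffff:10.1.20.46 Status=0x0",
    "<13>Dec 15 22:30:03 logcol01 winfwd: EventID=4768 TargetUserName=nouser "
    "TargetDomainName=EXAMPLE IpAddress=::ffff:10.1.20.47 Status=0x6",
    "<13>Dec 15 22:30:04 logcol01 winfwd: EventID=4634 TargetUserName=jsmith",
]

# Candidate template regexes (names are illustrative, not ISE field names).
NEW_MAPPING = re.compile(r"EventID=4768\b.*\bStatus=0x0\b")  # successful TGT only
USER = re.compile(r"TargetUserName=(\S+)")
DOMAIN = re.compile(r"TargetDomainName=(\S+)")
# 4768 usually reports the client as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
IP = re.compile(r"IpAddress=(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_mapping(line):
    """Return {'user', 'domain', 'ip'} for a successful user logon, else None."""
    if not NEW_MAPPING.search(line):
        return None  # wrong event ID or failed request
    user, domain, ip = (rx.search(line) for rx in (USER, DOMAIN, IP))
    if not (user and domain and ip):
        return None
    if user.group(1).endswith("$"):
        return None  # machine account, not a user-to-IP mapping
    try:
        addr = ipaddress.IPv4Address(ip.group(1))
    except ipaddress.AddressValueError:
        return None  # digits matched the regex but are not a valid address
    return {"user": user.group(1), "domain": domain.group(1), "ip": str(addr)}

def build_mappings(lines):
    """Parse every line and keep only the valid user-to-IP mappings."""
    return [m for m in map(parse_mapping, lines) if m]

if __name__ == "__main__":
    for mapping in build_mappings(SAMPLE_LINES):
        print(mapping)
```

Run it against a few real lines captured from your own forwarder and adjust the regexes until only successful user logons produce a mapping.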