Enthusiast

ISE Logging, Retention, and archiving

I am curious to understand more about the options of how to retain logs for more than a few days and what ability there is to archive to something like an S3 bucket. 

 

I am trying to retain about 30-60 days of logs, especially TACACS logins and TACACS command accounting.

 

What are people doing? I am running ISE 2.2 on a VM.

2 REPLIES 2
Beginner

Re: ISE Logging, Retention, and archiving

Unless you have a small appliance and a crazy amount of activity, the ISE database should be able to hold more than a few days of logging data, unless you have your operational data purging configured to a small number of days. What most customers do is forward Syslog events for authentication to a Syslog server to keep it for audit/compliance reasons. Usually the Security teams want those logs anyway for their SIEM tools. Configure an external Syslog server and then configure which types of logs you want to send to that server.

The other way is to do a daily backup of the operational data to an SFTP, FTP, NFS, or other server/repository. But that data is not as easy to parse as Syslog is. That is more so in case you have to rebuild your ISE environment and want to restore the operational data. Syslog is what you are looking for.

VIP Advocate

Re: ISE Logging, Retention, and archiving

ISE isn't great as a long-term log storage platform; however, you can still modify the length of log storage from the following page.
https://<ise IP>/admin/#administration/administration_system/administration_system_backup/data_purging


You can send logs to an external syslog server and I would say it is more commonly done than adjusting the internal logging retention period. The downside to the retention period is that ISE will automatically start purging before the days specified if it is running out of storage. This is automated, to protect ISE from running out of logging space.

To send logs for remote storage you would first define a remote log target here.
https://<ise IP>/admin/#administration/administration_system/administration_system_logging/remote_log

Then assign the new log target/server to categories you want to forward here.
https://<ise IP>/admin/#administration/administration_system/administration_system_logging/logging_categories
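
Added example, not code from the thread or from Cisco: once ISE forwards syslog to an external collector as the replies describe, the 30-60 day retention asked about is enforced on that collector. It assumes the collector writes one file per day named `ise-YYYY-MM-DD.log` (a constructed naming scheme); `enforce_retention` and its `upload` hook (for example an S3 uploader) are hypothetical names.

```python
import gzip
import re
import shutil
from datetime import date, timedelta
from pathlib import Path

# Assumed naming: the collector writes one file per day, e.g. ise-2024-05-01.log
NAME_RE = re.compile(r"^ise-(\d{4})-(\d{2})-(\d{2})\.log(\.gz)?$")


def enforce_retention(log_dir, today, retain_days=60, upload=None):
    """Compress closed daily files; archive, then delete, files past retention.

    upload is a hypothetical hook (for example an S3 uploader) that takes a
    Path and returns True once the off-box copy is confirmed. A file past
    retention is deleted only after upload() confirms it; otherwise it is kept.
    """
    cutoff = today - timedelta(days=retain_days)
    result = {"compressed": [], "archived": [], "kept_past_cutoff": []}
    for path in sorted(Path(log_dir).iterdir()):
        m = NAME_RE.match(path.name)
        if not m:
            continue  # never touch files we do not recognise
        try:
            day = date(int(m[1]), int(m[2]), int(m[3]))
        except ValueError:
            continue  # name looks right but is not a real calendar date
        if day >= today:
            continue  # today's file is still being written by the collector
        if m[4] is None:
            # Closed daily file: gzip it, then remove the uncompressed copy.
            gz_path = path.with_name(path.name + ".gz")
            with open(path, "rb") as src, gzip.open(gz_path, "wb") as dst:
                shutil.copyfileobj(src, dst)
            path.unlink()
            path = gz_path
            result["compressed"].append(path.name)
        if day < cutoff:
            # Audit data is only removed after the archive copy is confirmed.
            if upload is not None and upload(path):
                path.unlink()
                result["archived"].append(path.name)
            else:
                result["kept_past_cutoff"].append(path.name)
    return result
```

Run it once a day from the collector's scheduler; files it reports under `kept_past_cutoff` indicate the archive step is failing and local disk is growing.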