11-22-2016 05:56 AM
Good afternoon,
I'm working on a migration of TACACS+ from ACS 5.x to ISE 2.x.
There are over 25k devices in the network.
The current deployment of ACS has 1 primary to manage all the cluster and 6 secondary.
All logs are sent directly from the secondaries to Splunk.
Questions on ISE vs ACS behaviour?
1- Are the accounting logs in the same format?
2- Is it possible to send the logs from the PSN to Splunk bypassing the MnT node? The MnT function is not used anyway.
Thanks
R.
11-22-2016 08:17 AM
Hi Raffaello,
To answer your question,
1. These are in syslog format but the fields used should be the same since these fields are part of the TACACS+ protocol.
2. From the network devices, you can forward the syslogs to any destination as an alternative. PSNs send these records to MnT. You can configure a remote logging target for these in ISE so that ISE forwards these to Splunk. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also, I am not sure why you need this.
For ACS to ISE migration, please use the ACS to ISE Migration community, which has details with answers to top-of-mind questions, differences between ACS vs ISE, demos, how-to docs, etc.
Thanks
Krishnan
11-23-2016 08:21 AM
2. From the network devices, you can forward the syslogs to any destination as an alternative. PSNs send these records to MnT. You can configure a remote logging target for these in ISE so that ISE forwards these to Splunk. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also, I am not sure why you need this.
2 reasons