Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1061
Views
0
Helpful
4
Replies

ACS to ISE Migration MnT logging capacity

Go to solution
vmadriga
Cisco Employee
Cisco Employee

‎04-03-2018 09:21 PM

HI all

My customer is in the process of migrate ACS to ISE, they have some capacity issues with the current ACS deployment and we want to know if the migration with ISE will help them to solve the following:

1. The ACS is limited to 2M logs per day, there are some days where the customer reaches 3.5M or 4M per day and some logs are lost due to this limitation, it also takes a lot of time to perform a search or to display the logs.

2. The ACS /opt directory is limited in space and the customer is exceeding the recommended 30% every 2 weeks, the MnT node can allocate up to 60% of logging storage but I was wondering if the  new Large Virtual Machine for Monitoring Persona  will provide additional logging capacity in order to remove the logging limits of ACS and faster search times.


Any comments are really appreciated.


regards!


Vicente Madrigal

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-04-2018 06:48 AM

This all depends on how many transactions per second you have and also the size of your disk

Please take a look at the ise performance and scale page on the community, the High-level design document and also the Cisco live scaling ISE presentation by Craig Hyps which goes into the sizing calculations and the new super MNT which is basically a virtual machine with added CPU and memory to further increase the efficiency and robustness. You may not need to start with this so the recommendation would be to deploy with an iso so that later you could tweak your memory and CPU specifications.

If you want to set up for maximum log and capability and recommended to playing a disk size of up to 2 TB. Keep in mind you can’t change the disk size Once the system is installed. If customer wants even longer term repository then recommend offloading to an external system Because our system is a short-term repository and should not be used for long-term

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-04-2018 06:48 AM

This all depends on how many transactions per second you have and also the size of your disk

Please take a look at the ise performance and scale page on the community, the High-level design document and also the Cisco live scaling ISE presentation by Craig Hyps which goes into the sizing calculations and the new super MNT which is basically a virtual machine with added CPU and memory to further increase the efficiency and robustness. You may not need to start with this so the recommendation would be to deploy with an iso so that later you could tweak your memory and CPU specifications.

If you want to set up for maximum log and capability and recommended to playing a disk size of up to 2 TB. Keep in mind you can’t change the disk size Once the system is installed. If customer wants even longer term repository then recommend offloading to an external system Because our system is a short-term repository and should not be used for long-term

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to Jason Kunst

‎04-04-2018 08:44 AM

You can increase log retention capacity by increasing MnT disk allocation.  The Large MnT VM option in 2.4 will provide better performance and storage optimization, but focus of the enhancements is on RADIUS, not T+.   Regardless of super-sized 3595 VM or current 3595, you can allocate more disk at install time which makes the 60% allocation (not configurable) larger and thus capable of storing more logs.

0 Helpful

Go to solution
vmadriga
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎04-04-2018 03:45 PM

Thanks Jason/Craig for your answers,

There is only one more detail that I need to clarify and maybe you have some information, the ACS View can hold up to 2 million records daily which will correspond to 2GB of data, given Syslog message size around 1K, since my customer is exceeding amount of logs that can be processed and be shown immediately (3.5GB to 4GB of daily logs) the ACS viewer is lagging behind for more than hour with logging traffic and some times the information is never displayed

Do you know if MnT has a similar limitation in the amount of logs the system can process daily and display immediately? I am assuming that the new super MnT with the additional extra memory is capable of processing and displaying much more information than the ACS view with its 2GB of daily  data limits.

Any comments are really appreciated.

Regards!

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to vmadriga

‎04-04-2018 06:04 PM

3595-based MnT supports up to 20M messages per day.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents