Solved: Audit Alerting via ISE?

Isaac Smith · ‎07-02-2019

Is ISE able to alert (via email for example) if a specific command or commands are executed on a security device like a FW? We've been asked if we can be alerted if someone makes a change to the audit logging settings on a firewall (i.e. anything with the word "logging" in it). It was an ask for a NIST audit... If not elegantly, maybe i need to look to other tools.

Damien Miller · ‎07-02-2019

This is not a capability of ISE today and I wouldn't expect it to be added. The pre built alarms are the only email alerting ISE will send, https://<ISE IP>/admin/#administration/administration_system/administration_system_settings/alarm_settings. So this is something that requires an external system.

You would need to configure an external syslog server then forward the tacacs accounting syslog category to be sent to it. This is all done under the logging menu, remote logging targets and logging categories.
https://<ISE IP>/admin/#administration/administration_system/administration_system_logging/local_log

View solution in original post

Damien Miller · ‎07-02-2019

This is not a capability of ISE today and I wouldn't expect it to be added. The pre built alarms are the only email alerting ISE will send, https://<ISE IP>/admin/#administration/administration_system/administration_system_settings/alarm_settings. So this is something that requires an external system.

You would need to configure an external syslog server then forward the tacacs accounting syslog category to be sent to it. This is all done under the logging menu, remote logging targets and logging categories.
https://<ISE IP>/admin/#administration/administration_system/administration_system_logging/local_log