Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
596
Views
1
Helpful
3
Replies

Can ISE Administrator Login Reports go beyond 30 days?

Arne Bier
VIP
VIP

‎08-08-2023 06:30 PM

Hello,

Is there a way to retain the ISE Admin logins for longer than 30 days? I can't find this in the GUI. I am only able to set the TACACS and RADIUS retention in days.

The reason for this question, is that I wanted to see who has logged into the admin node further back than the 30 days allowed. Even with an Advanced Filter in the Operations > Reports > Audit > Administrator Logins set to go back 60 days, I only see the last 30 days. Besides the fact that the "Operations Report" only allows a max of 100 rows.  

I also can't tell if Log Analytics feature in 3.2+ allows me to create such a custom search and export?  I enjoyed Clark Gambrel's Cisco Live BRKSEC-2897 session and he seemed to hint that the Elastic Search might one day offer this? (i.e. he shows the new Data Connect feature using Elastic Search in a browser instead of having to build SQL queries) - his session is probably one of the best ISE sessions from Vegas this year ... IMHO.

0 Helpful
3 Replies 3

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-09-2023 03:40 AM

Hi @Arne Bier,

I've just checked one of my ISEs, and with Advanced Filter/Custom range, I can see logs within specifi period. Something like:

Milos_Jovanovic_0-1691577482103.png

I also see more than 100 rows. This is on ISE v3.1p6. I can't check currently on newer release, but I would expect this to work as for any other report.

Kind regards,
Milos

Arne Bier
VIP
VIP

‎08-09-2023 03:09 PM

Hi @Milos_Jovanovic 

You're right about the "more than 100" rows part. I wasn't getting enough hits to see that option. But I went onto a more busy ISE deployment and ran the Advanced Filter and found hundreds of hits.

BUT. And this part is the crux of my question: why can't ISE Admin Login Reports go beyond 30 days?  Sure, you can set the filter to start from 1 Jan 2023 and end 10 August 2023, but the results never go back further than 30 days. Which made me ask the question about being able to set a custom purge range for ISE Admin Logins.

0 Helpful

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Arne Bier

‎08-10-2023 02:47 AM

Hey,

I've managed to check on v3.2 and I also can't see any Admin logs beyond 30 days, so I would say it is related to SW version. Unfortunatelly, most of my customers are on v3.1, so I don't have multiple references to confirm.

Kind regards,
Milos

0 Helpful
Customers Also Viewed These Support Documents