cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
666
Views
2
Helpful
3
Replies

Can ISE Administrator Login Reports go beyond 30 days?

Arne Bier
VIP
VIP

Hello,

Is there a way to retain the ISE Admin logins for longer than 30 days? I can't find this in the GUI. I am only able to set the TACACS and RADIUS retention in days.

The reason for this question, is that I wanted to see who has logged into the admin node further back than the 30 days allowed. Even with an Advanced Filter in the Operations > Reports > Audit > Administrator Logins set to go back 60 days, I only see the last 30 days. Besides the fact that the "Operations Report" only allows a max of 100 rows.  

I also can't tell if Log Analytics feature in 3.2+ allows me to create such a custom search and export?  I enjoyed Clark Gambrel's Cisco Live BRKSEC-2897 session and he seemed to hint that the Elastic Search might one day offer this? (i.e. he shows the new Data Connect feature using Elastic Search in a browser instead of having to build SQL queries) - his session is probably one of the best ISE sessions from Vegas this year ... IMHO.

3 Replies 3

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @Arne Bier,

I've just checked one of my ISEs, and with Advanced Filter/Custom range, I can see logs within specifi period. Something like:

Milos_Jovanovic_0-1691577482103.png

I also see more than 100 rows. This is on ISE v3.1p6. I can't check currently on newer release, but I would expect this to work as for any other report.

Kind regards,
Milos

Arne Bier
VIP
VIP

Hi @Milos_Jovanovic 

You're right about the "more than 100" rows part. I wasn't getting enough hits to see that option. But I went onto a more busy ISE deployment and ran the Advanced Filter and found hundreds of hits.

BUT. And this part is the crux of my question: why can't ISE Admin Login Reports go beyond 30 days?  Sure, you can set the filter to start from 1 Jan 2023 and end 10 August 2023, but the results never go back further than 30 days. Which made me ask the question about being able to set a custom purge range for ISE Admin Logins.

Hey,

I've managed to check on v3.2 and I also can't see any Admin logs beyond 30 days, so I would say it is related to SW version. Unfortunatelly, most of my customers are on v3.1, so I don't have multiple references to confirm.

Kind regards,
Milos