Can ISE Administrator Login Reports go beyond 30 days?

Arne Bier
VIP

Hello,

Is there a way to retain the ISE Admin logins for longer than 30 days? I can't find this in the GUI. I am only able to set the TACACS and RADIUS retention in days.

The reason for this question is that I wanted to see who has logged into the admin node further back than the 30 days allowed. Even with an Advanced Filter in the Operations > Reports > Audit > Administrator Logins set to go back 60 days, I only see the last 30 days. Besides the fact that the "Operations Report" only allows a max of 100 rows.

I also can't tell if the Log Analytics feature in 3.2+ allows me to create such a custom search and export? I enjoyed Clark Gambrel's Cisco Live BRKSEC-2897 session and he seemed to hint that the Elastic Search might one day offer this? (i.e. he shows the new Data Connect feature using Elastic Search in a browser instead of having to build SQL queries) - his session is probably one of the best ISE sessions from Vegas this year ... IMHO.

5 Replies

Milos_Jovanovic
VIP Alumni

Hi @Arne Bier,

I've just checked one of my ISEs, and with Advanced Filter/Custom range, I can see logs within a specific period. Something like:

[Screenshot: Milos_Jovanovic_0-1691577482103.png]

I also see more than 100 rows. This is on ISE v3.1p6. I can't currently check on a newer release, but I would expect this to work as for any other report.

Kind regards,
Milos

Arne Bier
VIP

Hi @Milos_Jovanovic 

You're right about the "more than 100" rows part. I wasn't getting enough hits to see that option. But I went onto a more busy ISE deployment and ran the Advanced Filter and found hundreds of hits.

BUT. And this part is the crux of my question: why can't ISE Admin Login Reports go beyond 30 days?  Sure, you can set the filter to start from 1 Jan 2023 and end 10 August 2023, but the results never go back further than 30 days. Which made me ask the question about being able to set a custom purge range for ISE Admin Logins.

Hey,

I've managed to check on v3.2 and I also can't see any Admin logs beyond 30 days, so I would say it is related to the SW version. Unfortunately, most of my customers are on v3.1, so I don't have multiple references to confirm.

Kind regards,
Milos

Hi @Arne Bier ,

Did you find an answer for this?
There are a couple of places where logging retention is set, and for 3.2 p7 these are in Administration>System>Logging>Log settings, "Local Log Storage period" and the other for RADIUS/TACACS logs in Administration>System>Maintenance>Operational Data Purging, "Data Retention Period".
Not sure where Admin Audit logs are stored but likely the "Local Logs".
I believe some logs can also be accessed via CLI, "show logging <application|system|etc> ...." but not sure if Admin Audit is there and I don't have time now to check.

Re using the advanced filter and specifying a time > 30 days, I believe this would work only if retention is > 30 days also, may need to check this too. Sorry, no answers..

Cheers
FedS

I just tried with dataconnect ODBC API, and I was able to get admin logins that were 80 (eighty) days old. Not sure what the oldest record should be, but this system has been running much longer than that. I think ISE has some kind of internal cut off point.

I used the iseql.py python script:

select * from administrator_logins order by timestamp
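
Added example (not part of the original thread and not Cisco's own code): three queries against the same `administrator_logins` view that show how far back the stored records really go, list the logins outside the 30-day window the GUI report displays, and count rows per month to reveal where any internal cut-off falls. It assumes the Data Connect endpoint accepts Oracle SQL and uses only the `timestamp` column named in the post above.

```sql
-- 1. How far back does the view actually go?
--    Compare oldest_login with the system's install date to see
--    whether ISE is purging admin login records internally.
SELECT MIN(timestamp) AS oldest_login,
       MAX(timestamp) AS newest_login,
       COUNT(*)       AS total_rows
FROM administrator_logins;

-- 2. Admin logins older than the 30-day window shown by
--    Operations > Reports > Audit > Administrator Logins.
--    Assumption: Oracle interval arithmetic is available.
SELECT *
FROM administrator_logins
WHERE timestamp < SYSTIMESTAMP - INTERVAL '30' DAY
ORDER BY timestamp;

-- 3. Rows per calendar month. A sharp drop to zero before a given
--    month marks the effective retention boundary.
SELECT TRUNC(timestamp, 'MM') AS month_start,
       COUNT(*)               AS logins
FROM administrator_logins
GROUP BY TRUNC(timestamp, 'MM')
ORDER BY month_start;
```

Running query 2 on a schedule and storing the output outside ISE keeps an admin login audit trail that does not depend on whatever retention ISE applies internally.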