Can the default remote syslog targets remain unused for all logging categories?

Nadav
Level 7

Hi everyone,

New deployments include default secure syslog and UDP syslog categories.

1) If I'm interested in central logging to my MnT, can these remote syslog targets be unapplied to all logging categories? I would like the only remote syslog targets to be my custom external syslog servers.

2) At present each persona (PAN, PSN, MnT) sends syslogs to my custom external syslog server after having applied this external server to the logging categories. Intuitively I would have expected only the MnT to send syslogs to remote targets.

Are these duplicate records being sent by these different personas to the external syslog server? Is there any way to force all syslog traffic to be centralized at MnT and then sent to external syslog servers?

Thanks for your time!

4 Replies

hslai
Cisco Employee (Accepted Solution)

1) If I'm interested in central logging to my MnT, can these remote syslog targets be unapplied to all logging categories? I would like the only remote syslog targets to be my custom external syslog servers.

No, that is not tested or supported. ISE deployments expect most of the default categories to send events to MnT.

2) ... Are these duplicate records being sent by these different personas to the external syslog server? Is there any way to force all syslog traffic to be centralized at MnT and then sent to external syslog servers?

No, they are not duplicate events, but events generated by the individual ISE nodes, and they are sent to any logging targets configured for the event categories. Although the events go to MnT due to the default logging targets, at present MnT does not forward the events it receives to an external syslog server, and ISE has no setting to force this.

Thanks for the quick reply,

Can I detach either the secure syslog or the UDP syslog target for each logging category? For example, make all syslog communication in the cluster either UDP or Secure TCP, but not both? Having ports UDP 20514 and TCP 6514 open between all nodes seems somewhat redundant unless it's a design constraint.

hslai
Cisco Employee

You are correct that only one of them is needed. The default SecureSyslogCollector should either be disabled or configured with a proper CA certificate, or it could cause CSCvk32508.

Hello,

I've tried using only TCP syslog targets towards the MnT nodes (port TCP 1464) and nothing showed up in the Live Log for TACACS+. In fact, Wireshark shows that logs on port 1464 aren't sent from the PSN to the MnT at all. I've been able to use only UDP and Secure TCP, but not TCP.

This is contrary to the documentation, because the following link shows that the PSN can send syslogs to the MnT server on UDP_20514, TCP_1468, and TCP_6514:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Any ideas why this could be? I'm running ISE 2.4 Patch 4.
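An added example, not from this thread or from Cisco, of the kind of check the Wireshark observation above implies: it audits a per-message flow summary (constructed here, in a made-up "src_host proto dst_port" shape rather than a real capture export) to show which ISE node sends syslog over which of the three MnT transports the thread names (UDP 20514, TCP 1468, TCP 6514), and flags a node using a transport the design disallows, or one that sends nothing over any allowed transport. Hostnames and message counts are constructed.

```python
from collections import Counter

# MnT syslog listeners named in the thread: (proto, port) -> transport label
TRANSPORTS = {
    ("UDP", 20514): "udp-syslog",
    ("TCP", 1468): "tcp-syslog",
    ("TCP", 6514): "secure-syslog",
}

# Constructed flow summary (not a real capture export format): one line per
# syslog message seen on the wire, as "src_host proto dst_port".
SAMPLE = """\
ise-psn01 UDP 20514
ise-psn01 UDP 20514
ise-psn01 TCP 6514
ise-psn01 TCP 6514
ise-pan01 UDP 20514
ise-pan01 TCP 6514
ise-psn02 TCP 1468
ise-psn02 TCP 1464
"""

def parse_flows(text):
    """Parse 'src_host proto dst_port' lines into (host, PROTO, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            host, proto, port = line.split()
            flows.append((host, proto.upper(), int(port)))
    return flows

def audit(flows, allowed=("secure-syslog",)):
    """Return per-(node, transport) message counts and a list of findings:
    a node using a transport the design disallows (e.g. plaintext UDP when only
    secure TCP is wanted), or a node sending nothing over any allowed transport.
    Ports outside TRANSPORTS are labelled unknown-<proto>/<port>."""
    counts = Counter()
    for host, proto, port in flows:
        label = TRANSPORTS.get((proto, port), f"unknown-{proto}/{port}")
        counts[(host, label)] += 1
    findings = []
    for (host, label), n in sorted(counts.items()):
        if label not in allowed:
            findings.append(f"{host}: {n} message(s) over disallowed transport {label}")
    for host in sorted({h for h, _, _ in flows}):
        if not any((host, a) in counts for a in allowed):
            findings.append(f"{host}: no traffic over any allowed transport")
    return counts, findings
```

Run `audit(parse_flows(SAMPLE))` with the default policy and the sample yields five findings, including that ise-psn02 reaches MnT over no allowed transport at all; pass `allowed=("udp-syslog", "secure-syslog")` to audit against a design that permits both defaults.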