Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2876
Views
5
Helpful
5
Replies

Change Configuration Audit report in Cisco ISE

Go to solution
patelmehul.t
Level 1
Level 1

‎10-07-2019 03:46 PM

I am looking for Configuration change report in ISE. When I execute report it is full with below two events

 

'Shutdown secure connection with TLS peer'

'Open secure connection with TLS peer'

 

So even single day report is of 300Mb with lots of unwanted events. is there any way to edit this report to log only configuration changes.

 

I am using ISE on 2.4.0.357 Patch 5

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to patelmehul.t

‎10-07-2019 05:33 PM

I just looked at the message catalog and those TLS messages are part of the "Administrative and Operational Audit" category at the INFO level.  That is why they are showing up in the report.  There really isn't much you can do other than try the "Advanced Filter" on the report and filter out those message types.  Then save it in "My Reports".  

View solution in original post

5 Replies 5

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-07-2019 04:16 PM

What report are you looking at in ISE?

The configuration changes report is under Operations->Reports->Reports->Audit->Change Configuration Audit.  That shows any changes made to the system by administrators or even the system itself such as posture updates or profiler feed updates.  Once you have the report open, you can use the quick filters to filter in on what you want.  If it is still too much to go through, you can export the report to CSV and use Excel to massage it to your liking.

0 Helpful

Go to solution
patelmehul.t
Level 1
Level 1
In response to Colby LeMaire

‎10-07-2019 04:41 PM

Thanks for the reply, Yes I am looking for the configuration changes in ISE by administrator or system itself. I exported this port for 1 days and I can see around 1048575 entry in that cvs and out of those only 1 was for configuration change and remaining entry are related to connection with TLS peer. please find below table,

Row LabelsCount of 'LOGGED AT'Grand Total1048575

'Changed configuration'1
'Open secure connection with TLS peer'526108
'Shutdown secure connection with TLS peer'522466

 

so question is why are we getting connection with TLS peer logs in configuration change audit? is there any way to suppress this event. as when I try to export this report for last 7 days it is taking forever.  Hence trying to find out if any way to modify report or create custom report to have only configuration changes for the change management compliance audit.

0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to patelmehul.t

‎10-07-2019 05:33 PM

I just looked at the message catalog and those TLS messages are part of the "Administrative and Operational Audit" category at the INFO level.  That is why they are showing up in the report.  There really isn't much you can do other than try the "Advanced Filter" on the report and filter out those message types.  Then save it in "My Reports".  

Go to solution
patelmehul.t
Level 1
Level 1
In response to Colby LeMaire

‎10-10-2019 10:37 AM

Yes I checked but is there any way to suppress that log or separate that to some different logs. I really don't see any login to have TLS logs in configuration audit logs. Configuration audit should show only confrontational changes. and for your information in advance filter you can not set based on "Even ID" it is based on Admin, PSN node, Object type and Object Node." so even advance filter is not helpful.
0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to patelmehul.t

‎10-10-2019 12:53 PM

This would have to be submitted as a bug or enhancement request.  I do agree with you that the report should only include actual configuration changes and not connection events.  Open a TAC case and have them file a bug.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents