Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
916
Views
1
Helpful
3
Replies

Cisco ISE kibana alert after applying 3.2 patch 7

Go to solution
b__k
Level 1
Level 1

‎01-20-2025 04:25 PM - edited ‎01-20-2025 04:26 PM

Recently we recently applied patch 7 to ISE 3.2 to mitigate the issue noted in Field Notice FN74227

Since then I'm receiving alerts about the kibana service not running.  As far as I'm aware it was disabled before applying the patch, same as on another ISE instance I'm yet to patch.  Show application status of the unpatched (patch 4) ISE instance:

 

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
ISE MNT LogAnalytics Elasticsearch     disabled                     
ISE Logstash Service                   disabled                     
ISE Kibana Service                     disabled

 

 

show application status of the patched ISE:

 

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
ISE MNT LogAnalytics Elasticsearch     running          306097      
ISE Logstash Service                   running          309335      
ISE Kibana Service                     not running

 

How do I disable these services again?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
b__k
Level 1
Level 1

‎01-22-2025 01:50 PM

I ended up getting TAC involved to fix this.  The problem was a duplicate entry in the hosts file for the host itself (!!).

After the engineer got in via a root shell and removed the duplicate line from /etc/hosts the service was able to start and the alert emails have stopped.

View solution in original post

3 Replies 3

Go to solution
b__k
Level 1
Level 1
In response to Greg Gibbs

‎01-21-2025 02:39 PM

That was showing as already disabled.  Nevertheless, I toggled it on/off, however after clicking save the UI sat there for a long time before returning a http-get error.

I also tried a stop/start of the ISE application on the secondary node but it still tried to start the ELK stack:

Starting ISE MNT LogAnalytics Elasticsearch Service...
Starting ISE Logstash Service...
Starting ISE Kibana Service...
 ise-kibana-container failed to start ...

 

0 Helpful

Go to solution
b__k
Level 1
Level 1

‎01-22-2025 01:50 PM

I ended up getting TAC involved to fix this.  The problem was a duplicate entry in the hosts file for the host itself (!!).

After the engineer got in via a root shell and removed the duplicate line from /etc/hosts the service was able to start and the alert emails have stopped.

Customers Also Viewed These Support Documents