Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
667
Views
15
Helpful
2
Replies

Cisco ISE logs

Go to solution
Grizzelz
Level 1
Level 1

‎08-24-2022 02:52 AM

What I would like to have confirmation from Cisco is that we are saving same data to the MNTs and to our Syslog Servers, so we can safely purge that data without compromising our audit commitments.

Wherever we have both MNTs and SysLog Servers configured, is there any difference between the logs MNTs and the logs that are sent to Syslog? Are exactly the same ones?  (e.g. the Accounting logs send to LogCollector and to SLG1 contain exactly the same info with no variation?)

Any Cisco ISE Guru that can help with this.

1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎08-25-2022 06:26 PM

You could take a sample endpoint and check on your SYSLOG server whether or not you can find that same Accounting record (for example).  It always depends on what Logging Categories you have enabled when sending those to external SYSLOG receivers. e.g. the Category called "RADIUS Accounting" is one that should have the external SYSLOG as Target.  If you can't get access to the external SYSLOG server then simply run a tcpdump on the MnT server(s) to capture the outgoing SYSLOG requests - wireshark does a pretty good job at decoding them.  I think internally, ISE uses SYSLOG between PSN and MnT to build up the Live Logs. So in principle the SYSLOGs the get forwarded to external receivers should contain the same data.

View solution in original post

2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎08-25-2022 06:26 PM

You could take a sample endpoint and check on your SYSLOG server whether or not you can find that same Accounting record (for example).  It always depends on what Logging Categories you have enabled when sending those to external SYSLOG receivers. e.g. the Category called "RADIUS Accounting" is one that should have the external SYSLOG as Target.  If you can't get access to the external SYSLOG server then simply run a tcpdump on the MnT server(s) to capture the outgoing SYSLOG requests - wireshark does a pretty good job at decoding them.  I think internally, ISE uses SYSLOG between PSN and MnT to build up the Live Logs. So in principle the SYSLOGs the get forwarded to external receivers should contain the same data.

Go to solution
Marcelo Morais
VIP
VIP

‎08-26-2022 11:03 PM

Hi @Grizzelz ,

 please take a look at Administration > System > Logging > Logging Categories, check the Targets column and check what you are sending to the LogCollector (MnT) and to your Syslog.

Hope this helps !!!

0 Helpful
Customers Also Viewed These Support Documents