11-12-2023 02:01 PM
Hi,
I need to integrate ISE to send logs to SIEM.
I have a distributed large deployment, one VM for each ISE persona.
My doubt is the following:
1. Which IP address should I configure on the SIEM? Only the MnT nodes? Or all Cisco ISE nodes?
2. Which ISE node will send logs to SIEM?
11-12-2023 03:28 PM
When configured with a remote logging target, all ISE nodes will directly send syslog to the external target. The PSNs will send endpoint session-related logs directly to the target and all nodes will send health-related logs directly to the target.
11-13-2023 07:10 AM
Hello, thank you.
I still have doubts about which IP addresses I should add to the SIEM server configuration and allow in the firewall rules.
My initial understanding was that only the MnT IP addresses need to be added to the SIEM configuration. Please let me know if this is not correct.
Since all the logs are sent to MnT, I am assuming that MnT has the needed information to send to the SIEM.
11-13-2023 09:12 AM
That is the case unless you configure an external logging target. When you configure the external logging target all ISE nodes that would have generated and sent the logs to the MnT will start sending their logs to the external logging target.
11-13-2023 08:25 AM
I use Splunk as the remote logging target and configure all ISE nodes to communicate with the Splunk SIEM.
11-13-2023 01:10 PM
@iran ... to be very clear, the MnT nodes DO NOT 'roll-up' logs sent from the other nodes and send them to the external syslog/SIEM server. As I stated before, all nodes will source their relevant syslog messages directly to the external target.
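Since every ISE node sends its own syslog straight to the remote logging target, the SIEM side should be verified against the whole node inventory, not just the MnT addresses. The following script is an added example (not from this thread or from Cisco): the inventory and the syslog records are constructed, and it reports nodes that never appear as a syslog source (likely blocked by a firewall rule) and senders that are not in the inventory.

```python
"""Audit which ISE nodes actually reach the SIEM as syslog sources.

Added example, not from the thread or from Cisco. The inventory and the
syslog lines are constructed; only the ISE behaviour (every node sends
directly to the remote logging target) comes from the thread.
"""
import re
from collections import Counter

# Constructed inventory: one VM per persona, as in the question.
ISE_NODES = {
    "ise-pan-1": "10.0.10.11", "ise-pan-2": "10.0.10.12",
    "ise-mnt-1": "10.0.10.21", "ise-mnt-2": "10.0.10.22",
    "ise-psn-1": "10.0.20.31", "ise-psn-2": "10.0.20.32",
}

# Constructed BSD-syslog style records as a SIEM might store them; the
# fourth field is the sending node, which is what the firewall must permit.
SAMPLE_SYSLOG = """\
<181>Nov 13 09:12:01 10.0.10.21 CISE_Alarm 0000000001 1 0 ...
<181>Nov 13 09:12:05 10.0.20.31 CISE_Passed_Authentications 0000000002 1 0 ...
<181>Nov 13 09:12:07 10.0.10.11 CISE_Administrative_and_Operational_Audit 0000000003 1 0 ...
<181>Nov 13 09:12:09 10.0.20.31 CISE_RADIUS_Accounting 0000000004 1 0 ...
<181>Nov 13 09:12:15 192.0.2.99 CISE_Passed_Authentications 0000000005 1 0 ...
"""

HEADER = re.compile(r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) ")

def expected_sources(nodes):
    """Every node, not only MnT, must be allowed through to the SIEM."""
    return set(nodes.values())

def observed_sources(syslog_text):
    """Count messages per sending host as seen by the SIEM."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = HEADER.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def audit(nodes, syslog_text):
    """Report nodes that never reached the SIEM and senders not in inventory."""
    seen = observed_sources(syslog_text)
    silent = {name for name, ip in nodes.items() if seen[ip] == 0}
    unexpected = set(seen) - expected_sources(nodes)
    return {"silent": silent, "unexpected": unexpected, "per_source": dict(seen)}

if __name__ == "__main__":
    print(audit(ISE_NODES, SAMPLE_SYSLOG))
```

A silent PSN after the remote logging target is configured usually means its address was left out of the SIEM allowlist or firewall rule, exactly the mistake the thread warns about.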