Cisco ISE Syslog Message Type

Netmart
Level 3

Hello, 

Currently, TACACS Accounting [Log Sec Level INFO] is set up and Splunk is selected as target syslog server.

Are there tags like "CISE_TACACS_Authentication" and "CISE_TACACS_Authorization" available?

Please advise.


Thanks.

4 Replies

Netmart
Level 3

Ok, I guess it seems I am the only one with the desire to log authentication, authorization, and accounting requests in Cisco ISE.

My question was whether it is possible to filter accounting, authentication, and authorization separately in syslogs. And what is needed to set up in Cisco ISE?

Thanks.

Arne Bier
VIP

First of all, which ISE Logging Categories have you selected and are sending to your Splunk? In my experience, I had to select two different Categories to get what I was looking for in the SYSLOGS. Failed and Passed, as shown below, send not only TACACS auth events but also the RADIUS events. This can be an issue because ISE doesn't have an option to distinguish and pre-filter them. The SYSLOG receiver will need a pre-filter rule to discard a lot of unwanted noise.

ArneBier_0-1743197356492.png

The other categories under AAA Diagnostics such as "Administration Authentication and Authorization" contain only TACACS AuthN and AuthZ events. And then finally, the "Accounting" category "TACACS Accounting" contains the TACACS Accounting.

Your question about filtering this in ISE: you can't filter anything - the best we can do is to select the absolute minimum number of categories in ISE to prevent sending stuff that the SIEM doesn't need. The filtering and processing is done on the receiving end.
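A receiver-side pre-filter of the kind described in the reply above, as an added example that is not part of the original posts and is not Cisco or Splunk code: it drops RADIUS events arriving in the Passed/Failed categories and counts TACACS authentication, authorization and accounting separately. The `Protocol=` and `Type=` attribute names and the sample lines are assumptions constructed for illustration; compare them with a real line captured from your ISE before relying on them.

```python
from collections import Counter

# Categories that carry both RADIUS and TACACS events.
PASS_FAIL = {"CISE_Passed_Authentications", "CISE_Failed_Attempts"}

def parse(line):
    """Return (category tag, attribute dict) for one ISE syslog line."""
    category = next((t for t in line.split() if t.startswith("CISE_")), None)
    attrs = {}
    for part in line.split(", "):          # assumed: attributes are ", "-separated
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return category, attrs

def classify(line):
    """Return 'authentication', 'authorization', 'accounting', or None to discard."""
    category, attrs = parse(line)
    if category == "CISE_TACACS_Accounting":
        return "accounting"
    if category in PASS_FAIL and attrs.get("Protocol", "").lower() == "tacacs":
        kind = attrs.get("Type", "").lower()   # assumed attribute name
        if kind in ("authentication", "authorization"):
            return kind
    return None  # RADIUS events and every other category are dropped

def report(lines):
    """Count kept events per AAA component."""
    return Counter(c for c in map(classify, lines) if c)

# Constructed sample lines (not real ISE output).
HDR = "<181>Mar 28 10:00:0%d ise01 %s 000000010%d 1 0 "
SAMPLE = [
    HDR % (1, "CISE_Passed_Authentications", 1) + "Authentication succeeded, Protocol=Tacacs, Type=Authentication, UserName=alice",
    HDR % (2, "CISE_Passed_Authentications", 2) + "Authorization succeeded, Protocol=Tacacs, Type=Authorization, UserName=alice",
    HDR % (3, "CISE_Failed_Attempts", 3) + "Authentication failed, Protocol=Tacacs, Type=Authentication, UserName=bob",
    HDR % (4, "CISE_Passed_Authentications", 4) + "Authentication succeeded, Protocol=Radius, UserName=host/pc01",
    HDR % (5, "CISE_RADIUS_Accounting", 5) + "Accounting start, Protocol=Radius, UserName=host/pc01",
    HDR % (6, "CISE_TACACS_Accounting", 6) + "Command accounting, Protocol=Tacacs, Type=Accounting, UserName=alice",
    HDR % (7, "CISE_TACACS_Accounting", 7) + "Command accounting, Protocol=Tacacs, Type=Accounting, UserName=bob",
]

if __name__ == "__main__":
    print(dict(report(SAMPLE)))
```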

Netmart
Level 3

Thank you Arne.

For now, TACACS Accounting is selected.

Netmart_0-1743216731769.png

And to assess the volume of requests, I've been asked to create a separate report for each component: authentication, authorization, and accounting for a week.

Since there is the option to filter Type Accounting and Authentication, I was expecting to be able to apply the same filter in Splunk.

However, so far I've only been able to see Type Accounting, nothing for Authentication, though events for Authentication are seen under Live Logs.

Netmart_2-1743217665247.png

I am able to filter for Type Accounting, but not activities seen for Authentication. Therefore, I was wondering whether the Type Authentication has to be enabled in Cisco ISE / Logging / Logging Categories.

Just found this link, describing the problem I am experiencing; so it sounds like I am not the only one:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-ISE-Authentications-are-not-showing-in-Splunk/m-p/136714

...unfortunately no solution is seen in this blog...