10-14-2022 11:22 AM
Is there a way to troubleshoot or validate that Cisco ISE is sending syslogs to a "Remote Logging Target"?
I'm trying to set this up with QRadar; however, it's showing that it's not receiving any logs from ISE. I've confirmed that IBM has ISE packages to support it, but I'm concerned because it says it supports versions 1.1 to 2.2 (seems very dated). I'm running 3.1P3 at the moment. I've set up the logging categories to include the new target but still no luck. There are no firewalls between ISE and QRadar.
10-14-2022 11:26 AM
@Lucas Borza run tcpdump on ISE and filter on the syslog IP address to determine whether ISE attempts to communicate.
10-14-2022 11:27 AM
This might sound silly, but I've tried that and it's empty. The syslogs are being sent over UDP. Would the tcpdump cover that?
10-14-2022 11:35 AM - edited 10-14-2022 11:36 AM
@Lucas Borza have you assigned the remote logging server as a target under the required logging categories?
10-14-2022 12:04 PM
Yes. It turns out the team that manages QRadar had an error in their setup, and they resolved it. I would hope that the tcpdump would cover the UDP traffic to at least prove that I am sending the logs.
10-15-2022 07:11 AM
Covered in one of our ISE Webinars. Now available on the CiscoISE YouTube channel.
ISE Initial Setup and Operations
12:00 Syslogs and Remote Logging Targets
15:09 Logging Categories and Example Syslogs
17:05 Authentication Syslogs from Meraki Dashboard
19:33 Syslog Message Catalog and Export
20:37 Syslog Collection Filters
10-15-2022 08:17 AM
I'm thinking something is up with QRadar not showing the "Notice" syslogs. I have my logging categories set up correctly, but I'm looking to see the authentication/authorization logs from every attempt. The goal is to have it so I can trigger an alert if a device is Anomalous or if it hits an Authorization Policy I set for quarantine. I saw in the QRadar documentation that they support versions 1.1 to 2.2, which I find pretty dated. Maybe they don't accept all syslogs from ISE since I'm running 3.1P3.
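One way to check the receiving side independently of QRadar, as an added example that is not part of this thread or of any Cisco or IBM tooling: a minimal UDP listener that stands in for the remote logging target and tallies messages by ISE logging category, so you can see whether the Passed-Authentication NOTICE messages leave ISE at all. The CISE_ header layout assumed here (sequence number, segment count, segment index) and the sample lines are constructed for the example.

```python
"""Stand-in collector: receive Cisco ISE syslog over UDP and count per logging category."""
import re
import socket
from collections import Counter

# PRI = facility*8 + severity; severity 5 is NOTICE, the level ISE uses for
# Passed-Authentication and authorization messages.
SEVERITY = {0: "EMERG", 1: "ALERT", 2: "CRIT", 3: "ERR",
            4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}

# Assumed ISE header: "<PRI>Mon DD HH:MM:SS host CISE_<Category> seq segs idx body"
ISE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"CISE_(?P<category>\w+) (?P<seq>\d+) (?P<segs>\d+) (?P<idx>\d+) (?P<body>.*)$")

def parse_ise_syslog(line):
    """Header fields of one ISE message, or None if the line is not from ISE."""
    m = ISE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": SEVERITY.get(pri % 8, "UNKNOWN"),
            "host": m["host"], "category": m["category"], "seq": int(m["seq"]),
            "segment": (int(m["idx"]), int(m["segs"])),  # (index, total) for reassembly
            "body": m["body"]}

def count_categories(lines):
    """Counter of CISE_ categories seen; anything else is tallied as 'non-ISE'."""
    counts = Counter()
    for line in lines:
        parsed = parse_ise_syslog(line)
        counts[parsed["category"] if parsed else "non-ISE"] += 1
    return counts

def listen(port=514, max_messages=100):
    """Bind the UDP syslog port and yield decoded datagrams (point ISE's target here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_messages):
            data, _addr = s.recvfrom(65535)
            yield data.decode("utf-8", errors="replace")

SAMPLE = [  # constructed sample lines in the assumed format (not a real ISE capture)
    "<181>Oct 14 11:22:33 ise01 CISE_Passed_Authentications 0000000123 1 0 2022-10-14 11:22:33.101 -04:00 5200 NOTICE Passed-Authentication: Authentication succeeded,",
    "<181>Oct 14 11:22:34 ise01 CISE_Passed_Authentications 0000000124 2 0 2022-10-14 11:22:34.002 -04:00",
    "<181>Oct 14 11:22:34 ise01 CISE_Passed_Authentications 0000000124 2 1 AuthorizationPolicy=Quarantine,",
    "<182>Oct 14 11:22:35 ise01 CISE_Alarm 0000000125 1 0 2022-10-14 11:22:35.000 -04:00 INFO Alarm:",
    "<13>Oct 14 11:22:36 otherhost sshd[1]: Accepted publickey",
]
if __name__ == "__main__":
    print(count_categories(listen()))  # on a test host that ISE names as a logging target
```

If the listener on a test host sees the categories but QRadar does not, the problem is on the collector side, as it turned out to be here; if nothing arrives, the tcpdump on ISE is the next check.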