Beginner
Cisco ISE 2.7 P2 - ISE Alarms to Syslog

Hi All,

 

I know this has been picked up several times before, but I am still having issues with passing syslog messages from the ISE Alarm list.

 

We have gone about updating all Alarms, based on their use and criticality, to be checked for "Send Syslog Message".

 

We have added Remote Logging Targets for our internal Syslog servers, and I have checked the box for them, "Include Alarms for this target".

 

If I monitor what is flowing in syslog I see nothing. I did enable chatty alarms, which would produce syslog if I were to make an ISE config change, but still nothing.

If I add this same server under one of the Logging Categories as a target, I get all the syslog messages through, which are not meant to be received.

 

My understanding is that this last step is not required if I want to receive only the Alarms generated on ISE.

 

Please advise.

5 REPLIES
VIP Mentor

First, check: do you see any ISE alarm generated locally, before you ship it to the syslog server?

 

I do not see any issue shipping logs to syslog using ISE 2.4.

 

This thread may help you (you can get the concept and deploy the same):

 

https://community.cisco.com/t5/network-access-control/ise-1-3-and-sending-alarms-as-syslog-messages/m-p/3456202

BB
*** Rate All Helpful Responses ***

Thanks balaji.bandi.

 

That was the article I stumbled across when I was doing my research, and according to the advice there my setup appears to be correct. I do see Alarms in the Cisco Dashboard being generated and incrementing, and the time of last occurrence is also showing up in line with the alarms; it is just that Syslog is not seeing them.

 

Will give it a minute and, if not, will try to get a TCP dump to see if messages are leaving the server for the destination specified.

VIP Mentor

I know you mentioned the syslog server is able to get other syslog, so there is no connectivity issue that I see here; the other option is tcpdump to get a clear picture of where the packets are dropped.

BB
*** Rate All Helpful Responses ***

I ran some tests in my lab ISE setup: created a syslog service on an Ubuntu box and enabled it as a Remote Logging Target for UDP, was able to capture syslog messages coming through, and was able to do a TCP Dump on ISE to confirm the same.

 

In prod everything is configured in the same manner, except that we also have the same syslog server over UDP and the same server over TCP. Messages are not going through; a TCP Dump on ISE did not show anything of interest apart from SYN and TCP Retransmission messages, no plain Syslog.

 

Will run some tests tomorrow by capturing closer to the prod syslog server.

Beginner

I ended up removing all our configured Remote Logging Targets and added the UDP syslog server, and I am seeing logs flowing in now. I have not gone about adding any TCP syslog server back, but my gut feeling here is that there was some sort of internal crash encountered due to the TCP destination not listening on the port specified, which ended up grinding everything to a halt.

 

That being a prod environment, I am not looking to carry out any further tests.
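The two checks the thread converges on, confirming that a UDP target actually receives a syslog line and that a TCP target is really listening before it is configured, can be scripted on the syslog host. The following is an added example written for this thread, not code from Cisco ISE or from any poster; the hostname `ise-lab`, the tag `ISE-Alarm`, the facility/severity values and the message text are constructed placeholders and do not reproduce ISE's real alarm format.

```python
import socket
from datetime import datetime

# Constructed sample values for the offline self-test (not ISE's real format).
SAMPLE_HOST = "ise-lab"      # hypothetical ISE node name
SAMPLE_TAG = "ISE-Alarm"     # hypothetical tag


def tcp_target_listening(host, port, timeout=2.0):
    """Return True only if a TCP listener accepts a connection on host:port.
    A refused or timed-out connect means a TCP Remote Logging Target on
    that host:port would never receive anything (the thread's failure mode)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_syslog_message(facility, severity, hostname, tag, text):
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG,
    where PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(line):
    """Split the <PRI> prefix back into (facility, severity); reject malformed input."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def udp_listener(host="127.0.0.1", port=0, timeout=2.0):
    """Bind a throwaway UDP receiver (port 0 lets the OS pick a free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock


def send_udp(line, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


def receive_line(sock):
    data, _ = sock.recvfrom(65535)
    return data.decode("utf-8", errors="replace")


def udp_round_trip(facility=1, severity=4):
    """Send one constructed alarm line to a local UDP listener and return
    (received_matches_sent, (facility, severity)) parsed from what arrived."""
    sock = udp_listener()
    try:
        port = sock.getsockname()[1]
        line = build_syslog_message(facility, severity, SAMPLE_HOST,
                                    SAMPLE_TAG, "constructed test alarm")
        send_udp(line, "127.0.0.1", port)
        got = receive_line(sock)
    finally:
        sock.close()
    return got == line, parse_pri(got)


def closed_tcp_port():
    """Reserve and release a local TCP port, giving a port nobody listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def tcp_listener_demo():
    """Open a real TCP listener and confirm the connect check sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return tcp_target_listening("127.0.0.1", srv.getsockname()[1])


def check_targets(targets):
    """targets: iterable of (host, port, proto). TCP targets are connect-tested
    (True/False); UDP targets get None because UDP cannot be probed passively,
    so they must be validated with a round trip like udp_round_trip()."""
    results = {}
    for host, port, proto in targets:
        key = f"{host}:{port}/{proto.lower()}"
        results[key] = (tcp_target_listening(host, port)
                        if proto.lower() == "tcp" else None)
    return results


if __name__ == "__main__":
    print("UDP round trip:", udp_round_trip())
    dead = closed_tcp_port()
    print(check_targets([("127.0.0.1", dead, "TCP"), ("127.0.0.1", 514, "UDP")]))
```

Run `check_targets()` against the list of Remote Logging Targets before enabling them on ISE: any TCP entry that comes back `False` is a target that will only ever generate SYNs and retransmissions, which is exactly what the tcpdump in the thread showed.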