Cisco ISE 2.7 P2 - ISE Alarms to Syslog

AigarsK
Level 1

Hi All,

I know this has been picked up several times before but I am still having issues with passing syslog messages from the ISE Alarm list.

We have gone about updating all Alarms based on their use and criticality to be checked for "Send Syslog Message".

We have added Remote Logging Targets of our internal Syslog servers, and I have checked the box for them "include Alarms for this target".

If I monitor what is flowing in syslog I see nothing. I did enable chatty alarms which would produce syslog if I was to make an ISE config change, but still nothing.

If I was to add this same server under one of the Logging Categories as a target I get through all the syslog messages which are not meant to be received.

My understanding is that this last step is not required if I want only to receive Alarms generated on ISE.

Please advise.


5 Replies

balaji.bandi
Hall of Fame

First, check whether you see any ISE alarm generated locally before you ship to the syslog server.

I do not see any issue shipping logs to syslog using ISE 2.4.

This thread should help you (you can get the concept and deploy the same):

https://community.cisco.com/t5/network-access-control/ise-1-3-and-sending-alarms-as-syslog-messages/m-p/3456202

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks balaji.bandi

That was the article I did stumble across when I was doing my research, and according to the advice there my setup appears to be correct. I do see Alarms in the Cisco Dashboard being generated and incrementing, and the time for last occurrence is also showing up in line with the alarms; it is just that Syslog is not seeing them.

Will give it a minute and if not, will try to get a TCP dump to see if messages are leaving the server to the destination specified.

balaji.bandi
Hall of Fame

I know you mentioned the syslog server is able to get other syslog, so there is no connectivity issue I see here; the other option is tcpdump to get a clear picture of where the packets are dropped.

BB


I ran some tests in my lab ISE setup, created a syslog service on an Ubuntu box and enabled it as a Remote Logging Target for UDP, was able to capture syslog messages coming through and was able to do a TCP dump on ISE to confirm the same.

In prod everything is configured in the same manner, except that we also have the same syslog server using UDP and the same server using TCP; messages are not going through. The TCP dump on ISE did not show anything of interest apart from SYN and TCP Retransmission messages, no plain Syslog.

Will run some tests tomorrow by capturing closer to the prod syslog server.

AigarsK
Level 1

I ended up removing all our configured Remote Logging Targets and added the UDP syslog server, and I am seeing logs flowing in now. I have not gone about adding any TCP syslog server back, but my gut feel here is that there was some sort of internal crash encountered due to the TCP destination not listening on the port specified, which did end up grinding everything to a halt.

Having that as a prod environment, I am not looking to carry out any further tests.
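A loopback check of the kind this outcome calls for (a TCP target that only ever answers SYNs with retransmissions, versus a UDP target that actually receives the message), written here as an added example and not code from the thread or from Cisco ISE; the hostname, facility/severity values and test alarm text are constructed, and the listeners it talks to are created by the script itself.

```python
import socket
from datetime import datetime

def probe_tcp_target(host, port, timeout=2.0):
    """True only if a listener accepts the TCP connection; refused or timed-out
    connects are what show up as SYN + retransmissions in a capture."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_syslog_message(facility, severity, hostname, app, text):
    """RFC 3164-style line; PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {app}: {text}"

def parse_pri(line):
    """Recover (facility, severity) from a '<PRI>' prefix, None if malformed."""
    end = line.find(">", 1, 6)
    if not line.startswith("<") or end == -1:
        return None
    try:
        pri = int(line[1:end])
    except ValueError:
        return None
    return (pri // 8, pri % 8) if pri <= 191 else None

def send_udp_message(host, port, line):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))

def self_check():
    """Loopback demo: a UDP receiver and a TCP listener stand in for the syslog server."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(("127.0.0.1", 0))          # ephemeral port, constructed receiver
        udp.settimeout(2.0)
        port = udp.getsockname()[1]
        sent = build_syslog_message(20, 4, "ise-node", "ise-alarm", "constructed test alarm")
        send_udp_message("127.0.0.1", port, sent)
        got = udp.recv(2048).decode("utf-8")
    results["udp_round_trip"] = got == sent
    results["udp_pri"] = parse_pri(got)      # local4 / warning -> (20, 4)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
        tcp.bind(("127.0.0.1", 0))
        tcp.listen(1)
        tport = tcp.getsockname()[1]
        results["tcp_listening"] = probe_tcp_target("127.0.0.1", tport, 1.0)
    # listener gone: the same port now refuses, like a dead TCP logging target
    results["tcp_after_close"] = probe_tcp_target("127.0.0.1", tport, 1.0)
    return results
```

Run `probe_tcp_target(host, port)` against a real collector before adding it as a TCP Remote Logging Target; a `False` result is the condition this thread ended up suspecting.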
