Cisco Employee

Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

Hi team,


I am looking for a way to take advantage of the Windows Event Subscription Service as a source of Passive Identity for ISE/ISE-PIC. This service can be used to centralize domain logon events from all the domain controllers and could be used instead of configuring specific DCs in ISE-PIC for WMI or with the AD Agents. So 2 methods could be used:

- Syslogging out from the server that has this Subscription service to ISE/ISE-PIC using the Syslog Provider

- Perform a REST API call from the server to ISE for these logs using the REST API provider

Looking for guidance from you on if this has been done before and if we have a recipe to accomplish the Syslog Provider or REST API option?


Thanks

Accepted Solution
Cisco Employee

Re: Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

Hi,

If you do not want to use the specific-built AD provider, syslog will be your only other option. Please keep in mind, this isn't something our QA team has tested, but that doesn't mean it isn't possible. You will most likely need to create custom syslog headers and templates for this to work. The REST API is used in VDI environments, so unfortunately it is not an option. I do have an example of how to create custom templates in this community if you are interested.

Regards,

-Tim
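
The syslog option discussed in this thread, as an added example that is not part of the original posts and is not Cisco-provided or Cisco-tested code: a PowerShell script, run on the event collector, that reads logon events from the Forwarded Events log and sends one syslog line per user-to-IP mapping. Assumptions: the subscription forwards event ID 4768, the host name and port are placeholders, the script runs every five minutes from a scheduled task, and the `user=... domain=... ip=...` layout is a constructed format that a custom ISE syslog template would have to be written to match.

```powershell
# Assumed values (not from the thread): ISE/ISE-PIC syslog listener and event ID.
$IseHost = 'ise-pic.example.com'   # placeholder host name
$IsePort = 514                     # placeholder UDP port
$EventId = 4768                    # Kerberos TGT request, assumed to be in the subscription

function ConvertTo-LogonSyslog {
    param([Parameter(Mandatory)]$Record)   # an EventLogRecord returned by Get-WinEvent
    # Collect the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $user = $data['TargetUserName']
    # 4768 reports IPv4 clients as IPv4-mapped IPv6 addresses; strip the prefix.
    $ip = "$($data['IpAddress'])" -replace '^::ffff:', ''
    # Skip machine accounts and events without a usable client address.
    if (-not $user -or $user.EndsWith('$')) { return $null }
    if (-not $ip -or $ip -in @('-', '::1', '127.0.0.1')) { return $null }
    $stamp = $Record.TimeCreated.ToString('MMM dd HH:mm:ss', [cultureinfo]::InvariantCulture)
    # <110> = facility 13 (log audit) * 8 + severity 6 (informational).
    # MachineName is the originating DC, not the collector.
    "<110>$stamp $($Record.MachineName) ADLOGON: user=$user domain=$($data['TargetDomainName']) ip=$ip"
}

$udp = New-Object System.Net.Sockets.UdpClient
try {
    # Window matches the assumed five-minute schedule; events on the boundary
    # can be sent twice or missed, so persist a bookmark if that matters.
    $filter = @{ LogName = 'ForwardedEvents'; Id = $EventId; StartTime = (Get-Date).AddMinutes(-5) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $line = ConvertTo-LogonSyslog -Record $_
            if ($line) {
                $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)
                [void]$udp.Send($bytes, $bytes.Length, $IseHost, $IsePort)
            }
        }
}
finally { $udp.Close() }
```

UDP syslog is unauthenticated and ISE will trust whatever mapping the message carries, so limit which hosts can reach the listener to the collector servers.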

VIP Advocate

Re: Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

Tim,

Question on this.  I believe the format of the forwarded logs is the same as the log format on the DCs themselves.  The logs reside in a Forwarded Events log vs. Security Logs in the Event Viewer.  Why can't the DC Agent be coded to allow you to select the Forwarded Events log?

Putting the DC agent on a pair of event collection servers looking at the Forwarded Events log vs. doing WMI calls to the DCs or installing DC agents on all the DCs seems like a much better option. 

Cisco Employee

Re: Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

In theory, this should be possible to do, which would allow for greater scale of domain controllers beyond the 100 limit that exists today. The reason it currently isn't supported is that we didn't QA that use case prior to the release of ISE / PIC 2.2. I'll forward your feedback to the PM team. Thanks!

Regards,

-Tim

VIP Advocate

Re: Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

Yeah, the user story for doing this would be highly appealing, I think. In my discussions with customers, the permissions needed for WMI polling of the DCs or installing an agent on their DCs are not appealing options. Installing an agent on a member server acting as a log collector is an easy sell.

Thanks for the quick response Tim.

Paul Haferman


Beginner

Re: Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

Did you ever come up with an acceptable solution for this? I'm facing the same exact issue. In my case, the client has over 80 DCs (site servers), so it's not even possible for me to set all these AD connectors in ISE. I started down the road of attempting to set up a logging server and either forwarding events to it or subscribing to all the DCs, but it looks like I can't specify the security log as a destination and I can't see a way to configure the connector to look at another log.

Thanks

Greg