Domain logon events forwarding to Windows Event Subscription Service with ISE/ISE-PIC

slevesqu (Cisco Employee)

Hi team,

I am looking for a way to take advantage of the Windows Event Subscription Service as a source of Passive Identity for ISE/ISE-PIC. This service can be used to centralize domain logon events from all the domain controllers and could be used instead of configuring specific DCs in ISE-PIC for WMI or with the AD Agents. So two methods could be used:

- Syslog out from the server that hosts this subscription service to ISE/ISE-PIC using the Syslog provider

- Perform a REST API call from the server to ISE for these logs using the REST API provider

Looking for guidance from you on whether this has been done before and if we have a recipe to accomplish the Syslog provider or REST API option?

Thanks
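The collection side the question describes, as an added example that is not part of the original post or any Cisco material: a source-initiated Windows Event Forwarding subscription on a member-server collector that pulls logon-related Security events (4624, 4768, 4770) from every domain controller into the ForwardedEvents log. The subscription name, description and event ID selection are assumptions for illustration; the SDDL string grants the Domain Controllers group (SDDL alias DC) as the allowed source.

```powershell
# Added example (not from the thread): create a WEF subscription on the collector
# that gathers domain logon events from all DCs into the ForwardedEvents log.
# Assumptions: subscription name "DC-Logons" and the event ID list are illustrative.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Domain logon events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency pushes events as they occur, which identity mapping needs -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4770)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- Only members of the Domain Controllers group may push events to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'DC-Logons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# Register the subscription with the Windows Event Collector service, then
# show runtime status (which DCs have connected, last heartbeat, errors).
wecutil cs $path
wecutil gr DC-Logons
```

The DCs still need the "Configure target Subscription Manager" policy pointing at this collector, and the DC-side Network Service account needs read access to the Security log (membership in Event Log Readers) before anything shows up in ForwardedEvents. Restricting AllowedSourceDomainComputers to the Domain Controllers group matters because whatever lands in that log will be treated as authoritative identity data downstream.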

Accepted Solution

Timothy Abbott (Cisco Employee)

Hi,

If you do not want to use the specific-built AD provider, syslog will be your only other option.  Please keep in mind, this isn't something our QA team has tested, but that doesn't mean it isn't possible.  You will most likely need to create custom syslog headers and templates for this to work.  The REST API is used in VDI environments, so unfortunately it is not an option. I do have an example of how to create custom templates in this community if you are interested.

Regards,

-Tim

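The syslog path the accepted answer points to, as an added example that is not from the thread or from Cisco: a script run on the WEF collector that reads recent 4624 events from ForwardedEvents, keeps only user logons with a usable source IP, and emits each as a fixed key=value syslog line over UDP to ISE-PIC. The ISE-PIC hostname, port, the "wef-ise" tag and the "ISE-PIC-LOGON user=... ip=..." body format are assumptions; the custom syslog template on the ISE side has to be written to match whatever body format you choose.

```powershell
# Added example (not from the thread): forward DC logon events collected in
# ForwardedEvents to ISE-PIC as syslog. Assumptions: ISE-PIC listens on UDP 514
# at $IseHost and a custom syslog template there parses the key=value body below.
param(
    [string]$IseHost     = "ise-pic.example.local",   # assumption
    [int]   $IsePort     = 514,
    [string]$LogName     = "ForwardedEvents",
    [int]   $LookbackMin = 5,
    [int[]] $LogonTypes  = @(2, 7, 10, 11)   # interactive, unlock, RDP, cached interactive
)

function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read EventData fields by name rather than by position; forwarded events
    # keep the same EventData layout the DC wrote.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Computer  = $xml.Event.System.Computer   # the DC that logged the event
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        Ip        = $data['IpAddress']
        LogonType = [int]$data['LogonType']
    }
}

function Test-UsefulLogon {
    param($Rec)
    # Drop machine accounts, well-known service accounts, loopback/missing IPs
    # and logon types that carry no endpoint-to-user mapping (e.g. type 3 network).
    if ($Rec.User -match '\$$') { return $false }
    if ($Rec.User -in @('ANONYMOUS LOGON', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')) { return $false }
    if ($Rec.Ip -in @('-', '::1', '127.0.0.1', $null, '')) { return $false }
    if ($Rec.LogonType -notin $LogonTypes) { return $false }
    return $true
}

function Format-SyslogLine {
    param($Rec, [string]$Hostname)
    # RFC 3164 layout: <PRI>TIMESTAMP HOST TAG: MSG ; PRI 14 = facility user(1)*8 + severity info(6)
    $ts = $Rec.Time.ToString('MMM dd HH:mm:ss')
    "<14>$ts $Hostname wef-ise: ISE-PIC-LOGON user=$($Rec.User) domain=$($Rec.Domain) ip=$($Rec.Ip) logon_type=$($Rec.LogonType) dc=$($Rec.Computer)"
}

$filter = @{ LogName = $LogName; Id = 4624; StartTime = (Get-Date).AddMinutes(-$LookbackMin) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$udp = New-Object System.Net.Sockets.UdpClient
try {
    $udp.Connect($IseHost, $IsePort)
    $sent = 0
    foreach ($e in $events) {
        $rec = ConvertTo-LogonRecord -Event $e
        if (-not (Test-UsefulLogon $rec)) { continue }
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((Format-SyslogLine $rec $env:COMPUTERNAME))
        [void]$udp.Send($bytes, $bytes.Length)
        $sent++
    }
    Write-Host "Forwarded $sent logon event(s) from $LogName to ${IseHost}:$IsePort"
}
finally { $udp.Close() }
```

Run it from a scheduled task at an interval no larger than $LookbackMin, or replace the time window with a persisted bookmark so nothing is sent twice. Because plain syslog over UDP carries no authentication, anything that can spoof the collector's address can inject user-to-IP mappings into ISE-PIC, so register only the collector's IP as the syslog provider source on the ISE side and keep the collector on a management network that endpoints cannot reach.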

5 Replies


Tim,

Question on this.  I believe the format of the forwarded logs is the same as the log format on the DCs themselves.  The logs reside in a Forwarded Events log vs. Security Logs in the Event Viewer.  Why can't the DC Agent be coded to allow you to select the Forwarded Events log?

Putting the DC agent on a pair of event collection servers looking at the Forwarded Events log vs. doing WMI calls to the DCs or installing DC agents on all the DCs seems like a much better option. 

In theory, this should be possible to do which would allow for greater scale of domain controllers beyond the 100 limit that exists today.  The reason it currently isn't supported is because we didn't QA that use case prior to the release of ISE / PIC 2.2.  I'll forward your feedback to the PM team. Thanks!

Regards,

-Tim

Yeah the user story for doing this would be highly appealing I think. In my discussions with customers, the permissions needed for WMI polling of the DCs or installing an agent on their DCs are not appealing options. Installing an agent on a member server acting as a log collector is an easy sell.

Thanks for the quick response Tim.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Did you ever come up with an acceptable solution for this?  I'm facing the same exact issue.  In my case, the client has over 80 DCs (site servers), so it's not even possible for me to set all these AD connectors in ISE.  I started down the road of attempting to setup a logging server and either forwarding events to it or subscribing to all the DCs, but it looks like I can't specify the security log as a destination and I can't see a way to configure the connector to look at another log.


Thanks


Greg
