Don't see option to send 'NOTICE' level events to External Syslog

PradeepSingh
Level 1

Hi,

 

We are not getting 'NOTICE' severity level events in the External Syslog server from Cisco ISE. We understand it should be possible if we select the 'INFO' level while defining the targets, since there is no option to select 'NOTICE'. Since we see some logs from ISE, we are sure syslog traffic is not blocked in the path.

 

Thanks in advance.

1 Reply

Arne Bier
VIP

Hello

 

It should work.

 

What version of ISE?

 

I am using ISE 2.7 patch 6 and my syslog server is Ubuntu 20.04 LTS running the default rsyslog daemon.

In ISE I added my Ubuntu server as LOCAL6 facility and UDP/514

In the Logging Categories I added this remote logging target for "Administrative and Operational Audit" to log every time I log into the ISE Admin GUI.

 

Dec 16 08:46:10 nac1 CISE_Administrative_and_Operational_Audit 0000000224 1 0 2021-12-16 08:46:10.039 +10:00 0000902175 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=User logged out,
Dec 16 08:46:21 nac1 CISE_Administrative_and_Operational_Audit 0000000225 1 0 2021-12-16 08:46:21.198 +10:00 0000902190 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=Administrator authentication successful,

My /etc/rsyslog.conf had a few tweaks to allow UDP/514 and also to log local6.notice

 

All operations run as root user:

 

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# Rules
# local6.notice selects NOTICE and every higher severity on facility local6
local6.notice   /var/log/isesyslog.log

I made a local file to log the results for this test

# create the file the local6.notice rule writes to (same path as in rsyslog.conf)
touch /var/log/isesyslog.log
chown syslog:adm /var/log/isesyslog.log

 

Then restart the daemon

systemctl restart rsyslog

and tail the results

 

tail -f /var/log/isesyslog.log
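To check on the collector that NOTICE events really arrive and to pull the admin-login fields out of lines like the two above, here is an added Python example (not code from this thread or from Cisco). The field names in the regex are this example's own reading of the two sample lines, not Cisco's official schema.

```python
import re
from collections import Counter

# Constructed sample input: the two audit lines shown in the reply above, as rsyslog wrote them.
SAMPLE_LINES = [
    "Dec 16 08:46:10 nac1 CISE_Administrative_and_Operational_Audit 0000000224 1 0 "
    "2021-12-16 08:46:10.039 +10:00 0000902175 51002 NOTICE Administrator-Login: "
    "Administrator logged off, ConfigVersionId=187, AdminInterface=GUI, "
    "AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, "
    "OperationMessageText=User logged out,",
    "Dec 16 08:46:21 nac1 CISE_Administrative_and_Operational_Audit 0000000225 1 0 "
    "2021-12-16 08:46:21.198 +10:00 0000902190 51001 NOTICE Administrator-Login: "
    "Administrator authentication succeeded, ConfigVersionId=187, AdminInterface=GUI, "
    "AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, "
    "OperationMessageText=Administrator authentication successful,",
]

# Field names are assumed from the visible lines (rsyslog stamp, host, ISE category, message id,
# segment count/index, ISE timestamp, sequence, message code, severity, message class, body).
HEADER_RE = re.compile(
    r"^(?P<rsyslog_time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<category>CISE_\S+) "
    r"(?P<msg_id>\d+) (?P<segments>\d+) (?P<segment>\d+) "
    r"(?P<ise_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) "
    r"(?P<sequence>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) (?P<msg_class>[^:]+): (?P<body>.*)$"
)

def parse_ise_event(line):
    """Return header fields plus the key=value attributes, or None for a non-ISE line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    body = event.pop("body")
    # Body is "<message text>, key=value, key=value, ..." with a trailing comma;
    # values containing commas are not handled by this simple split.
    parts = [p.strip() for p in body.split(",")]
    event["text"] = parts[0]
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            event[key] = value
    return event

def severity_counts(lines):
    """Events per severity; a non-zero NOTICE count shows the target is receiving them."""
    return Counter(e["severity"] for e in map(parse_ise_event, lines) if e)

def admin_gui_logins(lines):
    """Successful GUI admin logins (message code 51001 in the lines above) as (admin, source IP, ISE time)."""
    return [(e["AdminName"], e["AdminIPAddress"], e["ise_time"])
            for e in map(parse_ise_event, lines)
            if e and e["code"] == "51001" and e.get("AdminInterface") == "GUI"]
```

Feed the parser the lines from /var/log/isesyslog.log instead of SAMPLE_LINES to check a live collector.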