Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1084
Views
5
Helpful
1
Replies

Don't see option to send 'NOTICE' level events to External Syslog

PradeepSingh
Level 1
Level 1

‎10-21-2021 05:34 AM

Hi,

 

We are not getting 'NOTICE' severity level events in External Syslog server from Cisco ISE. We understand it should be able if we select 'INFO' level while defining the targets since there is no option to select 'NOTICE'. Since we see some logs from ISE, we are sure syslog traffic is not blocked in the path.

 

Thanks in advance.

0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎12-15-2021 02:51 PM

Hello

 

It should work.

 

what version of ISE?

 

I am using ISE 2.7 patch 6 and my syslog server is Ubuntu 20.04 LTS running the default rsyslog daemon.

In ISE I added my Ubuntu server as LOCAL6 facility and UDP/514

In the Logging Categories I added this remote logging target for "Administrative and Operational Audit" to log every time I log into the ISE Admin GUI.

 

Dec 16 08:46:10 nac1 CISE_Administrative_and_Operational_Audit 0000000224 1 0 2021-12-16 08:46:10.039 +10:00 0000902175 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=User logged out,
Dec 16 08:46:21 nac1 CISE_Administrative_and_Operational_Audit 0000000225 1 0 2021-12-16 08:46:21.198 +10:00 0000902190 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=Administrator authentication successful,

My /etc/rsyslog.conf had a few tweaks to allow UDP/514 and also to log local6.notice

 

All operations run as root user:

 

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")


# Rules
local6.notice   /var/log/isesyslog.log

I made a local file to log the results for this test

touch /var/local/isesyslog.log
chown syslog:adm /var/local/isesyslog.log

 

Then restart the daemon

systemctl restart rsyslog

and tail the results

 

tail -f /var/log/isesyslog.log

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents