Hello
It should work.
What version of ISE?
I am using ISE 2.7 patch 6 and my syslog server is Ubuntu 20.04 LTS running the default rsyslog daemon.
In ISE I added my Ubuntu server as LOCAL6 facility and UDP/514.
In the Logging Categories I added this remote logging target for "Administrative and Operational Audit" to log every time I log into the ISE Admin GUI.
Dec 16 08:46:10 nac1 CISE_Administrative_and_Operational_Audit 0000000224 1 0 2021-12-16 08:46:10.039 +10:00 0000902175 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=User logged out,
Dec 16 08:46:21 nac1 CISE_Administrative_and_Operational_Audit 0000000225 1 0 2021-12-16 08:46:21.198 +10:00 0000902190 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=Administrator authentication successful,
My /etc/rsyslog.conf had a few tweaks to allow UDP/514 and also to log local6.notice.
All operations run as root user:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# Rules
local6.notice /var/log/isesyslog.log
I made a local file to log the results for this test:
touch /var/log/isesyslog.log
chown syslog:adm /var/log/isesyslog.log
Then restart the daemon:
systemctl restart rsyslog
And tail the results:
tail -f /var/log/isesyslog.log
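
Added example, not part of the original post: a Python parser for the two audit records shown above, plus a check that reports successful Admin GUI logins from source addresses outside an expected management range. The header field labels, the function names and the allowed networks are this example's own assumptions; the log lines and message codes are the ones in the post.

```python
import ipaddress
import re

# The two audit records shown in the post above, as rsyslog wrote them.
SAMPLE = [
    "Dec 16 08:46:10 nac1 CISE_Administrative_and_Operational_Audit 0000000224 1 0 2021-12-16 08:46:10.039 +10:00 0000902175 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=User logged out,",
    "Dec 16 08:46:21 nac1 CISE_Administrative_and_Operational_Audit 0000000225 1 0 2021-12-16 08:46:21.198 +10:00 0000902190 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=187, AdminInterface=GUI, AdminIPAddress=10.2.13.10, AdminSession=AdminGUI_Session, AdminName=abier, OperationMessageText=Administrator authentication successful,",
]

# Group names are this example's own labels for the positional header fields.
HEADER = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<category>CISE_\S+) "
    r"(?P<msg_id>\d+) (?P<total_segments>\d+) (?P<segment>\d+) "
    r"(?P<ise_ts>\d{4}-\d\d-\d\d [\d:.]+ [+-]\d\d:\d\d) (?P<sequence>\d+) "
    r"(?P<code>\d+) (?P<severity>[A-Z]+) (?P<msg_class>[^:]+): (?P<rest>.*)$"
)
ATTR_SPLIT = re.compile(r",\s*(?=[A-Za-z][\w-]*=)")  # split only before key=
LOGIN_OK = "51001"  # code on the "authentication succeeded" line in the post

def parse_ise_audit(line):
    """Return a dict for one ISE audit line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    text, *pairs = ATTR_SPLIT.split(rec.pop("rest").rstrip(", "))
    rec["text"] = text
    rec["attrs"] = dict(p.split("=", 1) for p in pairs)
    return rec

def unexpected_admin_logins(lines, allowed_nets):
    """Successful admin logins whose AdminIPAddress is outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        rec = parse_ise_audit(line)
        ip = rec["attrs"].get("AdminIPAddress") if rec else None
        if ip is None or rec["code"] != LOGIN_OK:
            continue
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            hits.append((rec["ise_ts"], rec["attrs"].get("AdminName"), ip))
    return hits

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_ise_audit(entry))
```

To run it against the live file, pass the lines of /var/log/isesyslog.log instead of SAMPLE, with the management subnets that are expected to reach the Admin GUI.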