
Extend logging for radius live logs in ISE

ryan14
Level 1

Is there a way to extend logging for radius logs on ISE 2.6? I have tried going to admin -> logging -> log settings and changing the default to 30 days but my live logs for radius do not appear to be using that setting. I also tried pointing ISE to my external syslog but do not see any messages being sent to it. Is there somewhere else I should be looking to set either function?

5 Replies

Greg Gibbs
Cisco Employee

The ISE appliances have a finite amount of storage to use for local logs. They operate like a ring buffer in which the older logs are deleted to make room for new logs.

You should be using an external syslog server for historical logging/reporting. See the following example for how to configure ISE to send the necessary logs to an external server:

Integrating ISE with Splunk for Reporting 

 

Damien Miller
VIP Alumni
Worth asking, but are you using the advanced filters on the reports with a date range longer than 30 days? The drop down presets don't provide more than 30 days since that's the default log retention anyways.

Another aspect to this is storage; as Greg mentioned, there is finite storage for log retention. If you don't have enough storage, then ISE will ignore the number of days set and start purging the oldest logs to keep enough disk space free. You can check this in the admin > maintenance > operational data purging menu too. If you hover over the usage bar, it will give you some additional info.
https://<ise pan ip>/admin/#administration/administration_system/administration_system_backup/data_purging

Greg's Splunk reference link will walk you through setting up the categories of syslogs you want to export.

Yeah, part of it was user error on my part. I didn't realize the reports pulled data from a longer period compared to live radius logs.

 

The retention options you pointed out are definitely helpful. If I enable a repository, can ISE search that for reporting for something longer than the configured retention period? Or does ISE purge data stored locally + what has been sent to repository?

 

Also, do the logs not show times in daylight savings? I am using the latest patch 6 on 2.6. I verified via the CLI the timezone is set correctly.

A repository is just an external file storage location (FTP, TFTP, etc) on which ISE can store scheduled or manually run reports. Once ISE stores the reports in the requested format (PDF, CSV), it has no ability to parse/query or control the retention for those reports. You would need to use additional tools to parse the data in the reports and control data retention for those reports.

The amount of reportable data that the MnT node can store depends on the ISE version and disk size. See the ISE Performance & Scale page for MnT log retention estimations.

 

For the time issue, there have been a few bugs fixed related to time including the one below that is listed as fixed in patch 7. You might update to patch 7 to see if the issue is resolved or contact TAC if not.

CSCvt08143 

‘clock timezone EST5EDT’ in config mode in ISE SSH console will update logs with daylight savings. As to why that isn't an option in the GUI is beyond me. It will reboot services, so do it after hours.