
Forwarding ISE Authentication Logging to Splunk

fdharmawan
Level 4

Hi Guys,

I want to forward Cisco ISE authentication logging to Splunk. The goal is to capture the authentication success from endpoints to ISE.

So far I have already configured the Splunk IP and port on Remote Logging Targets and added it to AAA Audit's Targets column. There are logs that are forwarded to ISE, but they only contain purging messages, not the authentication messages I wanted. Below is an example of the log.

<182>Jun 25 05:40:27 ISE_Hostname CISE_MONITORING_DATA_PURGE_AUDIT 2020-06-25 04:52:10.062 +0700 60198 INFO null: MnT purge event occurred, MESSAGE=purging Tacacs data older than 26-MAY-20,

Is there any way to forward the AAA logs to Splunk? I am using ISE version 2.3.0.298. Thank you.

1 Reply

Mike.Cifelli
VIP Alumni
Make sure you update the logging categories in ISE to add the new target (Splunk). This should assist you in your journey: http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk
HTH!