Forwarding ISE Authentication Logging to Splunk

Hi Guys,

I want to forward Cisco ISE authentication logging to Splunk. The goal is to capture the authentication success from endpoints to ISE.

So far I have already configured the Splunk IP and port in Remote Logging Targets and added it to AAA Audit's Targets column. There are logs that are forwarded to ISE, but they only contain purging messages, not the authentication messages I wanted. Below is an example of the log.

<182>Jun 25 05:40:27 ISE_Hostname CISE_MONITORING_DATA_PURGE_AUDIT 2020-06-25 04:52:10.062 +0700 60198 INFO null: MnT purge event occurred, MESSAGE=purging Tacacs data older than 26-MAY-20,

Is there any way to forward the AAA logs to Splunk? I am using ISE version 2.3.0.298. Thank you.

Re: Forwarding ISE Authentication Logging to Splunk

Make sure you update the logging categories in ISE to add the new target (Splunk). This should assist you in your journey: http://www.network-node.com/blog/2017/7/2/integrating-ise-with-splunk
HTH!
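Added example, not part of the original thread: a small Python check that tallies the ISE category tag of each syslog line received at the collector, to confirm whether authentication categories are arriving after the logging categories are updated. It assumes `CISE_Passed_Authentications` and `CISE_Failed_Attempts` are the tags ISE uses for those two categories; apart from the purge line quoted in the question, the sample lines are constructed.

```python
import re
from collections import Counter

# Layout seen in the thread: <PRI>Mon DD HH:MM:SS host CISE_<category> message
ISE_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<category>CISE_\w+) (?P<body>.*)$"
)

# Assumption: tags for the Passed Authentications / Failed Attempts categories.
AUTH_TAGS = {"CISE_Passed_Authentications", "CISE_Failed_Attempts"}

def parse(line):
    """Split one ISE syslog line into fields; return None if it does not match."""
    m = ISE_LINE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "host": m.group("host"),
        "category": m.group("category"),
        "body": m.group("body"),
    }

def summarize(lines):
    """Count lines per category and report whether any auth category was seen."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
        else:
            counts[rec["category"]] += 1
    return {"counts": dict(counts), "unparsed": unparsed,
            "auth_seen": any(tag in counts for tag in AUTH_TAGS)}

# First line is the one quoted in the question; the second is constructed.
PURGE = ("<182>Jun 25 05:40:27 ISE_Hostname CISE_MONITORING_DATA_PURGE_AUDIT "
         "2020-06-25 04:52:10.062 +0700 60198 INFO null: MnT purge event occurred, "
         "MESSAGE=purging Tacacs data older than 26-MAY-20,")
PASSED = ("<181>Jun 25 05:41:02 ISE_Hostname CISE_Passed_Authentications "
          "constructed sample body, UserName=example-user,")

if __name__ == "__main__":
    print("before:", summarize([PURGE]))          # only purge audit arrives
    print("after: ", summarize([PURGE, PASSED]))  # auth category now present
```

Run `summarize` over a capture of what the Splunk input actually receives; `auth_seen` staying false means the authentication categories still lack the remote target.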