How to work with ISE log files

Mr. Bash
Level 1

Hi all!

I am looking for some guidance on the best way to offload local logs from ISE to an SFTP location. For instance, I can see the localstore log via the command below.

ISE_PAN/admin# show logging application | inc localStore
5177204 Mar 06 2024 20:36:33 localStore/iseLocalStore.log

How do I reference that log file if I want to export it to an SFTP server? I know you can export the logs via the GUI, but I'm looking for a quick way to get direct access to the log file so that it can be parsed/processed/analyzed. I'm looking for different ways to get alerted to suspicious activity, such as someone logging into the environment using the local admin account often, or many unsuccessful ssh/https login attempts, etc. I know in some cases I'll be working with the alarms that are built into the administrative area of the GUI, but I also just wanted to be more familiar with how to work with the log files themselves.

Thanks for any advice!

 

1 Reply

Pulkit Mittal
Spotlight

This is where the SIEM will come in handy: set up the SIEM as the remote logging target.

In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets and Add Target. And then you can select the categories that you need.

  • AAA Audit
  • Failed Attempts
  • Passed Authentications
  • AAA Diagnostics
  • Accounting
  • RADIUS Accounting
  • Administrative and Operational Audit
  • Posture and Client Provisioning Audit
  • Posture and Client Provisioning Diagnostics
  • MDM
  • Profiler
  • System Diagnostics
  • System Statistics

If you find this solution useful, please mark it helpful & accept the solution.
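
The kind of check asked about in the question (one admin account failing to log in many times in a short period), run over messages a remote logging target has received. This is an added example, not part of the thread and not Cisco code: the line layout, the message text and the AdminName / AdminIPAddress attribute names are assumptions to adjust to the messages your target actually receives, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, NOT real ISE output.
# Assumed layout: "<date> <time> <host> <category> <message>, key=value, ..."
SAMPLE = """\
2024-03-06 20:36:01 ise-pan Administrative_and_Operational_Audit Administrator authentication failed, AdminName=admin, AdminIPAddress=192.0.2.10
2024-03-06 20:36:40 ise-pan Administrative_and_Operational_Audit Administrator authentication failed, AdminName=admin, AdminIPAddress=192.0.2.10
2024-03-06 20:37:05 ise-pan Administrative_and_Operational_Audit Administrator authentication succeeded, AdminName=jdoe, AdminIPAddress=198.51.100.7
2024-03-06 20:37:30 ise-pan Administrative_and_Operational_Audit Administrator authentication failed, AdminName=admin, AdminIPAddress=192.0.2.10
2024-03-06 20:38:00 ise-pan Administrative_and_Operational_Audit Administrator authentication failed, AdminName=admin, AdminIPAddress=192.0.2.10
2024-03-06 20:50:00 ise-pan Administrative_and_Operational_Audit Administrator authentication failed, AdminName=admin, AdminIPAddress=203.0.113.5
garbage line
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")

def parse(line):
    """Split one line into time, host, category, message and key=value attributes."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # skip lines that do not match the assumed layout
    ts, host, category, rest = m.groups()
    parts = [p.strip() for p in rest.split(",")]
    attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "category": category, "message": parts[0], "attrs": attrs}

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (admin, source_ip, time) each time a pair reaches `threshold` failures in `window`."""
    recent = defaultdict(deque)  # (admin, source ip) -> failure times, oldest first
    alerts = []
    for line in lines:  # lines are assumed to arrive in time order
        ev = parse(line)
        if ev is None or "authentication failed" not in ev["message"].lower():
            continue
        key = (ev["attrs"].get("AdminName", "?"), ev["attrs"].get("AdminIPAddress", "?"))
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) == threshold:  # alert on reaching the threshold, not on every later failure
            alerts.append((key[0], key[1], ev["time"]))
    return alerts
```
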