Solved: Is it still relevant to send switch syslogs to ISE 2.x/3.x?

Arne Bier · ‎08-30-2022

Hello,

Anyone know exactly what the benefit was of configuring a Cisco switch to send the switch SYSLOGs to ISE?

I see it mentioned in older documentation and blogs:

What did ISE do with those SYSLOGs? Does this add any information to the LiveLogs, or Endpoint debugs etc.?

Is there any benefit in sending SYSLOGs to ISE 2.x/3.x ?

regards

Arne

Greg Gibbs · ‎09-01-2022

Sending switch syslog to ISE was only ever to aid in troubleshooting. I think the consumed syslog data would supplement some of the reports or troubleshooting tools, but I never really found it useful. The only real detail I can find is in the old 2.1 'TrustSec How-To Guide' that I still have saved.

Syslog may be generated on Cisco IOS® Software in many events. Some of the syslog messages can be sent to Cisco ISE to be used for troubleshooting.
...

Set up standard logging functions on the switch to support possible troubleshooting / recording for Cisco ISE functions. The Enforcement Policy Module (EPM) is a part of the Cisco IOS Software responsible for features such as web authentication and downloadable ACL.
Enabling EPM logging generates a syslog related to downloadable ACL authorization, and part of the log can be correlated inside Cisco ISE when such logs are sent to Cisco ISE.
...
Only the following NAD syslog messages are actually collected and used by Cisco ISE:
- AP-6-AUTH_PROXY_AUDIT_START
- AP-6-AUTH_PROXY_AUDIT_STOP
- AP-1-AUTH_PROXY_DOS_ATTACK
- AP-1-AUTH_PROXY_RETRIES_EXCEEDED
- AP-1-AUTH_PROXY_FALLBACK_REQ
- AP-1-AUTH_PROXY_AAA_DOWN
- AUTHMGR-5-MACMOVE
- AUTHMGR-5-MACREPLACE
- MKA-5-SESSION_START
- MKA-5-SESSION_STOP
- MKA-5-SESSION_REAUTH
- MKA-5-SESSION_UNSECURED
- MKA-5-SESSION_SECURED
- MKA-5-KEEPALIVE_TIMEOUT
- DOT1X-5-SUCCESS / FAIL
- MAB-5-SUCCESS / FAIL
- AUTHMGR-5-START / SUCCESS / FAIL
- AUTHMGR-SP-5-VLANASSIGN / VLANASSIGNERR
- EPM-6-POLICY_REQ
- EPM-6-POLICY_APP_SUCCESS / FAILURE
- EPM-6-IPEVENT:
- DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
- RADIUS-4-RADIUS_DEAD

View solution in original post

Marcelo Morais · ‎09-01-2022

Hi @Arne Bier ,

I understand that your question is related to "benefits", but I would like to add that:

" ... As a best practice, do NOT configure Network Devices to send Syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) Node as this could result in the loss of some Network Access Device (NAD) Syslogs, and overloads the MnT Servers resulting in loading issues... " (please take a look at ISE Administration Guide).

Hope this helps !!!

View solution in original post

Greg Gibbs · ‎09-01-2022

Sending switch syslog to ISE was only ever to aid in troubleshooting. I think the consumed syslog data would supplement some of the reports or troubleshooting tools, but I never really found it useful. The only real detail I can find is in the old 2.1 'TrustSec How-To Guide' that I still have saved.

Syslog may be generated on Cisco IOS® Software in many events. Some of the syslog messages can be sent to Cisco ISE to be used for troubleshooting.
...

Set up standard logging functions on the switch to support possible troubleshooting / recording for Cisco ISE functions. The Enforcement Policy Module (EPM) is a part of the Cisco IOS Software responsible for features such as web authentication and downloadable ACL.
Enabling EPM logging generates a syslog related to downloadable ACL authorization, and part of the log can be correlated inside Cisco ISE when such logs are sent to Cisco ISE.
...
Only the following NAD syslog messages are actually collected and used by Cisco ISE:
- AP-6-AUTH_PROXY_AUDIT_START
- AP-6-AUTH_PROXY_AUDIT_STOP
- AP-1-AUTH_PROXY_DOS_ATTACK
- AP-1-AUTH_PROXY_RETRIES_EXCEEDED
- AP-1-AUTH_PROXY_FALLBACK_REQ
- AP-1-AUTH_PROXY_AAA_DOWN
- AUTHMGR-5-MACMOVE
- AUTHMGR-5-MACREPLACE
- MKA-5-SESSION_START
- MKA-5-SESSION_STOP
- MKA-5-SESSION_REAUTH
- MKA-5-SESSION_UNSECURED
- MKA-5-SESSION_SECURED
- MKA-5-KEEPALIVE_TIMEOUT
- DOT1X-5-SUCCESS / FAIL
- MAB-5-SUCCESS / FAIL
- AUTHMGR-5-START / SUCCESS / FAIL
- AUTHMGR-SP-5-VLANASSIGN / VLANASSIGNERR
- EPM-6-POLICY_REQ
- EPM-6-POLICY_APP_SUCCESS / FAILURE
- EPM-6-IPEVENT:
- DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
- RADIUS-4-RADIUS_DEAD

Marcelo Morais · ‎09-01-2022

Hi @Arne Bier ,

I understand that your question is related to "benefits", but I would like to add that:

" ... As a best practice, do NOT configure Network Devices to send Syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) Node as this could result in the loss of some Network Access Device (NAD) Syslogs, and overloads the MnT Servers resulting in loading issues... " (please take a look at ISE Administration Guide).

Hope this helps !!!

Arne Bier · ‎09-01-2022

thanks @Marcelo Morais - when they use words like "could result" then I am still none the wiser.

and if you read further below, the guide contradicts itself

If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:

<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>

Otherwise, this might impact functionalities that depend on the NAS IP address.

It's probably safe to say that nobody should do this because it's a legacy feature and the world was a different place when ISE 1.x was around.

Arne Bier · ‎09-01-2022

thanks @Greg Gibbs - those events look quite useful to be honest. But if they are buried somewhere in text file logs (and not enhancing the Web UI user experience) then it's probably not worth bothering with.