ISE and complete SYSLOG message list for clever event management

Arne Bier
VIP

Hello

 

My customer wants to monitor their ISE deployment more closely and we have recommended enabling more ISE Logging Categories, especially for issues that could cause business impact.  Recently one of their ISE appliances stopped processing Radius because of a disk full issue.  It was just one SYSLOG in a sea of millions and was not spotted in time - even if it had been spotted, the 1st line guys/gals may not understand the impact or who to inform next.  The goal is to focus on the top 45 critical ones (in my opinion) and to create some logic for their Manager of Managers. 

 

I was looking for the canonical list of ISE SYSLOG messages and came across an ancient Excel for ISE 2.0. Is there anything newer than this Excel (for ISE 2.4?) because I have logged quite a few SYSLOG event messages that are not listed, or have no Message Code in that Excel. 

 

At the moment I am reverse engineering ISE to compile my own list of text strings that I can give to the Operations Team for their SYSLOG application filtering.  The final goal is to group and classify these alarms and create some automated rules about escalation paths etc.  - it's very tedious though.  I would appreciate it if anyone else has done a similar exercise - or if not, does anyone have access to their SYSLOG server and can perform a quick grep of any "CISE_Alarm CRITICAL" and send those over to me? You might be surprised about what's in there ;)

I am spending time torturing ISE to provoke all these error conditions - but I wish I didn't have to.

 

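As an added illustration of the filtering and grouping the post describes (not code from the thread or from Cisco), the following Python picks out `CISE_Alarm` lines from a syslog feed, keeps only CRITICAL ones, dedupes repeats per message text, and maps them to an owning team. The sample lines and the escalation map are constructed for the example; the real ISE alarm body layout is not reproduced.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the general shape of ISE syslog output:
# "<pri>timestamp host CISE_Alarm <SEVERITY>: free-text alarm body".
# Non-alarm categories (e.g. CISE_Passed_Authentications) must be ignored.
SAMPLE_SYSLOG = """\
<181>Oct 26 10:07:00 ise-pan01 CISE_Alarm CRITICAL: Disk space usage on /opt exceeded threshold
<181>Oct 26 10:07:05 ise-psn02 CISE_Passed_Authentications 0000012345 1 0 constructed payload
<181>Oct 26 10:08:10 ise-psn02 CISE_Alarm WARNING: Log collection error on node ise-psn02
<181>Oct 26 10:09:00 ise-pan01 CISE_Alarm CRITICAL: Disk space usage on /opt exceeded threshold
<181>Oct 26 10:10:00 ise-psn03 CISE_Alarm CRITICAL: RADIUS request dropped
"""

ALARM_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"CISE_Alarm\s(?P<sev>[A-Z]+):\s(?P<msg>.*)$"
)

# Hypothetical escalation map: substring of the alarm text -> owning team.
# This grouping is an illustration, not an ISE-defined taxonomy.
ESCALATION = {
    "Disk space": "platform-oncall",
    "RADIUS": "network-access-oncall",
}


def parse_alarms(text):
    """Return the CISE_Alarm lines as dicts; every other category is skipped."""
    return [m.groupdict() for m in map(ALARM_RE.match, text.splitlines()) if m]


def classify(msg):
    """Pick the first matching team for an alarm body, else 'unclassified'."""
    for needle, team in ESCALATION.items():
        if needle.lower() in msg.lower():
            return team
    return "unclassified"


def critical_summary(text):
    """Group CRITICAL alarms by message text with counts, hosts and escalation target."""
    counts, hosts = Counter(), defaultdict(set)
    for a in parse_alarms(text):
        if a["sev"] == "CRITICAL":
            counts[a["msg"]] += 1
            hosts[a["msg"]].add(a["host"])
    return {msg: {"count": n, "hosts": sorted(hosts[msg]), "escalate_to": classify(msg)}
            for msg, n in counts.items()}


if __name__ == "__main__":
    for msg, info in critical_summary(SAMPLE_SYSLOG).items():
        print(f"{info['count']}x {msg} on {','.join(info['hosts'])} -> {info['escalate_to']}")
```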

18 Replies

Nadav
Level 7

Hey @Arne Bier,

 

Any chance a kind soul at Cisco provided you with a full list of syslogs? You'd think someone over there keeps track of these things :)

Hsing from Cisco replied on this thread on 2018-10-26 10:07 AM with an XML file.  But it does not contain all of the Alarm events.  It was partially helpful.  

I think the XML is the proper way to implement this function in ISE - but there are Alarms whose debug mode has been hard coded - so that probably means a lot of re-work to retrofit that into the XML. 

Reviving a not so old thread (as I'm in the exact same situation as some people that have come across this), would this work for our purposes?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs/Cisco_ISE_Syslogs_chapter_01.html

 

I know it's for ISE 2.6 but perhaps most of it (if not all) would apply for 2.4 as well.

 

I haven't checked my syslog files against this, but the page came in when I searched Google for a very specific message in the log files, so that could be it.

 

That's a very handy link. If memory serves me, the list you mention contains the most common events but there are events that don't have a syslog "number" and seem to be hard coded into the ISE code. I mostly had trouble with those.

 

Thanks for adding this to this thread :)