cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1837
Views
8
Helpful
1
Replies
Highlighted
VIP Advisor

ISE and local logs - best practice advice

Hello

I am looking for some best practice advice.  My aim is to minimise the amount of logging done on a node (for the purposes of TAC debugging etc.) whilst allowing me to still see what I need to see via Reports, Live Log, Live Sessions etc in the GUI.  Am I correct in saying that the "Local Logging" tick box shown below is NOT used for the purposes of displaying useful information in the GUI (e.g. Live Logs, Reporting etc.) and rather, it's a debugging tool for advanced troubleshooting on the node's CLI?  If so, it should be quite harmless to disable this on all Logging Categories, right?  If I have a TAC case I am happy to enable this for debugging.  But it seems overkill to have this running all over the place.

My understanding is that in the case of the Logging Category shown below (Passed Authentications) the PSN sends events to MnT via Syslog and then the PAN should request that data from the MnT when needed.  Which again begs the question, why do I need this in the local logs too?

What is meant by "local" anyway, since this is a global setting?  Does it mean it will just log in the relevant cases (e.g. Passed Authentications will only create logs on a PSN where Policy Service is enabled?)

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Local Logging is going to the local file system localStore/iseLocalStore.log on each ISE node.

myISE/admin# show logging application | inc localStore

       5410 Jun 18 2018 00:04:44  localStore/iseLocalStore.log

    1009698 Jun 17 2018 23:55:42  localStore/iseLocalStore.log.2018-06-17-00-00-00-340

The default settings are usually good enough and not generating too much and the default local log settings is to keep up to 1 day.

It's good to have some local logs because we may refer to them in an ISE support bundle to check events and not needing to get copies of the M&T reports. They are also useful in case MnT nodes having some problem.

View solution in original post

1 REPLY 1
Highlighted
Cisco Employee

Local Logging is going to the local file system localStore/iseLocalStore.log on each ISE node.

myISE/admin# show logging application | inc localStore

       5410 Jun 18 2018 00:04:44  localStore/iseLocalStore.log

    1009698 Jun 17 2018 23:55:42  localStore/iseLocalStore.log.2018-06-17-00-00-00-340

The default settings are usually good enough and not generating too much and the default local log settings is to keep up to 1 day.

It's good to have some local logs because we may refer to them in an ISE support bundle to check events and not needing to get copies of the M&T reports. They are also useful in case MnT nodes having some problem.

View solution in original post

Content for Community-Ad