Solved: Re: ISE local logs purge settings

fepetruz · ‎08-09-2017

Hi,

I would like to clarify with a behavior related to the local logs purge settings, as from following link:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01010.html#task_45D4F2EFA1D9486093DFD2F3B44AC165

We are using the “local Log Storage Period” and “Delete Logs Now” settings, but the logs are not removed. Based on several trials into the GUI, we are observing that the logs are deleted only if the storage is full. Otherwise the logs are not deleted.

Based on that, the question is: Using the above local logs settings, is it true that local log is not removed until the log space reach the threshold?

From the admin guide I understand that when you set a purge time, or especially if you use the setting “Delete Logs Now”, it should delete the logs, independently from the storage space.

The concern come from the need to delete all the Guest information from ISE every X days. We know this is possible thanks to the "Schedule purge of expired guest accounts”, but in the following admin guide (https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html#ID1242) is well explained that "When expired guest accounts are purged, the associated endpoints and reporting and logging information are retained”.

This is the reason why we are looking for the local logs purge settings, because of the need to automatically delete ALL the Guest info in ISE, also the reporting and logging Guest information.

Thanks in advance for your support.

Jason Kunst · ‎08-09-2017

I am researching but your initial findings sound correct.

The disk would be full before cleaning it out, this way we are able to keep the max amount of logs as possible before customers have to think about an external system to keep more of the logs for their retention policy.

View solution in original post

Jason Kunst · ‎08-09-2017

I am researching but your initial findings sound correct.

The disk would be full before cleaning it out, this way we are able to keep the max amount of logs as possible before customers have to think about an external system to keep more of the logs for their retention policy.

Jason Kunst · ‎08-09-2017

keep in mind

localStore logs are local copies of events that sending over to M&T. They are good for debugging.

usually we keep 7 days only.

fepetruz · ‎08-10-2017

Thanks for the help!

So you confirm that even using the "Delete Logs Now" option for example, it doesn't delete the logs in that moment (now), but we have to wait anyway that the memory will be full?

It seems weird to me because in this way these settings (also the "local Log Storage Period") are not useful anymore, but trying to play with it seems to be like that.

Could I ask then, is there any alternative way to automatically delete the logs without waiting that the memory become full?

Thanks again!

hslai · ‎08-10-2017

See my response to Guest account data privacy concern

Arne Bier · ‎03-28-2018

Hi Frederico

did you ever get a satisfactory answer to your question? I am on the same page as you. My nodes are becoming logging graveyards and I cannot purge these things via the GUI. I was generous enough to create my PAN nodes with 1.2TB of data (stupid, right ?) and now it seems to cause ISE to retain my logs forever since I have so much disk space.

The problem is that logs are contained inside config backups (now that is really stupid). And every config backup I make contains months worth of logs that nobody needs.

In my mind, a "purge all data now" means exactly that.

If I rebuild my ISE nodes for ISE 2.4 "upgrade" then I will make them 200GB - saves resources too.

I don't need GB's of Java heap errors logged for any reason.

hslai · ‎03-28-2018

We have some log-rotation bugs and most of them have been resolved in patch releases, such as CSCva95303.

Regarding the CFG backups with logs, it's a known issue -- CSCuq59764.

As mentioned in other comments, the web UI options are for operational data and iseLocalStore log files but not for debug log files. Please open a Cisco TAC case so TAC may help purging the debug log files.

Arne Bier · ‎04-02-2018

Hi

regarding known issue CSCuq59764, this has been around since ISE 1.2 - what are the chances of getting this sorted? Is the intention to create a Config Backup that does not contain any logs? That would be great.

regards

Arne

Beacon Bits · ‎12-06-2018

Is there any solution we have to this at the end, let me guess NO!

I'm running ISE 2.4 in cluster and Primary getting disconnected because of logs are full.

What other ways we have to delete logs?

Please help!

Regards,

B

Surendra · ‎12-06-2018

I would suggest you start a new thread with details such as show disks output from the effected node. 2.4 have no known disk full issues as such AFAIK.