08-31-2017 08:41 AM
I am looking for a document that explains the following.
- What activities are covered by the “Accounting” and “Administrative and Operational Audit” logging categories?
- Which of the events logs the changes to ISE profiling policies, registered MAC addresses (MAB), dACLs, SGTs?
- Which logs account for the creation of new local accounts? The modification of access rights for accounts?
- Which log identifies when an ISE log is “cleared”?
- Can the ISE logs distinguish between actions performed by human accounts versus system accounts?
Accepted Solutions
08-31-2017 09:41 AM
Many generic items so assume you are responding to RFP or other tender.
Recommend start here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011011.html#ID1116
Many reports available to track changes and any relevant event under Operations > Reports > Audit
Auth events will track the assignment of dACL or SGT. MAB is an auth event, not a config event. Not all config changes are detailed. When config is changed, you may trigger a config audit event against that admin, but it may not spell out the exact detail of every change. Debug logs can track minute changes to the system, but it is not common or recommended to keep those enabled.
Log purging:
60198 MnT purge event occurred
Not clear on ask of human vs system accounts. The creds presented will represent identity. In some cases the access method may help dictate such as API vs UI.
Craig
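
As an added example (not part of the original replies and not Cisco's code), one way to act on two pointers from the accepted answer once ISE logs are forwarded to a collector: alert on message code 60198 and tally admin events by access method. The line layout, the category name's placement, the `AdminName` and `AdminInterface` field names, code 99001 and every sample line are constructed assumptions; adapt the parser to the format your deployment actually emits.

```python
import re
from collections import Counter

PURGE_CODE = "60198"  # code the answer gives for "MnT purge event occurred"

# Constructed sample lines in a simplified layout (assumption, not captured ISE output):
# "<timestamp> <host> <category> <code> <severity> <text>, key=value, ..."
SAMPLE = """\
2017-08-31T09:40:02Z ise01 Administrative_and_Operational_Audit 99001 NOTICE Example config change, AdminName=jsmith, AdminInterface=GUI
2017-08-31T09:40:10Z ise01 Administrative_and_Operational_Audit 99001 NOTICE Example config change, AdminName=svc-provision, AdminInterface=API
2017-08-31T09:41:00Z ise01 Administrative_and_Operational_Audit 60198 NOTICE MnT purge event occurred
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<category>\S+) "
    r"(?P<code>\d{5}) (?P<sev>\S+) (?P<rest>.*)$")

def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    text, *pairs = ev.pop("rest").split(", ")
    ev["text"] = text
    ev["attrs"] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return ev

def review(lines):
    """Collect purge events, count admin events per (account, interface), count unparsed lines."""
    purges, by_interface, skipped = [], Counter(), 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            skipped += 1  # surface unparsed lines instead of silently dropping them
            continue
        if ev["code"] == PURGE_CODE:
            purges.append((ev["ts"], ev["host"]))
        iface = ev["attrs"].get("AdminInterface")  # hypothetical field name
        if iface:
            by_interface[(ev["attrs"].get("AdminName", "?"), iface)] += 1
    return purges, dict(by_interface), skipped

if __name__ == "__main__":
    purges, by_interface, skipped = review(SAMPLE.splitlines())
    print("purge events:", purges)
    print("admin events by (account, interface):", by_interface, "unparsed:", skipped)
```

A purge event with no matching change ticket, or an interactive-looking account appearing only on the API interface, is the kind of result worth a closer look in the Audit reports.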
