cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

328
Views
0
Helpful
1
Replies
Highlighted
Beginner

ISE logging filter

Hi all,

 

we noticed that our operational backup is now up to 25GB large, which is too large from our perspectiv. After some research we found out, that with deploying DNA Center, the amount of authorization log data incrises rapidly. This is because DNAC is collecting a lot of show outputs, when you enable device controlability. This kind of logs have no benefit to us, so we want to implement a filter, which drops all authorization logs from a special user starting with "show". Does someone know, if this is possible and how to configure such a filter?

 

Best regards,

Tobias

1 REPLY 1
Highlighted
VIP Advisor

Most deployments don't back up the operational logs and just accept that in the event of monitoring node failures they just lose the historical logging. Most send the syslogs they want to something like splunk anyways. Losing the operation logs is an admin impact, and not a functional one. 

 

You can filter your TACACS/RADIUS logs in the way you want by setting up a collection filter. You can do this from administration > logging > collection filters.

https://<ise admin ip>/admin/#administration/administration_system/administration_system_logging/collection_filters

 

TACACS filtering will only work if you are on ISE 2.4p6+ or 2.6+. 
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb45390