Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1569
Views
0
Helpful
1
Replies

ISE logging filter

tobiasdreyer
Level 1
Level 1

‎09-04-2020 06:46 AM

Hi all,

 

we noticed that our operational backup is now up to 25GB large, which is too large from our perspectiv. After some research we found out, that with deploying DNA Center, the amount of authorization log data incrises rapidly. This is because DNAC is collecting a lot of show outputs, when you enable device controlability. This kind of logs have no benefit to us, so we want to implement a filter, which drops all authorization logs from a special user starting with "show". Does someone know, if this is possible and how to configure such a filter?

 

Best regards,

Tobias

0 Helpful
1 Reply 1

Damien Miller
VIP Alumni
VIP Alumni

‎09-04-2020 08:55 PM - edited ‎09-04-2020 08:56 PM

Most deployments don't back up the operational logs and just accept that in the event of monitoring node failures they just lose the historical logging. Most send the syslogs they want to something like splunk anyways. Losing the operation logs is an admin impact, and not a functional one. 

 

You can filter your TACACS/RADIUS logs in the way you want by setting up a collection filter. You can do this from administration > logging > collection filters.

https://<ise admin ip>/admin/#administration/administration_system/administration_system_logging/collection_filters

 

TACACS filtering will only work if you are on ISE 2.4p6+ or 2.6+. 
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb45390

 

 

0 Helpful
Customers Also Viewed These Support Documents