
ISE Logging, Retention, and archiving

Steven Williams
Level 4

I am curious to understand more about the options for retaining logs for more than a few days, and what ability there is to archive to something like an S3 bucket.

I am trying to retain about 30-60 days of logs, especially TACACS logins and TACACS command accounting.

What are people doing? I am running ISE 2.2 on VM.

2 Replies

Colby LeMaire
VIP Alumni

Unless you have a small appliance and a crazy amount of activity, the ISE database should be able to hold more than a few days of logging data, unless you have your operational data purging configured to a small number of days. What most customers do is forward Syslog events for authentication to a Syslog server to keep them for audit/compliance reasons. Usually the Security teams want those logs anyway for their SIEM tools. Configure an external Syslog server and then configure which types of logs you want to send to that server.

The other way is to do a daily backup of the operational data to an SFTP, FTP, NFS, or other server/repository. But that data is not as easy to parse as Syslog is. That is more so in case you have to rebuild your ISE environment and want to restore the operational data. Syslog is what you are looking for.

Damien Miller
VIP Alumni

ISE isn't great as a long-term log storage platform; however, you can still modify the length of log storage from the following page.
https://<ise IP>/admin/#administration/administration_system/administration_system_backup/data_purging


You can send logs to an external syslog server, and I would say it is more commonly done than adjusting the internal logging retention period. The downside to the retention period is that ISE will automatically start purging before the days specified if it is running out of storage. This is automated and is there to protect ISE from running out of logging space.

To send logs for remote storage, you would first define a remote log target here.
https://<ise IP>/admin/#administration/administration_system/administration_system_logging/remote_log

Then assign the new log target/server to categories you want to forward here.
https://<ise IP>/admin/#administration/administration_system/administration_system_logging/logging_categories