Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
10
Helpful
3
Replies

ISE operational backup content to syslog instead of backups

Go to solution
wags
Level 1
Level 1

‎07-19-2022 10:03 AM

We found this thread: https://community.cisco.com/t5/network-access-control/ise-operational-backup-content/td-p/4184440  where it indicates that the Operational Data Backup contained basically RADIUS and TACACS logs.

We log most RADIUS and TACACS data to syslog from ISE already, which means that the backups are potentially quite a bit of redundant data, and excess storage usage.

What logging options on ISE would allow us to log all the operational data to syslog and then not worry about the operational data backup at all?  Is that even possible?

We fully understand that sysylog will require different talents to generate reports than the GUI, but we already have talent in shop and would only need to determine the various record layouts.

ISE v3.1+ patches

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎07-19-2022 10:25 AM

This is pretty easy to do and done quite frequently. It won't be done as a backup but as a new syslog exporter.

  1. Create a new remote logging target here https://<your-ise-node>/admin/#administration/administration_system/administration_system_logging/remote_log
    rlt.JPG

  2. Add the new syslog target to the logging categories here https://your-ise-node/admin/#administration/administration_system/administration_system_logging/logging_categories
    lc.JPG

    Depending on what you want to report from the syslog server you will need to enable those logging categories for export. To start you would probably want aaa authentication failed and passed, aaa radius and tacacs accounting as that's the primary data found within the operational backup. 

View solution in original post

3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎07-19-2022 10:25 AM

This is pretty easy to do and done quite frequently. It won't be done as a backup but as a new syslog exporter.

  1. Create a new remote logging target here https://<your-ise-node>/admin/#administration/administration_system/administration_system_logging/remote_log
    rlt.JPG

  2. Add the new syslog target to the logging categories here https://your-ise-node/admin/#administration/administration_system/administration_system_logging/logging_categories
    lc.JPG

    Depending on what you want to report from the syslog server you will need to enable those logging categories for export. To start you would probably want aaa authentication failed and passed, aaa radius and tacacs accounting as that's the primary data found within the operational backup. 

Go to solution
wags
Level 1
Level 1
In response to Damien Miller

‎07-19-2022 10:44 AM

Thanks for the reply!   Do you know where there might be specific Cisco documentation?  Something that we can point to for an auditor who might think differently about the subject?

We have those already set up because we have historically used syslog so heavily. Again thanks!

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to wags

‎07-19-2022 03:47 PM

Hi @wags ,

 please try the following: Cisco ISE Maintain and Monitor, search for Cisco ISE Logging Mechanism.

 

Hope this helps !!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents