ISE SYSLOG message reduction

Arne Bier
VIP

Hello

I have enabled SYSLOG to two remote targets and I see a lot more messages being sent than I'd like to see.

Let's just say the receiving syslog server vendor likes to charge by data volume ... you know who I mean ;-)

My intention is to try to reduce the amount of chaff that is being sent. The image below is a bit high res - but it shows the typical messages I am interested in (highlighted) and the rest is not interesting to me.

Cisco ISE SYSLOG decoded in Wireshark.png

I am also a bit unsure what the "Local Log Level" enable/disable means ... local to what?

I can't seem to find the right settings in ISE to fine tune the messages. I thought it may be under the Debug Log Configuration, because some of the SYSLOGs that I do NOT want to see appear to me to be a result of debugging being enabled. But I have not touched the Debug Level Configurations - not sure how they relate to the actual SYSLOGs that I see.

Anyone got some advice for me please?

1 Accepted Solution


hslai
Cisco Employee

On my phone, I can see you are mainly interested in

  • passed authentications
  • failed attempts
  • RADIUS accounting

Thus, add your targets to those only and remove from the others. You would be getting acct interim updates as they are in the same category as acct start.


Nidhi
Cisco Employee

Hi Arne,

One way to reduce the logs will be to change the log levels of categories which are not of importance to WARN, ERROR or FATAL.

INFO level generates logs for every transaction, config change, and config consumption, which normally you would not care much about if everything works well.

Another way could be to remove the target syslog server from unwanted categories.

At present, as far as I know, we cannot disable any logging category, but you can raise this request with the PM team.

Thanks,

Nidhi

hslai
Cisco Employee

Adding to Nidhi's...

ISE syslog has many categories so please add your targets to the ones you are interested in. Your screenshots are not high enough resolution for me to tell.  Each syslog entry has the category in it; e.g.

Aug 6 10:25:01 HOST/X.X.X.X CISE_Posture_and_Client_Provisioning_Audit 0000062241 4 0 2012-08-06 10:25:01.177 +01:00 0005085661 87000 NOTICE Posture: ...

The local logging refers to ISE local store logs, as shown below:

myISE/admin# show logging application | inc local

      5914 Jul 14 2017 04:32:10  appserver/localhost.2017-07-14.log

--

    251557 Jul 14 2017 11:42:41  localStore/iseLocalStore.log

The local store logs are under localStore so only the 2nd entry is.

The ISE debug configuration is for local debug only and does not go to syslog.


You need to click on the images - the browser should enlarge them.

In the case below I only enabled Category Passed Authentications. What I am asking about is how to get rid of all the stuff there that I don't want to see, e.g. the internal ISE DeviceType stuff, what Profile was selected and the fact that Dynamic Authorization succeeded etc. In my view those are Severity level INFO and not NOTICE.

If I understand Nidhi's comments, one cannot fine tune the sub-categories within the Categories?

I would consider setting my Logging Targets' Facility Code to LOCAL5 (NOTICE) and then I would not have to log all the INFO and DEBUG stuff.

You might be thinking about the Message Classes under each of the message categories as in the Message Catalog page. Then, you are correct that a logging target can only receive a category as a whole but not selectively among the message classes.

All the available parent and child categories are shown in the logging categories page. For example, the parent category "AAA Audit" has three categories -- AAA Audit, Failed Attempts, and Passed Authentications.

On my ISE, certain logging categories permit logging level changes but that applies to all the targets receiving the events from the particular category. There is no logging level setting for a remote logging target. I guess you may filter on logging levels on your syslog server.
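
The receiver-side filtering suggested in the last reply, keyed on the category and severity fields visible in the sample syslog line earlier in the thread, as an added example that is not part of the original posts or Cisco's own code. The category spellings, the segment-handling rule and all sample records are assumptions constructed for illustration.

```python
import re

# Header layout as in the sample line quoted in the thread:
# <date> <host> <CISE_category> <message id> <total segments> <segment no> <body>
HEADER = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<cat>CISE_\S+) "
    r"(?P<msgid>\d+) (?P<total>\d+) (?P<seg>\d+) (?P<body>.*)$")
# Body of segment 0: <date> <time> <tz> <sequence> <message code> <severity> ...
FIRST = re.compile(
    r"^\d{4}-\d\d-\d\d [\d:.]+ [+-]\d\d:\d\d \d+ (?P<code>\d+) (?P<sev>[A-Z]+) ")
SEVERITY = {"DEBUG": 0, "INFO": 1, "NOTICE": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

def make_filter(keep_categories, min_severity="NOTICE"):
    """Build keep(line) -> bool, a pre-filter to run before volume-billed ingestion."""
    floor = SEVERITY[min_severity]
    decided = {}  # (host, message id) -> verdict reached on segment 0
    def keep(line):
        m = HEADER.match(line)
        if m is None:
            return True  # not an ISE record: do not drop what we cannot parse
        key, seg, total = (m["host"], m["msgid"]), int(m["seg"]), int(m["total"])
        if seg > 0:
            # Assumption: later segments repeat the header but carry no
            # severity, so they follow the verdict of their segment 0.
            last = seg == total - 1
            return decided.pop(key, True) if last else decided.get(key, True)
        first = FIRST.match(m["body"])
        sev = SEVERITY.get(first["sev"], floor) if first else floor
        verdict = m["cat"] in keep_categories and sev >= floor
        if total > 1:
            decided[key] = verdict
        return verdict
    return keep

# Assumed spellings following the thread's CISE_ pattern; confirm on your ISE.
WANTED = {"CISE_Passed_Authentications", "CISE_Failed_Attempts",
          "CISE_RADIUS_Accounting"}
# Constructed sample records (hosts, ids, codes and text are made up).
SAMPLE = [
    "Aug 6 10:25:01 ise01 CISE_Passed_Authentications 0000000101 1 0 "
    "2012-08-06 10:25:01.177 +01:00 0000000001 5200 NOTICE Passed-Authentication: ok",
    "Aug 6 10:25:02 ise01 CISE_Posture_and_Client_Provisioning_Audit 0000000102 2 0 "
    "2012-08-06 10:25:02.000 +01:00 0000000002 87000 NOTICE Posture: part one,",
    "Aug 6 10:25:02 ise01 CISE_Posture_and_Client_Provisioning_Audit 0000000102 2 1 part two",
    "Aug 6 10:25:03 ise01 CISE_RADIUS_Accounting 0000000103 1 0 "
    "2012-08-06 10:25:03.000 +01:00 0000000003 3000 INFO Radius-Accounting: update",
]
```

Records the filter cannot parse are kept rather than dropped, so a format change on the ISE side shows up as extra volume instead of as missing authentication events.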