Beginner

Live Logs for TrustSec?

Is there a feature like RADIUS Live Logs for TrustSec?

I want to be able to see if someone is hitting a SGACL rule for troubleshooting and auditing.

3 REPLIES
VIP Advisor

Re: Live Logs for TrustSec?

These statistics are not reported to ISE. You are only able to view hits on the SGACL where the enforcement takes place. On a 3850 for example, you can run show cisco trustSec role-based counters ipv4 to see hits incrementing, but it is not split by IP, just SGT to SGT.

You can export deny and drop events via netflow to something like Stealthwatch. I have not done this before, so I'm not certain what the reporting looks like on the collector.

This is one area that I think is a challenge with TrustSec: you decentralize your enforcement away from firewalls that log in great detail.

Beginner

Re: Live Logs for TrustSec?

Thanks,

I did see a report in ISE that was for SGACL Drops, and it reinforced what you said: netflow would have to be enabled on the switch to report these events to ISE.

Cisco Employee

Re: Live Logs for TrustSec?

Yes, there is/was a report in ISE reporting on SGACL drops but the ONLY platform that exported drop information is/was the Cat6500. This is not something that has been expanded to other platforms and has not been maintained; that feature is not of use to you as it stands.

Your friend here is the 'log' keyword at the end of the SGACEs, for example, 'deny ip log'. This will generate syslog messages for hits which can be reported on via the likes of SIEM tools like Splunk, for example.

And as was stated, Stealthwatch can receive Netflow records with SGT/DGT information and can report on flows in the network, and hence the enforcement operation can be deduced.

There are programs in place to provide further tools for enhancing visibility, stay tuned...
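As an added illustration of the 'deny ip log' approach above (not code from the thread or from Cisco), here is a small parser that takes the SGACL hit syslog messages a switch emits and aggregates Deny hits both per SGT/DGT pair and per source IP, which is the per-IP detail the role-based counters alone do not give you. The message shape (%RBM-6-SGACLHIT with key='value' fields) and the sample lines are constructed assumptions; check them against your own platform's output.

```python
import re
from collections import Counter

# Constructed sample syslog, in the key='value' shape Catalyst switches use
# for SGACL 'log' hits (%RBM-6-SGACLHIT). Field names are an assumption here.
SAMPLE_SYSLOG = """\
<190>Jan 10 10:01:02 sw1 123: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/1' sgacl_name='Deny_Telnet' action='Deny' protocol='tcp' src-ip='10.1.1.10' src-port='51000' dest-ip='10.1.2.20' dest-port='23' sgt='10' dgt='20' logging_interval_hits='1'
<190>Jan 10 10:01:05 sw1 124: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/1' sgacl_name='Deny_Telnet' action='Deny' protocol='tcp' src-ip='10.1.1.11' src-port='51001' dest-ip='10.1.2.20' dest-port='23' sgt='10' dgt='20' logging_interval_hits='3'
<190>Jan 10 10:01:07 sw1 125: %RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/2' sgacl_name='Permit_Web' action='Permit' protocol='tcp' src-ip='10.1.3.5' src-port='40000' dest-ip='10.1.2.30' dest-port='443' sgt='30' dgt='20' logging_interval_hits='1'
<190>Jan 10 10:01:09 sw1 126: %SYS-5-CONFIG_I: Configured from console by admin
"""

FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")
MARKER = "%RBM-6-SGACLHIT:"


def parse_sgacl_hit(line):
    """Return a dict of fields for an SGACLHIT line, or None for other syslog."""
    if MARKER not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(MARKER, 1)[1]))
    # The switch batches repeated hits; count them rather than the message.
    fields["hits"] = int(fields.get("logging_interval_hits", "1"))
    return fields


def summarize_denies(text):
    """Aggregate Deny hits per (sgt, dgt, sgacl_name) and per source IP."""
    by_pair, by_src = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_sgacl_hit(line)
        if ev is None or ev.get("action") != "Deny":
            continue
        by_pair[(ev["sgt"], ev["dgt"], ev["sgacl_name"])] += ev["hits"]
        by_src[ev["src-ip"]] += ev["hits"]
    return by_pair, by_src


if __name__ == "__main__":
    pairs, srcs = summarize_denies(SAMPLE_SYSLOG)
    for (sgt, dgt, name), n in pairs.items():
        print(f"SGT {sgt} -> DGT {dgt} ({name}): {n} denied")
    for ip, n in srcs.items():
        print(f"  {ip}: {n} denied")
```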