Solved: Log analytics with elk for monitoring reports

jagritibhardwaj471 · ‎03-31-2024

In Ise version 3.3 there is a feature of System 360 that includes Monitoring and Log Analytics, with elk monitoring , I want to fetch the radius accounting logs for the last 90 days. Will this feature be able to fetch logs of last 90 days and if not , then logs of how many days can be retrieved using this feature?

ahollifield · ‎04-01-2024

No, log analytics only has a 7 day retention time.

View solution in original post

Arne Bier · ‎04-01-2024

@jagritibhardwaj471 - I was also surprised to learn that Log Analytics only retains 7 days (I guess I should read that link in more detail) - perhaps the answer lies in the Data Connect feature (ODBC/JDBC) to fetch data from the MNTs using SQL queries.

Administration > System > Data Connect

There are SQL tools like SQuirreL SQL Client Home Page (sourceforge.io) or Download SQL Server Management Studio (SSMS) - SQL Server Management Studio (SSMS) | Microsoft Learn to visually inspect and fetch data from the ISE database when Data Connect is enabled.

View solution in original post

balaji.bandi · ‎04-01-2024

As per the i know ISE 3.3 Log analytics - how the system performing - check the admin guide - System 360

check the data retained as mentioned in the document.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_maintain_monitor.html#c_system360

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ahollifield · ‎04-01-2024

No, log analytics only has a 7 day retention time.

Arne Bier · ‎04-01-2024

@jagritibhardwaj471 - I was also surprised to learn that Log Analytics only retains 7 days (I guess I should read that link in more detail) - perhaps the answer lies in the Data Connect feature (ODBC/JDBC) to fetch data from the MNTs using SQL queries.

Administration > System > Data Connect

There are SQL tools like SQuirreL SQL Client Home Page (sourceforge.io) or Download SQL Server Management Studio (SSMS) - SQL Server Management Studio (SSMS) | Microsoft Learn to visually inspect and fetch data from the ISE database when Data Connect is enabled.

jagritibhardwaj471 · ‎04-01-2024

That means the only way to collect last 90 days radius accounting logs is via data connect ?? But in my case , we are working with Ise release 2.7 and data connect is a feature for versions starting from release 3.2 . Does that conclude that we have no other way to collect historic radius accounting logs apart from data connect ?

ahollifield · ‎04-02-2024

<>
[logo-open-graph.gif]
Cisco Identity Services Engine 2.7 - End of Life Announcement for the Cisco Identity Services Engine Software Version 2.7<>
cisco.com<>
What is your use-case for needing 90 days of accounting logs? Why not use a Syslog collector instead?

jagritibhardwaj471 · ‎04-02-2024

Actually my purpose is to collect the radius accounting logs of last 90 days , we have to generate reports according to that .

ahollifield · ‎04-02-2024

Why? What value would RADIUS accounting give you? What exactly are you looking for in the accounting logs?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

jagritibhardwaj471 · ‎04-02-2024

My bad I was actually looking to get radius authentication logs and not radius accounting logs.

ahollifield · ‎04-02-2024

Got it, this is where you should be sending Syslogs to an external Syslog server. ISE isn’t necessarily designed for long term data collection, reporting, correlation, etc this would be the job of a product such as Splunk or a SIEM.

adamscottmaster2013 · ‎04-02-2024

Stay away from Splunk. It is an overprice product.

ElasticSearch is a good product, free because it is an opensource. You can purchase support if needed, so much cheaper than Splunk. Elastic Search is also running in Cisco ISE. If it is good enough for Cisco, it is good enough for most enterprise environment. Very easily deployed in AWS.