10-02-2024 03:26 AM
Hi all,
We need to retrieve logs related to recent changes in the Network Device Group settings. I have already checked the "Message Catalog" section, but I couldn’t find anything useful due to the large number of entries (over 2,000).
Do you know if this type of log is available?
10-02-2024 09:07 AM
The ISE reports are very limited which is why I prefer to use the ISE Data Connect feature to perform direct SQL queries against the database views. This should allow you to query all rows in the database and not just the last 30 days, assuming you have extended your Administration > System > Maintenance > Operational Data Purging > Data Retention Period settings to longer than the default 30 days.
We explain how I use Data Connect in our ISE Webinars (archived to our CiscoISE YouTube Channel):
48:32 ISE Data Connect
iseql.py: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
▷ Next Generation ISE Telemetry, Monitoring, and Custom Reporting Part 2
08:10 Data Connect (ISE 3.2 and later)
10:52 Data Connect Deployment Scenarios
12:56 Using Data Connect
14:12 - Enable Data Connect (GUI)
16:38 - Enable Data Connect (API)
17:16 - Repository for Examples: https://github.com/EmmanuelCano/DataConnect/
17:49 - Certificate Export / Import
19:48 - Monitoring Alarms, Reports, and Log (ise-psc.log)
21:11 Demos Overview
22:40 Demo: Enable Data Connect : GUI and Python REST API Script
24:43 Demo: Verify Change Configuration Audit Report
25:38 Demo: Data Connect Certificate Export and Import for Java Keystore (for JDBC)
27:06 Demo: Data Connect with DB Visualizer
29:36 Data Connect Views (read-only)
The admin configuration changes to Network Device Group (NDG) settings would be logged in the Change Configuration Audit report along with all other configuration changes. Change Configuration Audit is replicated in a Data Connect table which contains many additional useful columns that you cannot get in the basic ISE reports!
I found the Network Device Groups config changes with the following SQL query using my iseql.py script:
-- ISE Change Configuration Audit Report
SELECT
  timestamp, -- Time when record added (TIMESTAMP(6))
  admin_name, -- Name of the admin who made config change
  details, -- Details of the event
  event, -- Config change done
  failure_flag, -- Failure flag
  host_id, -- Hostname of ISE node on which change is done
  -- id, -- Database unique ID
  interface, -- Interface used for login GUI/CLI
  ise_node, -- Hostname of ISE node
  -- applied_to_acs_instance, -- ISE nodes to which change is applied
  -- local_mode, -- Local mode
  message_class, -- Message class
  message_code, -- Message code
  -- modified_properties, -- Modified properties
  nas_ip_address, -- IP address of NAD
  -- nas_ipv6_address, -- IPV6 address of NAD
  -- operation_message_text, -- Operation details
  -- request_response_type, -- Type of request response
  -- requested_operation, -- Operation done
  -- object_id, -- Object ID
  object_name, -- Name of object for which config is changed
  object_type --, -- Type of object for which config is changed
FROM change_configuration_audit
WHERE object_type = 'Network Device Groups'
-- FETCH FIRST 10 ROWS ONLY
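An added example, not part of the original reply and not taken from iseql.py: two variations of the query above for reviewing recent NDG changes, one listing the newest changes with the columns that show what was modified, and one summarizing activity per admin. The column names are the ones listed in the query above; the 30-day window, the 50-row limit and the Oracle-style interval syntax are assumptions.

```sql
-- Added example (assumptions: Oracle SQL dialect, 30-day window, 50-row limit).
-- Run each statement separately.

-- 1) Most recent Network Device Group changes, newest first,
--    including the columns that describe what was changed.
SELECT
  c.timestamp,            -- Time when record added
  c.admin_name,           -- Admin who made the change
  c.interface,            -- Interface used for login GUI/CLI
  c.ise_node,             -- ISE node that logged the change
  c.requested_operation,  -- Operation done
  c.object_name,          -- Name of the changed object
  c.modified_properties,  -- Modified properties
  c.failure_flag          -- Failure flag
FROM change_configuration_audit c
WHERE c.object_type = 'Network Device Groups'
  AND c.timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY
ORDER BY c.timestamp DESC
FETCH FIRST 50 ROWS ONLY

-- 2) Per-admin summary of Network Device Group changes:
--    how many of each operation, and when the first and last occurred.
SELECT
  c.admin_name,
  c.requested_operation,
  COUNT(*)         AS change_count,
  MIN(c.timestamp) AS first_change,
  MAX(c.timestamp) AS last_change
FROM change_configuration_audit c
WHERE c.object_type = 'Network Device Groups'
GROUP BY c.admin_name, c.requested_operation
ORDER BY last_change DESC
```

Rows older than the configured Data Retention Period are purged, so widening the interval only helps if that retention setting has been extended.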
10-02-2024 05:04 AM - edited 10-02-2024 05:06 AM
If the device is configured and sending information to ISE, then you should see audit logs of what changes were made at the switch, router, or device.
Operation > Reports > Reports - you see audit reports.
10-02-2024 06:06 AM - edited 10-02-2024 06:17 AM
Thanks, @balaji.bandi. I’ve just exported the report from the "Adaptive Network Control Audit" section. However, I noticed that I can only retrieve data starting from the beginning of September.
Do you know the maximum retention period for these reports?
EDIT: This could be a possible answer to my question