
Log messages about Network Device Group changes

bassomarco1998
Level 1

Hi all,

We need to retrieve logs related to recent changes in the Network Device Group settings. I have already checked the "Message Catalog" section, but I couldn’t find anything useful due to the large number of entries (over 2,000).

Do you know if this type of log is available?

1 Accepted Solution

thomas
Cisco Employee

The ISE reports are very limited which is why I prefer to use the ISE Data Connect feature to perform direct SQL queries against the database views. This should allow you to query all rows in the database and not just the last 30 days, assuming you have extended your Administration > System > Maintenance > Operational Data Purging > Data Retention Period settings to longer than the default 30 days.

We explain how I use Data Connect in our ISE Webinars (archived to our CiscoISE YouTube Channel):

How to Get Data Out of ISE:

48:32 ISE Data Connect

▷ Next Generation ISE Telemetry, Monitoring, and Custom Reporting Part 2 

08:10 Data Connect (ISE 3.2 and later)
10:52 Data Connect Deployment Scenarios
12:56 Using Data Connect
14:12 - Enable Data Connect (GUI)
16:38 - Enable Data Connect (API)
17:16 - Repository for Examples: https://github.com/EmmanuelCano/DataConnect/
 - Certificate Export / Import
19:48 - Monitoring Alarms, Reports, and Log (ise-psc.log)
21:11 Demos Overview
 Demo: Enable Data Connect : GUI and Python REST API Script
24:43 Demo: Verify Change Configuration Audit Report
25:38 Demo: Data Connect Certificate Export and Import for Java Keystore (for JDBC)
27:06 Demo: Data Connect with DB Visualizer
29:36 Data Connect Views (read-only)

The admin configuration changes to Network Device Group (NDG) settings would be logged in the Change Configuration Audit report along with all other configuration changes. Change Configuration Audit is replicated in a Data Connect table which contains many additional useful columns that you cannot get in the basic ISE reports!

I found the Network Device Groups config changes with the following SQL query using my iseql.py script:

-- ISE Change Configuration Audit Report
SELECT
  timestamp, -- Time when record added (TIMESTAMP(6))
  admin_name, -- Name of the admin who made config change
  details, -- Details of the event
  event, -- Config change done
  failure_flag, -- Failure flag
  host_id, -- Hostname of ISE node on which change is done
  -- id, -- Database unique ID
  interface, -- Interface used for login GUI/CLI
  ise_node, -- Hostname of ISE node
  -- applied_to_acs_instance, -- ISE nodes to which change is applied
  -- local_mode, -- Local mode
  message_class, -- Message class
  message_code, -- Message code
  -- modified_properties, -- Modified properties
  nas_ip_address, -- IP address of NAD
  -- nas_ipv6_address, -- IPV6 address of NAD
  -- operation_message_text, -- Operation details
  -- request_response_type, -- Type of request response
  -- requested_operation, -- Operation done
  -- object_id, -- Object ID
  object_name, -- Name of object for which config is changed
  object_type -- Type of object for which config is changed
FROM change_configuration_audit
WHERE object_type = 'Network Device Groups'
-- FETCH FIRST 10 ROWS ONLY
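
Building on the query above, an added example (not part of the original post) that bounds the search to a time window and then summarises who changed Network Device Groups on each day. It uses only columns listed in the post; the Oracle-style date syntax and the 90-day window are assumptions.

```sql
-- Added example: NDG change timeline for an assumed 90-day window.
-- Only rows still inside the configured Data Retention Period can be returned.
SELECT
  timestamp,            -- Time when record added
  admin_name,           -- Admin who made the change
  interface,            -- GUI/CLI
  ise_node,             -- ISE node hostname
  event,                -- Config change done
  object_name,          -- NDG object that was changed
  requested_operation,  -- Operation done
  modified_properties,  -- Modified properties
  failure_flag          -- Failure flag
FROM change_configuration_audit
WHERE object_type = 'Network Device Groups'
  AND timestamp >= SYSTIMESTAMP - INTERVAL '90' DAY
ORDER BY timestamp DESC;

-- Added example: per-admin, per-day summary of the same rows,
-- useful for spotting who touched NDGs and how often.
SELECT
  TRUNC(timestamp)            AS change_day,
  admin_name,
  interface,
  COUNT(*)                    AS changes,
  COUNT(DISTINCT object_name) AS objects_touched
FROM change_configuration_audit
WHERE object_type = 'Network Device Groups'
  AND timestamp >= SYSTIMESTAMP - INTERVAL '90' DAY
GROUP BY TRUNC(timestamp), admin_name, interface
ORDER BY change_day DESC, changes DESC;
```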


3 Replies

balaji.bandi
Hall of Fame

If the device is configured and sending information to ISE, then you should see audit logs of what changes were made at the switch, router or device.

Operations > Reports > Reports - you will see the audit reports.

BB


Thanks, @balaji.bandi. I’ve just exported the report from the "Adaptive Network Control Audit" section. However, I noticed that I can only retrieve data starting from the beginning of September.

Do you know the maximum retention period for these reports?

EDIT: This could be a possible answer to my question 
