Logging Administrator logins and operations in ISE 2.6

tvirtanen
Level 1

I want to send all logs regarding Administrator logins, and what changes they have made, to a remote log server.
If I choose category "Administrative and Operational Audit" I get way too much information.
When an administrator is logged in and clicks on a menu option, the log fills up with 10-20 messages, all saying the same thing:

"60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, ConfigVersionId=555, AdminInterface=CLI, OperationMessageText=178557 Connection requested"

So instead of my assumed ~100 messages per day I get ~100000 depending on how much the admins browse around in the GUI.

I would like to know if there is a way to filter in the ISE before sending the logs to the syslog-server.
I also want to see "real" CLI-logins. Is there a way to separate those from the "internal" ones?

 

Accepted Solutions

Anurag Sharma
Cisco Employee

Hi,

Unfortunately, there is no way to filter outgoing Syslog messages.

You can configure some scheduled reports as an alternative. Categories: Audit -> Administrator Logins, Change configuration Audit, etc.

HTH

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
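
Since ISE cannot filter what it sends, identical repeats can be collapsed on the receiving side instead. The sketch below is an added example, not part of the original thread and not Cisco code; it assumes a collector that supplies (epoch seconds, message body) pairs in the body shape quoted in the question, and the function names, the 60-second window and the sample events are constructed.

```python
import re

# Body shape taken from the message quoted in the question:
# "<code> <severity> <category>: <text>, Key=Value, Key=Value"
MSG_RE = re.compile(r"^(?P<code>\d+) (?P<severity>[A-Z]+) (?P<category>[\w-]+): (?P<rest>.+)$")

def parse(body):
    """Return code, severity, category, text and Key=Value attributes, or None."""
    m = MSG_RE.match(body.strip().strip('"'))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("rest").split(", ")
    rec["text"] = parts[0]
    rec["attrs"] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return rec

def suppress_repeats(events, window=60):
    """Forward the first copy of each identical message per window; count the rest."""
    last_sent, forwarded, suppressed = {}, [], {}
    for ts, body in events:
        rec = parse(body)
        if rec is None:
            forwarded.append((ts, body))  # fail open: never drop an unparsed audit line
            continue
        key = (rec["code"], rec["text"], tuple(sorted(rec["attrs"].items())))
        if key in last_sent and ts - last_sent[key] < window:
            suppressed[key] = suppressed.get(key, 0) + 1
            continue
        last_sent[key] = ts
        forwarded.append((ts, body))
    return forwarded, suppressed

# Constructed sample: the line from the question repeated, plus two variants.
LINE = ("60080 NOTICE Administrator-Login: A SSH CLI user has successfully logged in, "
        "ConfigVersionId=555, AdminInterface=CLI, "
        "OperationMessageText=178557 Connection requested")
SAMPLE = [(0, LINE), (2, LINE), (5, LINE),
          (30, LINE.replace("ConfigVersionId=555", "ConfigVersionId=556")),
          (61, LINE), (62, "constructed line without the expected prefix")]

if __name__ == "__main__":
    sent, dropped = suppress_repeats(SAMPLE)
    for ts, body in sent:
        print(ts, body)
    print("suppressed repeats:", sum(dropped.values()))
```

Writing the per-key suppression counts to the log store alongside the forwarded lines keeps a record of how many messages were collapsed.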
