Managing ISE backups

Steven Williams
Level 4

My ISE database has increased as the usage of the application has begun to ramp up, so obviously my backups are growing large. Currently I am backing up operational once a week and configuration daily. Is this too much? My dailies are about 1.5G and the operational is about 10G. Is there a way to manage the retention within ISE? Like say only keep 3 days' worth, or do I need to create a batch script to purge these?

Accepted Solutions

paul
Level 10

I don't back up the operational database on any of my customers. We usually rely on external log destinations for long-term data retention of log data. If I need to rebuild ISE I am only worried about recovering the configuration data. I usually back up the ISE configuration once a week. There are no retention policies in ISE so you need to set up cron jobs on your backup server to manage the ISE backup retention.


3 Replies

Damien Miller
VIP Alumni

I'm with Paul, we don't back up any of the RADIUS/TACACS logs within customer deployments either. Something like Splunk is the long-term storage. Not to say we have never done it, I once rebuilt an MNT and took a one-time backup to restore. It works, it just took forever.


Edit: you can probably ignore this, realized you were asking about backup file retention. Sadly a missing feature in ISE.
By default ISE keeps 30 days of RADIUS and TACACS logs. You can manage the retention of that in the Operational Data Purging menu. If you reduce the time here, you will inhibit the ability to run historical reports. So you could change this to 3 days, but sometimes a week of logs is helpful for troubleshooting; I wouldn't go that short.
https://<ise pan IP>/admin/#administration/administration_system/administration_system_backup/data_purging

Arne Bier
VIP

I also don't advocate Operational Backups since I have never had the need for them (nor do my customers). The authentication records get stored on a SYSLOG server somewhere.

I am also still annoyed with the size of Config Backups because they contain more than just configs. If you're curious then pick one of those files apart and see what junk lies inside. But we have no choice. And ISE doesn't do any housekeeping of its backups either. So I devised my own method, assuming your backups live on a Linux host:

https://community.cisco.com/t5/security-documents/simple-linux-cron-job-to-manage-ise-backup-files/ta-p/3642165
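
An added example, not written by anyone in this thread and not the script from the linked document: a cron-friendly purge for the backup server that keeps the newest N files per backup type instead of deleting by age, so a stalled backup job never ages out the last good copies. The directory, the script path and the glob patterns (`*CFG*.tar.gpg`, `*OPS*.tar.gpg`) are assumptions; match them to the file names in your repository.

```shell
#!/bin/sh
# Added example: count-based retention for ISE backup files on the repository host.
# Assumed, not from the thread: directory, glob patterns, keep counts, script path.

# prune_backups DIR PATTERN KEEP [DRY_RUN]
# Keeps the KEEP newest files (by mtime) matching PATTERN in DIR and deletes the
# rest. Prints each deleted (or, with DRY_RUN=1, would-be deleted) path.
prune_backups() {
    dir=$1 pattern=$2 keep=$3 dry_run=${4:-0}

    # Refuse input that could empty the repository: a missing directory,
    # a non-numeric count, or a count of zero.
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    case $keep in ''|*[!0-9]*) echo "KEEP must be a number" >&2; return 2 ;; esac
    [ "$keep" -ge 1 ] || { echo "KEEP must be >= 1" >&2; return 2; }

    (
        cd "$dir" || exit 2
        # Expand the glob here (patterns must not contain spaces); if nothing
        # matches, the pattern stays literal and there is nothing to do.
        set -- $pattern
        [ -e "$1" ] || exit 0
        # Newest first; everything after the first KEEP entries has expired.
        ls -1dt -- "$@" | tail -n +"$((keep + 1))" | while IFS= read -r f; do
            # Regular files only; never act on a symlink planted in the directory.
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            echo "$dir/$f"
            [ "$dry_run" = 1 ] || rm -f -- "$f"
        done
    )
}

# Runs only when called with arguments, for example from cron (paths assumed):
#   0 3 * * * /usr/local/bin/ise-prune.sh /srv/ise-backups '*CFG*.tar.gpg' 3
if [ "$#" -ge 3 ]; then
    prune_backups "$@"
fi
```

Run it once with `1` as the fourth argument to list what would be removed before scheduling it.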