cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1671
Views
0
Helpful
4
Replies

Monitoring ISE node as syslog destination

Kashish_Patel
Level 2
Level 2

Hi Security Experts,

We are setting up Cisco ISE (Identity Services Engine) in our network.

I have the confusion if we need to configure monitoring node IP address as the syslog destination on the access switches. In what situations is this needed and in which situations is it not needed?

PS: I rate useful posts.

Thanks,

Kashish

2 Accepted Solutions

Accepted Solutions

Tarik Admani
VIP Alumni
VIP Alumni

Kashish,

When you look at the user authentication report, ISE also builds related syslog messages that pertain to the user connection.

This isnt mandatory but useful since it does help correlate syslog messages to the user authentication session. Here is an example of it in action:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050132

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

Exactly, ISE will attached the relevant syslog data (if you have it configured) to the report. The radius authentication will still appear no matter what.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

Kashish,

When you look at the user authentication report, ISE also builds related syslog messages that pertain to the user connection.

This isnt mandatory but useful since it does help correlate syslog messages to the user authentication session. Here is an example of it in action:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050132

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik.

So you mean that even if we don't configure monitoring ISE node IP as syslog destination on access switches, even then ISE gives details of user authentication.

Configuring the IP gives us additional details, right?

Thanks,

Kashish

Exactly, ISE will attached the relevant syslog data (if you have it configured) to the report. The radius authentication will still appear no matter what.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik. That answers my question.