Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
867
Views
0
Helpful
6
Replies

Remote Syslog Settings

Mstuetzel
Level 1
Level 1

‎02-10-2020 10:00 AM

Working on forwarding Radius accounting logs to a remote syslog (secure) In our lab that has PAN/PSN/MNT all on the same node it looks to be working correctly but our production has PAN/MNT and PSN separated. What server actually forwards the logs. I believe I read that the MNT should handle this job but we are not seeing any logs.

0 Helpful
6 Replies 6

Francesco Molino
VIP Alumni
VIP Alumni

‎02-10-2020 10:44 AM

Hi

 

You can check out on the ISE node communication to know every flows by nodes. This design can be found in the administration guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

 

Here the picture:

image.png

 

Have you checked if you see logs coming from PSN nodes?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Mstuetzel
Level 1
Level 1
In response to Francesco Molino

‎02-10-2020 10:51 AM

hmm will have to see. from the tcpdump I don't see any packets for those destinations on the psns or the pan/mnt the document is helpful but I don't see the option for a remote logging server to offload the logs.
0 Helpful

Damien Miller
VIP Alumni
VIP Alumni

‎02-10-2020 11:11 AM

You will get forwarded syslogs directly from the PSNs. Adding a remote syslog target means they still send to the MNT, but the MNT doesn't actually forward them, the PSNs will send the same logs twice.
0 Helpful

Mstuetzel
Level 1
Level 1
In response to Damien Miller

‎02-10-2020 11:49 AM

I ran pcaps on ISE pan for the PSNs while the other team was watching from logs the only logs he was able to see was from the Admin node for alarms or configuration changes. not seeing anything from the PSNs or the PAN/MNT for radius accounting logs. I also setup an alarm for the remote server blocked access to it but the alarm never tripped as soon as I removed the ACL it started sending the normal system logs not radius accounting logs.
0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to Mstuetzel

‎02-10-2020 01:18 PM

Have you done the following? It takes two steps to export syslogs to a remote target, defining the target, and defining the remote target on the log categories.  

Step 1 - Define the external syslog server as a remote logging target. Click add on this page and fill in the required details.

remote-log-targ.jpg

 

Step 2 - Add your new remote logging target (external syslog server) to the logging categories you want to export. Radius accounting as an example.  
remote-logging.jpg

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Mstuetzel

‎02-10-2020 05:46 PM

Damien already replied.
As he mentioned, you'll need to define which logs you want to export to your remote target.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents