Sending Alarms via Syslog

giosif
Cisco Employee

Hello,

I have a customer who is looking to monitor their ISE deployment via Syslog and they are particularly interested in receiving the alarms generated in ISE via Syslog.

On initial testing, however, they noticed the format of a Syslog message for an alarm does not follow the structure detailed in our documentation.

Q1: As such, their first request is if there is any documentation on the structure of Syslog messages for alarms.

The next issue they raised is that, apparently, the Syslog messages ISE sends for alarms might not be sent in the standard format of Syslog messages (e.g. not RFC compliant).

Q2: Can someone please confirm whether this statement is true?

Q3: Finally, the customer is looking for a list of all alarm-related Syslog messages that ISE can send out.

It's the equivalent of https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-0/message_catalog/Cisco_Identity_Services_Engine_Log_Messages_2… , but for Syslog messages for alarms.

The ISE version being used is 2.2.

Thank you!

2 Replies

Arne Bier
VIP

I am curious to know what issues you have found. I just went nuts and sent all syslogs to Splunk - and Splunk is loving it so far. With the right plugins it decodes a whole bunch.

Using ISE 2.3p2

Regarding the catalogue of all possible syslog events - that's a fair thing to ask and I would be interested in that too.

E.g. I was surprised to find out that when my application server restarts, no SYSLOG is sent. You can have a PSN Application Server stuck in init for days and nobody will know.

hslai
Cisco Employee

The Alarm Settings page should have all the alarms ISE will send. Anything missing should be considered a defect.

ISE 2.1 added this feature -- SNMP Traps To Monitor Cisco ISE Processes

Our PM and TME owners on ISE alarms are taking a look at all of George's asks.