11-29-2021 06:01 AM
Hi ISE professionals,
Beginning with ISE 2.6 P1, Syslog over ISE Messaging is enabled by default.
So from my understanding, all nodes send the syslogs to the MNT over TCP 8671.
However, the default logging target configuration using port 20514 (udp/syslog) is still enabled on a fresh new 2.7 or 3.0 install. Isn't this redundant, and does a PSN send the same message over both AMQP and traditional syslog?
Doesn't it make sense to disable the default log targets after AMQP is enabled?
Labels: Identity Services Engine (ISE)
Accepted Solutions
12-08-2021 09:55 PM
Hey Arne,
Thanks for the reply. We're currently upgrading our 2.4 deployment to 3.0. After this is done, I'll double check that.
However, I hoped that there is some generic guidance or some kind of recommendation by Cisco.
Guess I'll do it the hard way and open a TAC case.

12-08-2021 09:03 PM
Great question - one way would be to run a tcpdump between PSN and MNT to see if the PSN is sending UDP syslogs to the MNT. If so, then one might be tempted to disable the UDP SYSLOG and see if the logging still works (i.e. via the AMQP).
All research to be conducted in a lab environment, of course.
12-14-2021 06:34 AM
So, I finally did the capture.
If Syslog over ISE Messaging is enabled there is no UDP/20514 traffic to the MNT nodes, although the default logging targets are still enabled using UDP/20514 towards the PSN nodes.
=> Somehow UDP clear-text logging is magically disabled (although the configuration is still there)
If Syslog over ISE Messaging is disabled there is UDP/20514 traffic to the MNT nodes as expected.
Note: There's still TCP/8671 traffic, because of the Lightweight Session Directory feature, which uses the same message queue service.
So everything works as expected. However, a hint in the UI would be nice in the logging configuration.
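The check Arne suggested and the capture result above, written out as an added example (not code from the thread or from Cisco): it parses `tcpdump -nn` summary lines and reports whether PSN-to-MNT traffic uses the clear-text UDP/20514 logging target or TCP/8671 ISE Messaging. The node addresses and capture lines are constructed for the example; as the last post notes, TCP/8671 alone proves nothing about syslog because Lightweight Session Directory uses the same queue, so the useful signal is the absence of UDP/20514 while the target is still configured.

```python
import re
from collections import Counter

# Ports from the thread: default clear-text syslog target and ISE Messaging (AMQP).
SYSLOG_UDP_PORT = 20514
ISE_MESSAGING_TCP_PORT = 8671

# Matches the "IP src.sport > dst.dport: ..." part of a tcpdump -nn summary line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)"
)

def parse_flows(lines, psn_hosts, mnt_hosts):
    """Count PSN -> MNT packets per (protocol, destination port)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, ICMP and other non-IP summary lines are ignored
        if m["src"] not in psn_hosts or m["dst"] not in mnt_hosts:
            continue  # only the PSN -> MNT direction is of interest
        proto = "UDP" if m["rest"].startswith("UDP") else "TCP"  # TCP lines show "Flags [...]"
        counts[(proto, int(m["dport"]))] += 1
    return counts

def verdict(counts):
    """Which transports actually carry traffic from the PSN to the MNT."""
    return {
        "cleartext_udp_syslog": counts[("UDP", SYSLOG_UDP_PORT)] > 0,
        "ise_messaging_tcp": counts[("TCP", ISE_MESSAGING_TCP_PORT)] > 0,
    }

# Constructed sample (not a real capture): PSN 10.0.0.11, MNT 10.0.0.20,
# Syslog over ISE Messaging enabled, so only TCP/8671 flows towards the MNT.
SAMPLE_MESSAGING_ENABLED = [
    "10:01:02.123456 IP 10.0.0.11.41230 > 10.0.0.20.8671: Flags [P.], seq 1:101, ack 1, win 502, length 100",
    "10:01:02.123789 IP 10.0.0.20.8671 > 10.0.0.11.41230: Flags [.], ack 101, win 509, length 0",
    "10:01:03.000001 IP 10.0.0.11.41230 > 10.0.0.20.8671: Flags [P.], seq 101:420, ack 1, win 502, length 319",
    "10:01:03.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.11, length 28",
]
# Same constructed deployment with ISE Messaging disabled: the UDP/20514 target is used.
SAMPLE_MESSAGING_DISABLED = SAMPLE_MESSAGING_ENABLED + [
    "10:01:04.000000 IP 10.0.0.11.51111 > 10.0.0.20.20514: UDP, length 312",
]

if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_MESSAGING_ENABLED), ("disabled", SAMPLE_MESSAGING_DISABLED)):
        print(name, verdict(parse_flows(sample, {"10.0.0.11"}, {"10.0.0.20"})))
```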
