
Syslog over ISE Messaging

Johannes Luther (Enthusiast)

Hi ISE professionals,

beginning with ISE 2.6 P1, Syslog over ISE Messaging is enabled by default:

Cisco ISE 2.6 offers MnT WAN Survivability for UDP syslog collection. System logs are recorded using ISE Messaging Services. Remote Logging Targets uses the port TCP 8671 and Secure Advanced Message Queuing Protocol (AMQPs) for sending syslog to MnT.

So from my understanding, all nodes send the syslogs to the MNT over TCP 8671.

However, the default logging target configuration using port 20514 (udp/syslog) is still enabled on a fresh new 2.7 or 3.0 install. Isn't this redundant and a PSN sends the same message over AMQP and traditional syslog?

Doesn't it make sense to disable to default log targets after AMQP is enabled?

3 Replies

Arne Bier (VIP Advisor)

Great question - one way would be to run a tcpdump between PSN and MNT to see if the PSN is sending UDP syslogs to the MNT. If so, then one might be tempted to disable the UDP SYSLOG and see if the logging still works (i.e. via the AMQP).


All research to be conducted in a lab environment, of course.

[Accepted Solution]

Hey Arne,

thanks for the reply. We're currently upgrading our 2.4 deployment to 3.0. After this is done, I'll double check that.

However, I hoped that there is some generic guidance or that there is some kind of recommendation by Cisco.


Guess I'll do the hard way and open a TAC case.

Johannes Luther (Enthusiast)

So, I finally did the capture.

If Syslog over ISE Messaging is enabled, there is no UDP/20514 traffic to the MNT nodes, although the default logging targets are still enabled using UDP/20514 towards the PSN nodes.

=> Somehow UDP clear-text logging is magically disabled (although the configuration is still there)


If Syslog over ISE Messaging is disabled there is UDP/20514 traffic to the MNT nodes as expected.

Note: There's still TCP/8671 traffic, because of the Lightweight Session Directory feature, which uses the same message queue service.


So everything works as expected. However a hint in the UI would be nice in the logging configuration.
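The capture check Arne suggested and the result Johannes reported above (no UDP/20514 towards MnT once Syslog over ISE Messaging is on, but TCP/8671 present either way because the Lightweight Session Directory uses the same queue) can be reduced to a small script. The following is an added example, not code from the thread or from Cisco: it parses `tcpdump -nn` text lines and reports which syslog path a PSN is actually using. The node addresses (PSN 10.0.0.11, MnT 10.0.0.21) and the capture lines are constructed for the example.

```python
"""Classify tcpdump text output between a PSN and the MnT node by the
syslog transport path it shows: clear-text UDP syslog (udp/20514, the
default remote logging target) versus ISE Messaging (tcp/8671, AMQPS).

Assumptions (not from the thread): PSN 10.0.0.11, MnT 10.0.0.21, and the
capture lines below, which are constructed to mimic `tcpdump -nn` output.
"""
import re
from collections import Counter

# tcpdump -nn line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

SYSLOG_UDP_PORT = 20514    # default LogCollector remote logging target
ISE_MESSAGING_PORT = 8671  # ISE Messaging Service (AMQPS), also used by LSD

PSN_IP = "10.0.0.11"       # assumed addresses
MNT_IP = "10.0.0.21"

# Constructed sample: Syslog over ISE Messaging enabled -> only tcp/8671
CAPTURE_MESSAGING_ENABLED = """\
10:00:01.000100 IP 10.0.0.11.49152 > 10.0.0.21.8671: Flags [P.], seq 1:201, ack 1, win 501, length 200
10:00:01.000200 IP 10.0.0.21.8671 > 10.0.0.11.49152: Flags [.], ack 201, win 501, length 0
10:00:01.000300 IP 10.0.0.11.49152 > 10.0.0.21.8671: Flags [P.], seq 201:601, ack 1, win 501, length 400
""".splitlines()

# Constructed sample: Syslog over ISE Messaging disabled -> udp/20514 plus
# the tcp/8671 traffic that the session directory keeps generating anyway
CAPTURE_MESSAGING_DISABLED = """\
10:00:01.000100 IP 10.0.0.11.33000 > 10.0.0.21.20514: UDP, length 512
10:00:01.000200 IP 10.0.0.11.33000 > 10.0.0.21.20514: UDP, length 498
10:00:01.000300 IP 10.0.0.11.49152 > 10.0.0.21.8671: Flags [P.], seq 1:101, ack 1, win 501, length 100
""".splitlines()


def classify_packet(dport, rest):
    """Label one packet by destination port and the protocol tcpdump printed."""
    if dport == SYSLOG_UDP_PORT and rest.startswith("UDP"):
        return "udp_syslog"
    if dport == ISE_MESSAGING_PORT and rest.startswith("Flags"):
        return "ise_messaging"
    return "other"


def summarize(lines, mnt_ip=MNT_IP):
    """Count packets sent *to* the MnT node, by path (MnT replies are ignored)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] != mnt_ip:
            continue
        counts[classify_packet(int(m["dport"]), m["rest"])] += 1
    return counts


def syslog_path(lines, mnt_ip=MNT_IP):
    """Verdict on how syslog reaches MnT.

    Absence of udp/20514 is the useful signal: tcp/8671 is present in both
    configurations because LSD uses the same queue, and AMQPS is encrypted,
    so the capture alone cannot show which messages ride on 8671.
    """
    counts = summarize(lines, mnt_ip)
    if counts["udp_syslog"]:
        return "udp_syslog"          # clear-text syslog still leaves the PSN
    if counts["ise_messaging"]:
        return "ise_messaging_only"  # no clear-text syslog; queue traffic seen
    return "none"                    # nothing reaching MnT on either port


if __name__ == "__main__":
    for name, cap in (("enabled", CAPTURE_MESSAGING_ENABLED),
                      ("disabled", CAPTURE_MESSAGING_DISABLED)):
        print(f"Syslog over ISE Messaging {name}: {dict(summarize(cap))} "
              f"-> {syslog_path(cap)}")
```

To use it against a real deployment, capture on the PSN (or a SPAN port) with numeric ports, e.g. a BPF filter of `host <mnt-ip> and (udp port 20514 or tcp port 8671)`, save the text output and feed the lines to `syslog_path()`. Run it once with Syslog over ISE Messaging enabled and once disabled, in a lab, as Arne noted. The verdict deliberately treats any UDP/20514 packet as the decisive finding, since that is the clear-text path an operator would want gone.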
