01-03-2018 12:47 AM
Hi All
In my ISE setup, I have two towers, tower A and tower B. Tower A has Admin01, MNT01 and PSN01; tower B has only PSN02. Tower A and tower B are connected using a WAN tunnel. One set of network devices uses PSN01 for user authentication, and a different, second set of network devices uses PSN02 for user authentication.
I could see the authentication logs from PSN01 in the Admin node, but I couldn't see the authentication logs from PSN02 in the Admin node. On further inspection I could see "Administrator > Logging > Remote logging Targets > TCPLogCollector" was disabled. When I enabled the TCP log collection pointing to MNT01, I started getting the logs from PSN02.
Can someone explain how this resolved my issue?
I can also see 3 log collectors: TCP syslog, secure syslog and log collector. What is the difference in how these work?
Regards
Nikhil
01-06-2018 02:27 AM
On 1, the primary M&T adds LogCollector, SecureSyslogCollector, and TCPLogCollector (disabled); the secondary M&T adds LogCollector2 and SecureSyslogCollector2.
On 2, the targets for M&T are added automatically as shown in (1).
On 3, this depends on which targets are active and configured in Logging Categories to receive the events. If an M&T server is completely unreachable to an ISE node in the deployment, then events from that ISE node will not be recorded by the unreachable M&T server. The TCP and Secure syslog collectors each have a buffer to help deliver event logs if the outage is short.
Back to your original issue of not seeing auth events from a secondary ISE node: this seems an issue that is best investigated with the help of Cisco TAC. You might want to try wire captures to ensure the secondary ISE node is sending the default UDP syslog packets and the primary M&T is receiving them.
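The two-sided wire-capture check suggested above, as an added example that is not part of the original reply: it reads the text output of `tcpdump -nn` taken on the PSN and on the M&T node and reports whether UDP 20514 datagrams leave one and reach the other. The addresses and capture lines are constructed, the function names are hypothetical, and it assumes no NAT between the two nodes.

```python
import re

SYSLOG_UDP_PORT = 20514  # UDP port named in the thread for the default collector

# Shape of a `tcpdump -nn` text line for a plain UDP datagram.
UDP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length \d+"
)

def count_syslog(capture_text, psn_ip, mnt_ip, port=SYSLOG_UDP_PORT):
    """Count UDP datagrams from the PSN to the M&T collector port."""
    hits = 0
    for line in capture_text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m and (m["src"], m["dst"], int(m["dport"])) == (psn_ip, mnt_ip, port):
            hits += 1
    return hits

def diagnose(psn_capture, mnt_capture, psn_ip, mnt_ip):
    """Compare both ends of the path and say where the events stop."""
    sent = count_syslog(psn_capture, psn_ip, mnt_ip)
    received = count_syslog(mnt_capture, psn_ip, mnt_ip)
    if sent == 0:
        verdict = "not-sent"          # PSN emits nothing: check target/categories
    elif received == 0:
        verdict = "dropped-on-path"   # leaves the PSN, never arrives: check filtering
    elif received < sent:
        verdict = "partial-loss"      # UDP has no retransmission
    else:
        verdict = "delivered"         # transport is fine: look at the M&T itself
    return sent, received, verdict

# Constructed sample captures (documentation addresses, not from the thread).
PSN02, MNT01 = "198.51.100.12", "192.0.2.21"
PSN_SIDE = """\
00:41:07.101122 IP 198.51.100.12.40122 > 192.0.2.21.20514: UDP, length 412
00:41:07.350871 IP 198.51.100.12.40122 > 192.0.2.21.20514: UDP, length 388
00:41:08.002310 IP 198.51.100.12.49152 > 192.0.2.21.443: Flags [S], seq 1, win 29200, length 0
00:41:09.774105 IP 198.51.100.12.40122 > 192.0.2.21.20514: UDP, length 401
"""
MNT_SIDE = """\
00:41:08.031877 IP 198.51.100.12.49152 > 192.0.2.21.443: Flags [S], seq 1, win 29200, length 0
"""

if __name__ == "__main__":
    print(diagnose(PSN_SIDE, MNT_SIDE, PSN02, MNT01))
```

A "dropped-on-path" result with other traffic still arriving matches the blocked-UDP case raised in the thread, where switching the target to TCP would restore delivery.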
01-03-2018 02:49 AM
LogCollector and TCPLogCollector do the same thing, apart from the former using UDP and the latter using TCP. Are you perhaps blocking UDP port 20514 between your PSN02 and MNT01?
01-03-2018 03:13 AM
A reference to get a better understanding of the logging collectors
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1053252
01-03-2018 07:59 PM
Thank you for the replies, I am looking for some more details