Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3279
Views
5
Helpful
4
Replies

TCP syslog, secure syslog & log collector

Go to solution
nikhilcherian
Level 5
Level 5

‎01-03-2018 12:47 AM

Hi All

     In my ISE setup, I have two towers, tower A & tower B. Tower A has Admin01,MNT01, PSN01, tower B has only PSN02. TowerA & tower B are connected using WAN tunnel.One set of network-devices uses PSN01 for user authentication, and different second of network-devices uses PSN02 for user authentication.

     I could see the authentication logs from PSN01 in the Admin node, but I couldn't see the authentication logs from PSN02 in the Admin node. On further inspection I could see "Administrator>Logging> Remote logging Targets>TCPLogCollector" was disabled. When I enabled the TCPlog collection pointing to MNT01, I started getting the logs from PSN02.

Can someone explain how this resolved my issue

I can also see 3 log collector, TCP syslog, secure syslog & log collector. What is the difference in the working of these

Regards

Nikhil

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to nikhilcherian

‎01-06-2018 02:27 AM

On 1, the primary M&T adds LogCollector, SecureSyslogCollector, and TCPLogCollector (disabled); the secondary M&T adds LogCollector2 and SecureSyslogCollector2.

On 2, the targets for M&T are added automatically as shown in (1).

On 3, this depends on which targets are active and configured in Logging Categories to receive the events. If a M&T server completely unreachable to an ISE node in the deployment, then events from that ISE node will not be recorded by the unreachable M&T server. TCP and Secure syslog collectors each has a buffer to help delivery event logs if the outage is short.

Back to your original issue in not seeing auth events from a secondary ISE node, this seems an issue that best to be investigated with the help of Cisco TAC. You might want to try wire captures to ensure the secondary ISE node is sending the default UDP syslog packets and the primary M&T is receiving it.

View solution in original post

4 Replies 4

Go to solution
M. Wisely
Level 4
Level 4

‎01-03-2018 02:49 AM

LogCollector and TCPLogcollector do the same think apart from the former using UDP and the latter using TCP. Are you perhaps blocking UDP port 20514 between your PSN02 and MNT01?

0 Helpful

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎01-03-2018 03:13 AM

A reference to get a better understanding of the logging collectors

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1053252

0 Helpful

Go to solution
nikhilcherian
Level 5
Level 5
In response to ldanny

‎01-03-2018 07:59 PM

Thank you for the replies, I am looking for some more details

  1. Does the remote log servers get added when I add MNT box
  2. In case I add the same MNT box as TCP, secure  & log collector , will 3 logs be shown for an instance
  3. In case any of the port for TCP, secure  & log collector on the remote MNT server are not reachable, will that stop logs
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to nikhilcherian

‎01-06-2018 02:27 AM

On 1, the primary M&T adds LogCollector, SecureSyslogCollector, and TCPLogCollector (disabled); the secondary M&T adds LogCollector2 and SecureSyslogCollector2.

On 2, the targets for M&T are added automatically as shown in (1).

On 3, this depends on which targets are active and configured in Logging Categories to receive the events. If a M&T server completely unreachable to an ISE node in the deployment, then events from that ISE node will not be recorded by the unreachable M&T server. TCP and Secure syslog collectors each has a buffer to help delivery event logs if the outage is short.

Back to your original issue in not seeing auth events from a secondary ISE node, this seems an issue that best to be investigated with the help of Cisco TAC. You might want to try wire captures to ensure the secondary ISE node is sending the default UDP syslog packets and the primary M&T is receiving it.

Customers Also Viewed These Support Documents