10-04-2022 09:06 AM
I would like to find out who or what is failing to log on to the ISE CLI. It could be a security scanner, but where can I find info like source IP, date/time, etc.?
10-04-2022 09:39 AM
Try:
# show logg system audit/audit.log | inc USER_LOGIN
then look for the lines ending:
exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=sshd res=failed'
10-04-2022 10:28 AM
Thanks. That does seem to show some CLI logon attempts, but it looks like the aging policy on the log is so aggressive that the log only contains data for the last 5 or 10 minutes.
10-04-2022 11:40 AM
ok. I can see now that it rotates often:
ise1-pan-m01/comms# show logg system | i audit.log
3919548 Oct 04 2022 14:34:49 audit/audit.log
8388870 Oct 04 2022 13:28:40 audit/audit.log.1
8388732 Oct 04 2022 11:02:26 audit/audit.log.2
8388809 Oct 04 2022 08:38:46 audit/audit.log.3
8388625 Oct 04 2022 06:13:08 audit/audit.log.4
ise1-pan-m01/comms#
How about going to a linux host, starting "script", ssh'ing into the host, then issuing:
show logg system | i audit.log
Then you could keep it open for a few hours or a day to record the screen output, hit control-c to get out of it whenever you want, exit ssh, exit "script" and then grep whatever you want from the resulting "typescript" log file?
Or option 2:
list the files with show logg system | i audit.log
then for each file swap the filename but only search for failures, ex:
show logg system audit/audit.log | i res=failed
show logg system audit/audit.log.1 | i res=failed
show logg system audit/audit.log.2 | i res=failed
show logg system audit/audit.log.3 | i res=failed
show logg system audit/audit.log.4 | i res=failed
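As an added example (not code from this thread, ISE or Cisco), here is what option 2 amounts to once the captured `show logging system audit/audit.log... | include USER_LOGIN` output is on a Linux host: parse the auditd key=value records, keep the `exe="/usr/sbin/sshd" ... res=failed` ones, and group them by source address with first/last seen times, which is the who/what/when the question asks for. The sample lines are constructed (RFC 5737 documentation addresses, made-up PIDs and serials) and assume ISE's audit.log uses the standard Linux auditd USER_LOGIN format shown in the earlier reply.

```python
"""Added example: group failed ISE CLI (sshd) logons in audit.log USER_LOGIN records
by source address. Assumes standard Linux auditd key=value formatting."""
import re
from collections import defaultdict
from datetime import datetime, timezone
_AUDIT_TS = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")   # epoch seconds of the record
_KV = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")          # key=value, bare or "quoted"
_HEX = re.compile(r"^(?:[0-9A-F]{2})+$")                  # auditd hex-encodes odd acct values
# Constructed sample records (not from a real ISE node); addresses are RFC 5737 ranges.
SAMPLE_AUDIT_LINES = [
    'type=USER_LOGIN msg=audit(1664890440.123:9001): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg=\'op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=sshd res=failed\'',
    'type=USER_LOGIN msg=audit(1664890441.456:9002): pid=2003 uid=0 auid=4294967295 ses=4294967295 msg=\'op=login acct=6261636B7570206F70 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=sshd res=failed\'',
    'type=USER_LOGIN msg=audit(1664890500.789:9003): pid=2010 uid=0 auid=500 ses=12 msg=\'op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success\'',
    'type=USER_LOGIN msg=audit(1664890620.001:9005): pid=2020 uid=0 auid=4294967295 ses=4294967295 msg=\'op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=sshd res=failed\'',
]

def parse_record(line):
    """Fields of one auditd record plus a UTC 'ts'; None if the line is not a record."""
    m = _AUDIT_TS.search(line)
    if not m:
        return None
    rec = {"ts": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)}
    for key, val in _KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key == "acct" and _HEX.match(val):  # e.g. a username that contains a space
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec.setdefault(key, val)                  # first msg= (the audit(...) one) wins
    return rec

def failed_ssh_logins(lines):
    """The records the thread greps for: USER_LOGIN via sshd with res=failed."""
    for rec in filter(None, map(parse_record, lines)):
        if (rec.get("type"), rec.get("exe"), rec.get("res")) == ("USER_LOGIN", "/usr/sbin/sshd", "failed"):
            yield rec

def failures_by_source(lines):
    """addr -> {count, accounts tried, first/last seen}: the who, what and when asked for."""
    out = defaultdict(lambda: {"count": 0, "accounts": set(), "first": None, "last": None})
    for rec in failed_ssh_logins(lines):
        s = out[rec.get("addr", "?")]
        s["count"] += 1
        s["accounts"].add(rec.get("acct", "?"))
        s["first"] = min(t for t in (s["first"], rec["ts"]) if t)
        s["last"] = max(t for t in (s["last"], rec["ts"]) if t)
    return dict(out)

if __name__ == "__main__":
    for addr, s in failures_by_source(SAMPLE_AUDIT_LINES).items():
        print(addr, s["count"], "failed", s["first"].isoformat(), "..", s["last"].isoformat(), sorted(s["accounts"]))
```

Feed it the concatenated output of the five `audit/audit.log*` files (or the `typescript` capture from option 1) instead of the sample list; a steady stream of failures from one address against several account names is the scanner pattern the question is trying to spot.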
10-04-2022 12:57 PM
Good to know. Thanks. I have 5 files also, and they span about 90 minutes.
10-06-2022 05:01 PM
ISE also has it in the Administrator Logins report under ISE admin web > menu > Operations > Reports > Reports > Audit.
10-07-2022 08:05 AM
Hslai, thanks for sharing, but it looks like the GUI report only shows successful logons. As a test, I intentionally attempted to log on to the CLI using a wrong password; the GUI report doesn't show those attempts.