where can I find a log of failed logon attempt against ISE CLI?

tachyon05
Level 1

I would like to find out who or what is failing to logon to the ISE CLI. It could be a security scanner, but where can I find info like source IP, date/time, etc.?


davidgfriedman
Level 1

Try:
# show logg system audit/audit.log | inc USER_LOGIN
then look for the lines ending:
exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4  terminal=sshd res=failed'

Thanks. That does seem to show some CLI logon attempts, but it looks like the aging policy on the log is so aggressive that the log only contains data for the last 5 or 10 minutes.

davidgfriedman
Level 1 (accepted solution)

OK. I can see now that it rotates often:
ise1-pan-m01/comms# show logg system | i audit.log
3919548 Oct 04 2022 14:34:49 audit/audit.log
8388870 Oct 04 2022 13:28:40 audit/audit.log.1
8388732 Oct 04 2022 11:02:26 audit/audit.log.2
8388809 Oct 04 2022 08:38:46 audit/audit.log.3
8388625 Oct 04 2022 06:13:08 audit/audit.log.4
ise1-pan-m01/comms#


How about going to a linux host, starting "script", ssh'ing into the host, then issuing:
show logg system | i audit.log
Then you could keep it open for a few hours or a day to record the screen output, hit Control-C to get out of it whenever you want, exit ssh, exit "script", and then grep whatever you want from the resulting "typescript" log file?

Or option 2:
list the files with show logg system | i audit.log
then, for each file, swap in the filename and search only for failures, e.g.:
show logg system audit/audit.log | i res=failed
show logg system audit/audit.log.1 | i res=failed
show logg system audit/audit.log.2 | i res=failed
show logg system audit/audit.log.3 | i res=failed
show logg system audit/audit.log.4 | i res=failed
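
As an added example (not code from this thread or from Cisco): a small Python parser for the USER_LOGIN records, meant for the text you save with "script" or with show logg system audit/audit.log | inc USER_LOGIN, which lists each failed CLI login with its time and source address and counts failures per source. The sample records are constructed; their field tail follows the line quoted earlier in the thread, while the type=... msg=audit(epoch:serial): prefix is the standard auditd record header and is assumed to be what ISE's audit.log contains.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not real ISE output). The field tail of each line
# follows the format quoted in the thread; the "type=... msg=audit(epoch:serial):"
# prefix is the standard auditd record header and is assumed for ISE's audit.log.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1664893689.101:4101): pid=4411 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1664893691.204:4102): pid=4412 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1664893700.877:4105): pid=4420 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=sshd res=success'
type=USER_AUTH msg=audit(1664893702.010:4106): pid=4421 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1664893705.333:4109): pid=4425 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="scanner" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.77 terminal=sshd res=failed'
"""

HDR_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the fields of one auditd record as a dict, or None for non-audit text
    (CLI prompts, 'script' banners, blank lines)."""
    m = HDR_RE.match(line)
    if not m:
        return None
    fields = {"type": m.group(1),
              "time": datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)}
    for key, val in KV_RE.findall(line[m.end():]):
        # Strip the double quotes around values and the quote closing msg='...'
        fields[key] = val.strip('"').rstrip("'")
    return fields


def failed_cli_logins(text):
    """Yield (time, addr, acct) for each failed ssh login to the ISE CLI, i.e. the
    USER_LOGIN records ending in res=failed that the thread greps for."""
    for line in text.splitlines():
        f = parse_audit_line(line)
        if (f and f["type"] == "USER_LOGIN" and f.get("terminal") == "sshd"
                and f.get("res") == "failed"):
            yield f["time"], f.get("addr", "?"), f.get("acct", "?")


def failures_by_source(text):
    """Count failed CLI logins per source address: the 'who or what' being asked about."""
    return Counter(addr for _, addr, _ in failed_cli_logins(text))


if __name__ == "__main__":
    for when, addr, acct in failed_cli_logins(SAMPLE_AUDIT_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  addr={addr:<12} acct={acct}")
    print(failures_by_source(SAMPLE_AUDIT_LOG))
```

Because the files rotate roughly every 90 minutes, feed it the concatenated output of all five audit.log files (or the typescript file from "script") rather than a single grep, or the earlier failures will already be gone.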

Good to know. Thanks. I have 5 files also, and they span about 90 minutes.

hslai
Cisco Employee

ISE also has it in the Administrator Logins report under ISE admin web > menu > Operations > Reports > Reports > Audit.

Hslai, thanks for sharing, but it looks like the GUI report only shows successful logons. As a test, I intentionally attempted to logon to the CLI using a wrong password, and the GUI report doesn't show those attempts.