Solved: where can I find a log of failed logon attempt against ISE CLI?

tachyon05 · ‎10-04-2022

I would like to find out who or what is failing to logon to ISE CLI. It could be a security scanner but where can I find info like source IP date/time etc.?

davidgfriedman · ‎10-04-2022

ok. I can see now that it rotates often:
ise1-pan-m01/comms# show logg system | i audit.log
3919548 Oct 04 2022 14:34:49 audit/audit.log
8388870 Oct 04 2022 13:28:40 audit/audit.log.1
8388732 Oct 04 2022 11:02:26 audit/audit.log.2
8388809 Oct 04 2022 08:38:46 audit/audit.log.3
8388625 Oct 04 2022 06:13:08 audit/audit.log.4
ise1-pan-m01/comms#

How about going to a linux host, starting "script", ssh'ing into the host, then issuing:
show logg system | i audit.log
Then you could keep it open for a few hours or a day to record the screen output, hit control-c to get out of it whenever you want, exit ssh, exit "script" and then grep whatever you want from the resulting "typescript" log file?

Or option 2:
list the files with show logg system | i audit.log
then for each file swap the filename but only search for failures, ex:
show logg system audit/audit.log | i res=failed
show logg system audit/audit.log.1 | i res=failed
show logg system audit/audit.log.2 | i res=failed
show logg system audit/audit.log.3 | i res=failed
show logg system audit/audit.log.4 | i res=failed

View solution in original post

davidgfriedman · ‎10-04-2022

Try:
# show logg system audit/audit.log | inc USER_LOGIN
then look for the lines ending:
exe="/usr/sbin/sshd" hostname=? addr=1.2.3.4 terminal=sshd res=failed'

tachyon05 · ‎10-04-2022

Thanks. That does seem to show some CLI logon attempts, but it looks like the aging policy on log is so aggressive that only the log only contains data for the last 5 or 10 minutes.

davidgfriedman · ‎10-04-2022

ok. I can see now that it rotates often:
ise1-pan-m01/comms# show logg system | i audit.log
3919548 Oct 04 2022 14:34:49 audit/audit.log
8388870 Oct 04 2022 13:28:40 audit/audit.log.1
8388732 Oct 04 2022 11:02:26 audit/audit.log.2
8388809 Oct 04 2022 08:38:46 audit/audit.log.3
8388625 Oct 04 2022 06:13:08 audit/audit.log.4
ise1-pan-m01/comms#

How about going to a linux host, starting "script", ssh'ing into the host, then issuing:
show logg system | i audit.log
Then you could keep it open for a few hours or a day to record the screen output, hit control-c to get out of it whenever you want, exit ssh, exit "script" and then grep whatever you want from the resulting "typescript" log file?

Or option 2:
list the files with show logg system | i audit.log
then for each file swap the filename but only search for failures, ex:
show logg system audit/audit.log | i res=failed
show logg system audit/audit.log.1 | i res=failed
show logg system audit/audit.log.2 | i res=failed
show logg system audit/audit.log.3 | i res=failed
show logg system audit/audit.log.4 | i res=failed

tachyon05 · ‎10-04-2022

Good to know. Thanks. I have 5 files also, and they span about 90 minutes.

hslai · ‎10-06-2022

ISE also has it in the Administrator Logins report under ISE admin web > menu > Operations > Reports > Reports > Audit.

tachyon05 · ‎10-07-2022

Hslai, thanks for sharing but it looks like the GUI report only shows successful logons. As a test, I intentionally attempted to logon to CLI using a wrong password, the GUI report doesn't show those attempts.