ISE Guest Activity Report

descalante2007
Level 1

According to the user guide, ISE should be able to report what URLs a guest had visited. For this functionality to work "you must enable guest access syslogging configuration on the NAD that inspects guest traffic in your Cisco ISE network".

How can I do that if my guest users only have access through wireless? I mean, what should I configure in the WLC?

Thanks in advance

1 Accepted Solution

Tarik Admani
VIP Alumni

You may need to look at your firewall config, and use a policy map to perform URL filtering. Here is a NAC Guest Server solution that will help.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

Thanks,

Tarik Admani
*Please rate helpful posts*

5 Replies

We will start testing with these reports for the next few days, but I received a couple of questions from the customer:

Is it possible to set the firewall to send syslog messages to another repository and then set the ISE to retrieve data from it in order to process and generate this report?

I saw in the ISE the logging categories, and guest as one of them... Is it here where I should set what is requested?

Where in the ISE file structure are the syslog messages recorded? Is it possible to make a backup of this data and process it in the ISE later? ... Imagine a user is caught accessing a forbidden URL, and the manager would like to know if this action had happened before. How long will the ISE keep old data and, if that is the case, what should be backed up to keep old data for further analysis?

Regards.

In Cisco ISE, system logs are collected at locations called logging targets. Targets refer to the IP addresses of the servers that collect and store logs.

ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:

LogCollector—Default syslog target for the Log Collector.
ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.

You can generate and store logs locally, or you can use the FTP facility to transfer them to an external server.

Please check the following link,

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_logging.html#wp1076091

 

manjeets
Level 3

Please find the attachment.

Thank you for the document. I find it very usable, although unfortunately it didn't answer my questions:

Is it possible to send syslog messages to another syslog server instead of ISE, and then configure the ISE to get the data from that third device? I think it is not, but could I be missing a trick or an alternative solution?

Where in the ISE server are the syslog messages recorded, and how can I know how much disk space is being used in order to do backups before the disk begins to be exhausted?

Regards.