Cisco ISE: Syslog

Rsbell
Level 1

Is there a way to generate a test message within the ISE platform to see if my syslog is set up correctly to my external device? I created a remote logging target pointing to the IP address of my SIEM device where I want specific syslogs sent; basically I have every logging category targeted. Everything is still in testing mode with not much implemented: 5 different switch models all linked together with only one IP phone and camera attached. I don't know if it generates a log if, say, I try logging in with the wrong password or if a device is plugged into the network and not recognized, etc.

Accepted Solutions

Hi,
When you configured the syslog server, did you go to Logging Categories and specify a target (the target would be the syslog server you defined) for each of the categories you wish to receive notifications for?

Under categories you do have AAA Audit > Failed attempts, passed attempts, etc. (along with many more options), so once you define the target you should start receiving the syslog messages.

HTH

Yes, that is what I did; I don't think I missed anything. Logging > Remote Logging Targets:

IP address to host is correct, status enabled, using port 6514, facility code local 6, default self-signed server cert (Does this need to be applied anywhere else? I checked off Ignore Server Certificate Validation for testing).

Logging Categories > Enabled my target for each category.

What version of ISE?
Did you set the maximum length as 8192?
Which certificate are you referring to?
Can you take a packet capture on ISE and confirm syslog is or is not being sent to the syslog server?

ISE Version: 2.4.0.357

Max length was at 1024 and I just changed it to 8192

Attached is the cert I am using.

Also, I wasn't sure if it has anything to do with the product not being fully licensed yet and in a test environment until purchasing, or if that would not even matter.

Yes, one of my other team members is looking at this as well and is going to take a pcap.

A TCP dump was performed and the specific IP assigned for the syslog server I set up was not listed anywhere.

Follow up from this: implemented one of our live production network switches into this and began receiving syslog info. Thanks for your help.