
Help Needed: Create Real-Time Change Monitoring Dashboard in Cisco ISE

lijosamuel
Level 1

I’m looking to create a dashboard within Cisco ISE or Cisco DNA Center that provides a real-time view of recent configuration activities. The goal is to capture and display changes made within the last 5 minutes.

Requirements:

Who performed the change (user identity)

Which device was changed (e.g., switch, router)

What changes were made (summary of configuration or command)

Timestamp of when the change occurred


Purpose:

To use the dashboard as an audit tool for tracking near real-time administrative or configuration changes across the network.

Request:
I’d appreciate any guidance, best practices, or examples on implementing this in Cisco ISE or DNAC. Information on APIs, logs, or custom dashboard capabilities would be especially helpful.

5 Replies

Torbjørn
VIP

If you need minute-by-minute resolution for this you will have to pull this from TACACS live logs & authorization/accounting. You can view this directly under Operations > Tacacs > Live logs, or you can pull the data from the MNT API:
https://community.cisco.com/t5/security-knowledge-base/ise-monitoring-api-examples/ta-p/4800437#U4800437
https://developer.cisco.com/docs/identity-services-engine/3.0/introduction-to-monitoring-rest-apis/

EDIT: If you are sending logs to an external log system you can also probably use that system to make a dashboard for this.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Can use Operations > System 360 > Settings in the Cisco ISE interface. By using Elastic relies on Log Analytics for data processing and visualization... Can you help with this log analytics with Elastic?

lijosamuel
Level 1

I’m working on implementing a real-time configuration change tracking dashboard using Cisco ISE (Operations > System 360 > Settings) or Cisco DNA Center. The goal is to visualize configuration changes made within the last 5 minutes for audit purposes.

Key Requirements:

User Identity: Who performed the change

Device Details: Which network device was modified (e.g., switch, router)

Change Summary: What configuration/command was applied

Timestamp: When the change occurred

We are exploring integration with Elastic (ELK stack), which relies on Log Analytics for data processing and visualization. Since Elastic offers options for tables and visual content creation, we would like to understand:

What metrics, logs, or APIs are available from Cisco ISE or DNAC to support this use case?

Are there any best practices or reference examples for integrating Elastic with Cisco ISE/DNAC for real-time monitoring?

Can the native logging and telemetry features in ISE or DNAC be forwarded or transformed to work effectively with Elastic?

Any suggestions, architectural insights, or documentation.

As far as I know, there is no webhook for ISE, and using the API here might be too intense for the amount of data you want to pull at that frequency. So you can use a push method from ISE: you can use syslog to push all these actions from ISE as data to Logstash, as you mentioned you are using ELK here, or you could push directly to Elasticsearch. For Cat Centre/DNAC you can use the API or webhook approach. There isn't a config change API, so you would need to use several APIs to get the necessary information needed here, so I would lean more into webhooks, which would provide good real-time (or close to) notifications, pushing the event to your receiver as soon as it happens and eliminating the need for constant polling with APIs. You could still use the API for historical information though.

I would probably take a hybrid approach here.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

I would use syslog as @bigevilbeard mentioned. I don't remember enough of how ELK configuration works to advise how you should do it, but the procedure for syslog configuration on ISE can be found here: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222223-configure-external-syslog-server-on-ise.html

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
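
An added example (not from any poster in this thread or from Cisco) of the parsing step behind the syslog approach suggested above: it extracts who, which device, what command and when from TACACS+ command-accounting lines and keeps only the last five minutes. The sample lines are constructed, and the header layout and attribute names (User, NetworkDeviceName, Device IP Address, CmdSet) are assumptions to check against your own ISE output.

```python
import re
from datetime import datetime, timedelta, timezone

TS = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d")
CMD = re.compile(r"Cmd(?:Arg)?AV=(\S+)")
# Constructed sample lines; the last is a session record with no CmdSet. Header
# layout and attribute names (User, NetworkDeviceName, Device IP Address, CmdSet)
# are assumptions modelled on ISE TACACS+ accounting syslog; verify on your logs.
HDR = ("<182>Jun 10 12:00:00 ise01 CISE_TACACS_Accounting 0000000101 1 0 {} "
       "0000004411 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ")
SAMPLE = [
    HDR.format("2025-06-10 12:03:10.120 +00:00") + "Device IP Address=10.1.1.5, "
    "NetworkDeviceName=core-sw1, User=alice, "
    "CmdSet=[ CmdAV=configure CmdArgAV=terminal CmdArgAV=<cr> ]",
    HDR.format("2025-06-10 11:40:00.000 +00:00") + "Device IP Address=10.1.1.7, "
    "NetworkDeviceName=edge-rtr2, User=bob, "
    "CmdSet=[ CmdAV=no CmdArgAV=ip CmdArgAV=http CmdArgAV=server CmdArgAV=<cr> ]",
    HDR.format("2025-06-10 14:04:30.000 +02:00") + "Device IP Address=10.1.1.9, "
    "User=carol, CmdSet=[ CmdAV=interface CmdArgAV=GigabitEthernet1/0/1 CmdArgAV=<cr> ]",
    HDR.format("2025-06-10 12:04:00.500 +00:00") + "Device IP Address=10.1.1.5, "
    "NetworkDeviceName=core-sw1, User=alice",
]

def parse_event(line):
    """Return who/device/what/when for one command-accounting line, else None."""
    if "CISE_TACACS_Accounting" not in line or not (ts := TS.search(line)):
        return None
    parts = (p.partition("=") for p in line.split(", ")[1:])  # part 0 is the header
    fields = {k.strip(): v.strip() for k, sep, v in parts if sep}
    words = [w for w in CMD.findall(fields.get("CmdSet", "")) if w != "<cr>"]
    if not words:
        return None  # accounting start/stop record without a command
    return {
        "when": datetime.strptime(ts.group(0), "%Y-%m-%d %H:%M:%S.%f %z"),
        "who": fields.get("User", "unknown"),
        "device": fields.get("NetworkDeviceName", fields.get("Device IP Address", "unknown")),
        "what": " ".join(words),
    }

def recent_changes(lines, now, window=timedelta(minutes=5)):
    """Command events stamped within [now - window, now], oldest first."""
    events = [e for e in map(parse_event, lines) if e]
    return sorted((e for e in events if now - window <= e["when"] <= now),
                  key=lambda e: e["when"])

if __name__ == "__main__":
    now = datetime(2025, 6, 10, 12, 5, tzinfo=timezone.utc)  # fixed for the sample
    for e in recent_changes(SAMPLE, now):
        print(e["when"].isoformat(), e["who"], e["device"], e["what"])
```

The window is applied to the timestamp ISE wrote into the message, converted from its own UTC offset, so delayed syslog delivery does not shift events in or out of the five-minute view. Usernames and command arguments are typed by the person being audited, so escape them before rendering them in any dashboard.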