Cisco ISE Logging Mechanism

Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. It also produces logging output from the monitoring and troubleshooting primary node in a consistent fashion.

You can configure a Cisco ISE node to collect the logs in the local systems using a virtual loopback address. To collect logs externally, you configure external syslog servers, which are called targets. Logs are classified into various predefined categories. You can customize logging output by editing the categories with respect to their targets, severity level, and so on.

As a best practice, do not configure network devices to send syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) node as this could result in the loss of some Network Access Device (NAD) syslogs, and overloads the MnT servers resulting in loading issues. If NAD Syslogs are configured to be sent directly to MnT, session management functionality would break. NAD syslogs can be directed to external syslog servers for troubleshooting but should not be directed to MnT.


Note


If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:

<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>

Otherwise, this might impact functionalities that depend on the NAS IP address.


Configure Syslog Purge Settings

Use this process to set local log-storage periods and to delete local logs after a certain period of time.

Procedure


Step 1

Choose Administration > System > Logging > Local Log Settings.

Step 2

In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.

Logs may be deleted earlier than the configured Local Log Storage Period if the size of the localStore folder reaches 97 GB.

Step 3

Click Delete Logs Now to delete the existing log files at any time before the expiration of the storage period.

Step 4

Click Save.


Cisco ISE System Logs

In Cisco ISE, system logs are collected at locations called logging targets. Targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can use the FTP facility to transfer them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:

  • LogCollector—Default syslog target for the Log Collector.

  • ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.

By default, AAA Diagnostics subcategories and System Diagnostics subcategories logging targets are disabled during a fresh Cisco ISE installation or an upgrade to reduce the disk space. You can configure logging targets manually for these subcategories but local logging for these subcategories are always enabled.

You can use the default logging targets that are configured locally at the end of the Cisco ISE installation or you can create external targets to store the logs.


Note


If a syslog server is configured in a distributed deployment, syslog messages are sent directly from the authenticating PSNs to the syslog server and not from the MnT node.


Configure Remote Syslog Collection Locations

You can use the web interface to create remote syslog server targets to which system log messages are sent. Log messages are sent to the remote syslog server targets in accordance with the syslog protocol standard (see RFC-3164). The syslog protocol is an unsecure UDP.

A message is generated when an event occurs. An event may be one that displays a status, such as a message displayed when exiting a program, or an alarm. There are different types of event messages generated from multiple facilities such as the kernel, mail, user level, and so on. An event message is associated with a severity level, which allows an administrator to filter the messages and prioritize it. Numerical codes are assigned to the facility and the severity level. A syslog server is an event message collector and collects event messages from these facilities. The administrator can select the event message collector to which messages will be forwarded based on their severity level.

The UDP syslog (log collector) is the default remote logging target. When you disable this logging target, it no longer functions as a log collector and is removed from the Logging Categories window. When you enable this logging target, it becomes a log collector in the Logging Categories window.


Note


Any changes to the default remote logging target SecureSyslogCollector results in the restart of the Cisco ISE Monitoring & Troubleshooting Log Processor service.


Procedure


Step 1

Choose Administration > System > Logging > Remote Logging Targets.

Step 2

Click Add.

Step 3

Enter the required details.

Step 4

Click Save.

Step 5

Go to the Remote Logging Targets page and verify the creation of the new target.

The logging targets can then be mapped to each of the logging categories below. The PSN nodes send the relevant logs to the remote logging targets depending on the services that are enabled on those nodes.

  • AAA Audit

  • AAA Diagnostics

  • Accounting

  • External MDM

  • Passive ID

  • Posture and Client Provisioning Audit

  • Posture and Client Provisioning Diagnostics

  • Profiler

Logs of the following categories are sent by all nodes in the deployment to the logging targets:

  • Administrative and Operational Audit

  • System Diagnostics

  • System Statistics


Cisco ISE Message Codes

A logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain.

Logging categories promote logging configuration. Each category has a name, target, and severity level that you can set, as per your application requirement.

Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.

For the logging category Passed Authentications, the option to allow local logging is disabled by default. Enabling local logging for this category will result in high utilization of operational space, and fill prrt-server.log along with the iseLocalStore.log.

If you choose to enable local logging for Passed Authentications, go to Administration > System > Logging > Logging Categories, click Passed Authentications from the category section, and check the check box against Local Logging.

Set Severity Levels for Message Codes

You can set the log severity level and choose logging targets where the logs of selected categories will be stored.

Procedure


Step 1

Choose Administration > System > Logging > Logging Categories.

Step 2

Click the radio button next to the category that you want to edit, and click Edit.

Step 3

Modify the required field values.

Step 4

Click Save.

Step 5

Go to the Logging Categories page and verify the configuration changes that were made to the specific category.


Cisco ISE Message Catalogs

You can use the Message Catalog page to view all possible log messages and the descriptions. Choose Administration > System > Logging > Message Catalog. .

The Log Message Catalog page appears, from which you can view all possible log messages that can appear in your log files. Choose Export to export all the syslog messages in the form of a CSV file.

See Cisco ISE Syslogs for a comprehensive list of the syslog messages sent by Cisco ISE, what they mean, and how they are recorded in local and remote targets.

Debug Logs

Debug logs capture bootstrap, application configuration, runtime, deployment, monitoring, reporting, and public key infrastructure (PKI) information. Critical and warning alarms for the past 30 days and info alarms for the past 7 days are included in the debug logs.

You can configure the debug log severity level for individual components.

You can use the Reset to Default option for a node or component to reset the log level back to factory-shipped default values.

You can store the debug logs in the local server.


Note


Debug log configuration is not saved when a system is restored from a backup or upgraded.


View Logging Components for a Node

Procedure


Step 1

Choose Administration > System > Logging > Debug Log Configuration.

Step 2

Select the node for which you want to view the logging components, and then click Edit.

The Debug Level Configuration page appears. You can view the following details:

  • List of logging components based on the services that are running on the selected node

  • Description for each component

  • Current log level that is set for the individual components


Configure Debug Log Severity Level

You can configure the severity levels for the debug logs.

Procedure


Step 1

Choose Administration > System > Logging > Debug Log Configuration.

Step 2

Select the node, and then click Edit.

The Debug Log Configuration page displays a list of components based on the services that are running in the selected node and the current log level that is set for the individual components.

You can use the Reset to Default option for a node or component to reset the log level back to factory-shipped default values.

Step 3

Select the component for which you want to configure the log severity level, and then click Edit. Choose the desired log severity level from the Log Level drop-down list, and click Save.

Note

 

Changing the log severity level of the runtime-AAA component changes the log level of its subcomponent prrt-JNI as well. A change in subcomponent log level does not affect its parent component.


Endpoint Debug Log Collector

To troubleshoot issues with a specific endpoint, you can download debug logs for that particular endpoint based on its IP address or MAC address. The logs from the various nodes in your deployment specific to that particular endpoint get collected in a single file thus helping you troubleshoot your issue quickly and efficiently. You can run this troubleshooting tool only for one endpoint at a time. The log files are listed in the GUI. You can download the logs for an endpoint from a single node or from all the nodes in your deployment.

Download Debug Logs for a Specific Endpoint

To troubleshoot issues related to a specific endpoint in your network, you can use the Debug Endpoint tool from the Admin portal. Alternatively, you can run this tool from the Authentications page. Right-click the Endpoint ID from the Authentications page and click Endpoint Debug. This tool provides all debug information for all services related to the specific endpoint in a single file.

Before you begin

You need the IP address or MAC address of the endpoint whose debug logs you want to collect.

Procedure


Step 1

Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Endpoint Debug.

Step 2

Click the MAC Address or IP radio button and enter the MAC or IP address of the endpoint.

Step 3

Check the Automatic disable after n Minutes check box if you want to stop log collection after a specified amount of time. If you check this check box, you must enter a time between 1 and 60 minutes.

The following message appears: "Endpoint Debug degrades the deployment performance. Would you like to continue?"

Step 4

Click Continue to collect the logs.

Step 5

Click Stop when you want to manually stop the log collection.


Collection Filters

You can configure the Collection Filters to suppress the syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Services Node levels based on different attribute types. You can define multiple filters with specific attribute type and a corresponding value.

Before sending the syslog messages to monitoring node or external server, Cisco ISE compares these values with fields in syslog messages to be sent. If any match is found, then the corresponding message is not sent.


Note


If you configure a collection filter (Administration > System > Logging > Collection Filter) for any Attribute and Filter Type; and you have also selected the Disable account after n days of inactivity check box (Administration > Identity Management > User Authentication Settings > Disable Account Policy), your account might be disabled as a result of the syslog messages of successful authentication not being relayed to the monitoring node.


Configure Collection Filters

You can configure multiple collection filters based on various attribute types. It is recommended to limit the number of filters to 20. You can add, edit, or delete a collection filter.

Procedure


Step 1

Choose Administration > System > Logging > Collection Filters.

Step 2

Click Add.

Step 3

Choose the Filter Type from the following list:

  • User Name

  • MAC Address

  • Policy Set Name

  • NAS IP Address

  • Device IP Address

Step 4

Enter the corresponding Value for the filter type you have selected.

Step 5

Choose the Result from the drop-down list. The result can be All, Passed, or Failed.

Step 6

Click Submit.


Event Suppression Bypass Filter

Cisco ISE allows you to set filters to suppress some syslog messages from being sent to the Monitoring node and other external servers using the Collection Filters. At times, you need access to these suppressed log messages. Cisco ISE now provides you an option to bypass the event suppression based on a particular attribute such as username for a configurable amount of time. The default is 50 minutes, but you can configure the duration from 5 minutes to 480 minutes (8 hours). After you configure the event suppression bypass, it takes effect immediately. If the duration that you have set elapses, then the bypass suppression filter expires.

You can configure a suppression bypass filter from the Collection Filters page in the Cisco ISE user interface. Using this feature, you can now view all the logs for a particular identity (user) and troubleshoot issues for that identity in real time.

You can enable or disable a filter. If the duration that you have configured in a bypass event filter elapses, the filter is disabled automatically until you enable it again. Cisco ISE captures these configuration changes in the Change Configuration Audit Report. This report provides information on who configured an event suppression or a bypass suppression and the duration of time for which the event was suppressed or the suppression bypassed.