Cisco ISE Logging Mechanism
Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. It also produces logging output from the monitoring and troubleshooting primary node in a consistent fashion.
You can configure a Cisco ISE node to collect the logs in the local systems using a virtual loopback address. To collect logs externally, you configure external syslog servers, which are called targets. Logs are classified into various predefined categories. You can customize logging output by editing the categories with respect to their targets, severity level, and so on.
As a best practice, do not configure network devices to send syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) node as this could result in the loss of some Network Access Device (NAD) syslogs, and overloads the MnT servers resulting in loading issues.
In Cisco ISE Release 2.6 Patch 2 and above, the Process Down alarm is no longer triggered when ISE Messaging Service fails on a node. When ISE Messaging Service fails on a node, all the syslogs and the Process Down alarm will be lost until the messaging service is brought back up on that node.
In this case, an administrator must look for the Queue Link Error alarm that will be listed in the Alarms dashlet on the Cisco ISE Home window. Click on the alarm, and a new window will open with a Suggested Actions section. Follow these instructions to resolve the issue.
If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:
<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>
Otherwise, this might impact functionalities that depend on the NAS IP address.
Configure Syslog Purge Settings
Use this process to set local log-storage periods and to delete local logs after a certain period of time.
In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.
Logs may be deleted earlier than the configured Local Log Storage Period if the size of the localStore folder reaches 97 GB.
Click Delete Logs Now to delete the existing log files at any time before the expiration of the storage period.