Cisco ISE monitoring Logs

Similar Messages

• Cisco ISE Monitoring node backup size

  Hello All,
  We have a HA pair of ISE servers that have scheduled backups configured for the Admin persona (currently full weekly backup) and monitoring which is full weekly but with the addtional incremental daily backups. I've not seen any issue with the full weekly backup of the admin node however the monitor one provides unusual results in terms of file size between weekly and incremental backups.
  Given the fact that we are currently piloting this with very little radius activity i'm curious as to how the daily backups can be bigger in filesize than the weekly?
  The ISE is a ISE-3315-K9 running 1.1.3.124 and below are some examples
  -rw-r--r-- 1 tsmbackup tsmbackup 502960384 Apr 21 07:08 mntincr_1_<removed>.tar.gpg (Incremental backup)
  -rw-r--r-- 1 tsmbackup tsmbackup 459348307 Apr 21 01:04 mntdbfull_<removed>.tar.gpg (Full backup)
  Thanks in advance for any suggestions.
  M

  Hi,
  This could possibly due to ‘Data Purging’. When a purge operation triggers, if the actual used database disk space is greater than the configured threshold, the purge operation removes all data from the Monitoring database tables prior to the data retention window.
  Following link might help in your case,
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1074687

• Guest Activity on Cisco ISE

  Is it possible to monitor the web pages visited for a guest using cisco ISE?                  

  Hi Gino,
  Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
  This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
  To use this report you must first:
  •Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
  •Enable these options on the firewall used for guest traffic:
  –Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE only requires the the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
  –Send syslogs to Cisco ISE Monitoring node
  Please check the below link for further information,
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

• Cisco ISE Deployment suggestion required

  Require Assistance on Cisco ISE Deployment for below scenario
  -- We have Three Cisco ISE Appliances and Client has taken Advance Subscription License for 500 users
  -- Client has DC & DR and needs to deploy the Cisco ISE in one Main Office which connects to DC & DR on MPLS Links
  -- Client suggestion was to deploy one ISE node ( Admin + M&T + Policy Server ) in DC and its Standby Secondary in DR
       and only deploy Policy Server in Main Office.
       Idea behind the design is that ,
       1) If DC fails , Cisco ISE related logs will get generated on DR and any Cisco ISE related request will be taken care by Local Policy Server in Main Office .
        2) If Local Policy Server Fails , then ISE node in DC will act as Secondary backup and DR will act Teritary Backup
        below is view
                                       DC
                          Primary Node with Role
                     [Admin , M&T , Policy Server]
                                                                                                               Main Remote Offic
                                                                                                                Cisco ISE Node ( Only Policy Server) -----------> Network Devices
                                 DR
                         Secondary   Node with Role
                     [Admin , M&T , Policy Server]
  Please let me know is it possible

  Yes, The scenario is quite achievable also please  review the below link for assistance on deployment of ISE.
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_50_ise_deployment_tg.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf

• Cisco ISE Dashboard empty

  Dear all,
  This empty dashboard has occurred not within period of two month in which admin node portal just went empty.
  TAC was called the first time and restart the services everything work fine. But I am curious knowing under what circumstances can this happen when without notice Primary Admin node Dashboard going blank.
  Any useful help would be appreciated.
  Regards,
  Adeola

  Cisco ISE Monitoring Dashlets Not Visible with Internet Explorer 8
  Symptoms or Issue
  Administrator sees one or more “There is a problem with this website's security certificate.” messages after clicking the dashlets in the Cisco ISE monitoring portal.
  Conditions
  This issue is specific to Internet Explorer 8. (This issue has not been observed when using Mozilla Firefox.)
  Possible Causes
  The security certificate for the Internet Explorer 8 browser connection is invalid or expired.
  Resolution
  Use Internet Explorer 8 to reimport a valid security certificate to view the dashlets appropriately.

• Cisco ISE 1.2 monitoring and Reporting

  Hi Ali
  We're trying to determine how many addtional Base licenses we have to purchase in order to be compliant in our Cisco ISE 1.2 platforms (already have 1500 CISE 1.2  Base licenses in production).
  Is there any means to monitoring (e.g SNMP polling) and get scheduled reports showing the numbers of used licenses for a period ?
  looking forward to heard you back

• Cisco ISE log configuration commands enetered on routers

  Hello,
  I am trying to migrate from Cisco ACS to ISE.
  I want to log configuration commands entered on routers.
  I have configured the routers to send accounting radius to ISE but ISE sees the messages as:
  "22003  Missing attribute for authentication
  11014  RADIUS packet contains invalid attribute(s)"
  Can I configure ISE to receive radius accounting messages ?
  Is there another way to configure ISE to log configuration commands ?
  Another way would be to send syslog messages using the archive configuration on routers, but I cannot find the syslog mesages on ISE.
  Regards,
  Bogdan

  You should post your question on the AAA forum
  https://supportforums.cisco.com/community/netpro/security/aaa
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• CIsco ISE - HP Openview monitoring.

  Hi guys,
  I have a doubt about monitoring Cisco ISE services in the network.
  We can send some alarms notifications to a multiple e-mails, but my doubt is if I can monitoring ISE services with a network monitoring software like HP Open View.
  I didn't find any documentation about it yet.
  Someone knows if I can do this?

  Hi Tarik, How are you?
  The doubt is.... my customer have ise in vmware and he need monitoring availability for cisco ISE. The question is: How can I do that? I did found any document informing if I can send snmp traps or something like that to a Monitoring Server.
  About "link down" and "link Up" he can monitoring the ESX Vmware appliance right?
   There are something that I can do with Cisco ISE. I need to pass a answer to my client if  the Cisco ISE can support this kind of configuration. 
  Thanks for your help.

• Monitoring Cisco ISE - Smart Care

  Dear,
  I have a communication problem between ISE and Cisco Smart Care. I configure the community and the ip of the server but the SmartCare ISE displays the following message  ¨ Device Type not Found¨.
  I wonder if the Smart Care has the ability to withstand use for monitoring or if someone  did this through SNMP configuration without problems.
  Cisco ISE  : 1.2
  Smart Care : 1.14.15
  Bestregards

  Hi,
  This could possibly due to ‘Data Purging’. When a purge operation triggers, if the actual used database disk space is greater than the configured threshold, the purge operation removes all data from the Monitoring database tables prior to the data retention window.
  Following link might help in your case,
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1074687

• Cisco ISE and external syslog server

  Hi Security Experts,
  We are starting with deploying cisco ISE (Identity Services Engine) in our network. We have allocated 250GB space for (Admin+Monitor) ISE node.
  I want to know if we can send the logs from monitoring node to external syslog server after a defined time interval.
  For example, logs which are more than 10 days old should be sent to external syslog server. So basically our monitoring node will have logs which are at the max 9 days old. Is it possible? Could you point me to some doc which explains configuration of the same?
  Thanks,
  Kashish

  No this isnt possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE syslog

  Hello,
  From what I understand Cisco ISE has LogCollector for SysLog.
  I have configured a switch to send syslog:
  logging monitor informational
  logging origin-id ip
  logging source-interface <interface_id >
  logging host <syslog_server_IP_address_x > transport udp port 20514
  ,but I am unable to find syslog messages generated by switch.
  Can I view syslog messages in ISE ? , or are there just for ISE to use in the background ?
  Regards,
  Bogdan

  You should post your question on the AAA forum
  https://supportforums.cisco.com/community/netpro/security/aaa
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Radius Health Check - Cisco ISE

  I have one Cisco ISE setup with AD authentication. I want to configure radius helth check how it can be confiured on switches.
  Best Regards,          

  For example if we have too many authentications per second, more than what the PSN Specifications are designed for. In such cases we've to distribute the radius load to other PSN’s. You can also run Catalog report to draw a graph of Radius latency per PSN instance under Operations>Catalog>Server Health Summary> Last 7 days> PSN Hostname.
  This will only give you a trend of radius latency but not the reasons why. You need to go through logs of the concerned PSN to find out whats going on the PSN. Certainly Radius latency greater than 3 Seconds is concerning. In such scenarios we have to download the support bundle and analyse the logs.
  Cisco ISE Dashboard Monitoring
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wp1226014
  Jatin Katyal
  - Do rate helpful posts -

• Cisco ISE & NAC Agent in a Vmware View VDI Environment

  Hi,
  Anyone deployed Cisco ISE NAC agent on a vmware view virtual desktop environment (VDI)?

  There are no known issues regarding VMWare view that would cause this.
  For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
  I find ProcMon for Sysinternals useful to see if other prcesses such as
  AV are hitting those files unexpectedly. A few times I have seen AV
  Exclusions not quite working as expected until tweaked.
  The ZMD-Messages.log may show if the agent is doing something....
  On 9/30/2014 9:36 PM, harrymsg wrote:
  >
  > We have been running 11.2.4 in our View VDI environment and overall been
  > very successful. We just rolled Win 7 and are seeing approx. 10% of the
  > VMs with the zenworkswindowsservice.exe running steadily around 50% for
  > hours. Any thoughts? One thing I just set to try was excluding that
  > from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.
  >
  >
  Going to Brainshare 2014?
  http://www.brainshare.com
  Use Registration Code "nvlcwilson" for $300 off!
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Cisco ISE trying to posture a device that should not be able to be postured

  Overview:
  Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
  Mobile device authorisation policy configured:
  Problem:
  A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
  Troubleshooting:
  I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
  I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
  Have any of you guys experienced this before?

  Hi,
  I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
  I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE 1.2 Patch 6 -- 8 Update failed

  Hi all,
  I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
  Important notice : I though that this error could be an unlucky try but i've tested the update two time.
  Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
  The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
  On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
  The symptoms after this error are :
  - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
  - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
  - GUI Unavailable
  - MAB Auth is working
  - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
  - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
  The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
  My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
  Thanks for your help.

  This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
  2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
  2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
  2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
  2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
  pl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
  8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
  2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.