ISE logging Explanation

jogorham
Level 1

I am looking for a document that will explain the following.

  • What activities are covered by the “Accounting” and “Administrative and Operational Audit” logging categories?
  • Which of the events logs the changes to ISE profiling policies, registered MAC addresses (MAB), dACLs, SGTs?
  • Which logs account for the creation of new local accounts?  The modification of access rights for accounts?
  • Which log identifies when an ISE log is “cleared”?
  • Can the ISE logs distinguish between actions performed by human accounts versus system accounts?
Accepted Solutions

Craig Hyps
Level 10

Many generic items so assume you are responding to RFP or other tender. 

Recommend start here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_011011.html#ID1116

Many reports available to track changes and any relevant event under Operations > Reports > Audit

Auth events will track the assignment of dACL or SGT.  MAB is an auth event, not a config event.  Not all config changes are detailed.  When config is changed, you may trigger a config audit event against that admin, but it may not spell out the exact detail of every change.  Debug logs can track minute system changes, but it is not common or recommended to keep those enabled.

Log purging:

Cisco Identity Services Engine Administrator Guide, Release 2.3  - Monitoring and Troubleshooting [Cisco Identity Servic…

60198  MnT purge event occurred

Not clear on ask of human vs system accounts.  The creds presented will represent identity.  In some cases the access method may help dictate such as API vs UI.

Craig
