cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2620
Views
0
Helpful
2
Replies

ISE PIC - No Events in Live Session

sampathss
Cisco Employee
Cisco Employee

Hi,

One of my customer is on ISE 2.2 latest patch and using ISE PIC.

The events are being sent from the domain controllers to Syslog NG and Syslog NG servers are added as Syslog Providers.

We are unable to see events in the LIVE Session under ISE PIC.

We verified that using TCPDUMP(under Troubleshooting) that ISE is getting events from the syslog server.

Could it be a parsing issue that's causing it to not display the events in the Live Session?

When pasted the sample syslog output and tested, it shows the proper output. Could it be anything on the customer header?

Thanks

Sampath

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

TAC case?

If never work before, then most likely parsing.

Enable DEBUG on passiveid and collector. Recreate with packet capture and check the debug log files — passiveid-*.log and collector.log.

View solution in original post

2 Replies 2

hslai
Cisco Employee
Cisco Employee

TAC case?

If never work before, then most likely parsing.

Enable DEBUG on passiveid and collector. Recreate with packet capture and check the debug log files — passiveid-*.log and collector.log.

Hsing

No TAC Case yet. Will be opening it shortly.

It was working fine when it was configured as just ISE-PIC without Full ISE.

Now with Full ISE, no events showing up in the live sessions. The syntax of the syslog template and header is correct and they show the output when tested.

No errors in the log. Any other area that I need to look at?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: