
Page 1: LogLogic Cisco ISE

LogLogic Cisco Identity Services Engine Log Configuration Guide

Document Release: October 2011

Part Number: LL600081-00ELS090000

This manual supports LogLogic Cisco Identity Services Engine Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

Page 2: LogLogic Cisco ISE

© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Suite 200

San Jose, CA 95134 Tel: +1 408 215 5900

Fax: +1 408 774 1752 U.S. Toll Free: 888 347 3883

www.loglogic.com

Page 3: LogLogic Cisco ISE

Contents

Preface

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Documentation Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 1 – Configuring LogLogic’s Cisco ISE Log Collection

Introduction to Cisco Identity Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Specific Prerequisites for Cisco ISE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

General Prerequisites for Cisco ISE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Configuring Cisco Identity Services Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Enabling the LogLogic Appliance to Capture Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Adding a Cisco ISE Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Configuring the LogLogic Appliance for Log Collection . . . . . . . . . . . . . . . . . . . . . . . . 10

Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2 – How LogLogic Supports Cisco ISE

How LogLogic Captures Cisco Identity Services Engine Log Data . . . . . . . . . . . . . . . . . . 12

LogLogic Real-Time Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 3 – Troubleshooting and FAQ

Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Frequently Asked Questions (FAQ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Appendix A – Event Reference

LogLogic Support for Cisco Secure ACS Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Cisco Identity Services Engine Log Configuration Guide 3

Page 4: LogLogic Cisco ISE


Page 5: LogLogic Cisco ISE

Preface

About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Cisco Identity Services Engine enables LogLogic Appliances to capture logs from machines running Cisco Identity Services Engine.

Once the logs are captured and parsed, you can generate reports and create alerts on Cisco Identity Services Engine’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480; EMEA or APAC +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.


Page 6: LogLogic Cisco ISE

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]


Page 7: LogLogic Cisco ISE

Chapter 1 – Configuring LogLogic’s Cisco ISE Log Collection

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Cisco Identity Services Engine (ISE) logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Cisco Identity Services Engine log data.

Introduction to Cisco Identity Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Configuring Cisco Identity Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Enabling the LogLogic Appliance to Capture Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Introduction to Cisco Identity Services Engine

The LogLogic Appliance supports Cisco ISE Log events. The log subscription policy consists of specific rules enabling access logging used to capture events to a local file where the LogLogic Appliance can collect them. These access events are collected and parsed into the LogLogic report tables for later review.

Prerequisites

Prior to integrating Cisco ISE with the LogLogic Appliance, ensure that you meet the following prerequisites.

Specific Prerequisites for Cisco ISE

Cisco Identity Services Engine device v1.0.2

LogLogic Appliance running Release 5.1 or later with a Log Source Package that includes Cisco ISE support

General Prerequisites for Cisco ISE

Administrative access on the Cisco ISE device

Administrative access on the LogLogic Appliance

Configuring Cisco Identity Services Engine

See page 261 (Chapter 13 - Logging) of the Cisco ISE Administrators Guide for detailed instructions on how to enable logging.

To create a Logging Target:

1. From the ISE Administration Interface, choose Administration > System > Logging > Remote Logging Targets


Page 8: LogLogic Cisco ISE

2. Click the Add button

3. Configure the following fields:

a. Name—Enter the name of the new target.

b. Target Type—By default it is set to Syslog. The value of this field cannot be changed.

c. Description—Enter a brief description of the new target.

d. IP Address—Enter the IP address of the destination machine where you want to store the logs.

e. Port—Enter the port number of the destination machine (514 is the default for syslog).

f. Facility Code—Select the syslog facility code to be used for logging. Valid options are Local0 through Local7.

g. Maximum Length—Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.

4. Click Save.

To edit Logging Categories:

1. From the ISE Administration Interface, choose Administration > System > Logging > Logging Categories.

2. Click AAA Audit > Failed Attempts.

3. Highlight the Remote Logging Target created in the previous step; click the Right Arrow to add it to the “Selected” section.

4. Click Save.

5. Repeat for the remaining logging categories.

a. AAA Audit > Failed Attempts

b. AAA Audit > Passed Authentications

c. AAA Diagnostics > Policy Diagnostics

d. Administrative and Operational Audit

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to enable the LogLogic Appliance to capture Cisco ISE log data.

Adding a Cisco ISE Device

The following sections describe how to configure the LogLogic Appliance to capture Cisco ISE logs. Logs sent via syslog are auto-discovered by the LogLogic Appliance. The steps to enable auto-identification are explained in the next section, Configuring the LogLogic Appliance for Log Collection.

With the auto-identification feature, the LogLogic Appliance captures Cisco ISE log messages in syslog format. As the syslog messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name.

If you do not want to utilize the auto-identification feature, you can manually add Cisco ISE as a device to the LogLogic Appliance before you redirect the logs.


Page 9: LogLogic Cisco ISE

To add Cisco ISE as a new device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Device tab appears.

3. Click Add New. The Add Device tab appears.

4. Type in the following information for the device:

a. Name—Name of the Cisco ISE device

b. Description (optional)—Description of the Cisco ISE device

c. Device Type—Select Cisco ISE from the drop-down menu

d. Host IP—IP address of the machine hosting the Cisco ISE log data

e. Enable—Select the Yes radio button

f. Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 1 Manual Addition of a Cisco ISE Device to the LogLogic Appliance

5. Click Add.

6. Verify that your new device appears in the Devices tab and that Enable is set to Yes, as shown in Figure 2 below.

Figure 2 Cisco ISE Device Added to the LogLogic Appliance


Page 10: LogLogic Cisco ISE

Note: LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.

Configuring the LogLogic Appliance for Log Collection

LogLogic captures Cisco ISE logs using the syslog listener. When auto-identification is enabled on the LogLogic Appliance, the logs are automatically identified as belonging to Cisco ISE and a new device is created by the LogLogic Appliance itself.

Enabling Auto Identification in the LogLogic Appliance:

1. Log into your LogLogic Appliance.

2. From the navigation tree, click Administration > System Settings. The General tab appears.

3. Select Yes for the “Auto-identify Log Sources” option.

Figure 3 Enabling Auto-Identification on the LogLogic Appliance

4. Click the Update button.

After enabling Auto-identification, the LogLogic Appliance will auto-identify the Cisco ISE device whenever logs are sent to the Appliance.


Page 11: LogLogic Cisco ISE

Verifying the Configuration

This section describes how to verify that the configuration changes made to Cisco Identity Services Engine and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status.

The Log Source Status tab appears.

3. Locate the IP address for each Cisco ISE device. If the device name (Cisco ISE) appears in the list of devices, then the configuration is correct.

Figure 4 Verify the Cisco ISE Configuration

If the device does not appear in the Log Source Status tab, check the Cisco ISE logs for events that should have been sent. If events were detected but are still not appearing on the LogLogic Appliance, verify both the Cisco ISE configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from the Cisco ISE device by viewing the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13.


Page 12: LogLogic Cisco ISE

Chapter 2 – How LogLogic Supports Cisco ISE

This chapter describes LogLogic’s support for the Cisco Identity Services Engine. LogLogic enables you to capture event log data to monitor Cisco ISE events.

How LogLogic Captures Cisco Identity Services Engine Log Data . . . . . . . . . . . . . . . . . . 12

LogLogic Real-Time Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

How LogLogic Captures Cisco Identity Services Engine Log Data

The events are generated on the Cisco ISE device and sent over UDP port 514 to the LogLogic Appliance. The LogLogic Appliance uses an automated mechanism to capture Cisco ISE log messages via syslog on the conventional UDP port 514.

Figure 5 Cisco Identity Services Engine with LogLogic Components and Processes for File-Based Log Collection

Once the data is captured you can generate reports or create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: The LogLogic Appliance captures all log messages from the Cisco ISE logs, but includes only specific messages for report generation. For more information, see Appendix A – Event Reference.


Page 13: LogLogic Cisco ISE

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Cisco Identity Services Engine log data.

The following Real-Time Reports are available:

Permission Modification—Add, delete, and modify user permissions activities

User Access—Displays data for all events retrieved from the Cisco Identity Services Engine logs for a specified time interval

User Authentication—Displays locally-stored web information served during a specified time interval

User Last Activity—Displays web information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation menu, click Reports.

2. Click Access Control.

The following Real-Time Reports are available:

Permission Modification

User Access

User Authentication

User Last Activity

3. Click Operational.

The following Real-Time Reports are available:

All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.


Page 14: LogLogic Cisco ISE

Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Cisco ISE. It also contains an FAQ, providing quick answers to common questions.

Troubleshooting

If Cisco ISE events are not appearing on the LogLogic Appliance...

Make sure the correct IP Address and Ports are configured in the Cisco ISE running configuration.

If events are not displaying on the LogLogic Appliance even after configuring Cisco ISE and Lasso Enterprise correctly...

Cisco ISE sends the logs via UDP in Syslog format to the LogLogic Appliance. Make sure that the UDP port is allowed through the ISE firewall and any firewall in between the ISE device and the LogLogic Appliance.

Frequently Asked Questions (FAQ)

How does the LogLogic Appliance collect logs from Cisco ISE?

The Cisco ISE device sends logs directly to the LogLogic Appliance via Syslog over UDP port 514.

What access permissions are required?

A user with a privilege level of 15 is required to log into the Cisco ISE to make any configuration changes.

How do I configure logging on Cisco ISE?

See Chapter 1 – Configuring LogLogic’s Cisco ISE Log Collection. Additional information on Cisco logging can be found in the Cisco ISE Administrators Guide in Chapter 13 - Logging.


Page 15: LogLogic Cisco ISE

Appendix A – Event Reference

This appendix lists the LogLogic-supported Cisco ISE events. The LogLogic Cisco ISE event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message.

LogLogic Support for Cisco Secure ACS Events

The following list describes the contents of each of the columns in the table below.

Event ID—This field is used to display the Cisco Secure ACS message type/event.

Agile Reports/Search—Defines if the Cisco Secure ACS event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic’s Real-Time Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Title—Description of the Event

Event Category—Not shown. All events belong to the Audit category

Report Mapping—LogLogic-provided reports that the event appears in

Event Type—Type of event such as Success or Failure

Sample Log Message—Sample Cisco Secure ACS log messages will be present in this column. The LogLogic Appliance can be configured to provide administrators with real-time alerts whenever data integrity and confidentiality are compromised. In addition, LogLogic’s Agile Reports and search capabilities can be used to analyze the captured log data.
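As an added example (not LogLogic's or Cisco's code), the parser below reads records in the layout of the sample log messages in Table 1: it decodes the syslog PRI into the facility chosen with the ISE Facility Code option (Chapter 1) and the severity, splits the comma-separated attributes, and tallies failed administrator logins per AdminIPAddress, the first thing to check when the User Authentication report shows repeated failures. It assumes that the three numbers after the category name are a sequence number, segment count and segment index, and that the number after the ISO timestamp is a per-message ordinal; the guide does not describe those fields.

```python
"""Parse Cisco ISE syslog records like the samples in Table 1 of this guide.

Added example for this page; it is not LogLogic or Cisco code.  Treating the
three numbers after the category name as sequence number, segment count and
segment index, and the number after the ISO timestamp as a per-message
ordinal, is an assumption about the ISE syslog layout that this guide does
not describe.
"""
import re
from collections import Counter

# RFC 3164: PRI = facility * 8 + severity.  The ISE "Facility Code" setting
# from Chapter 1 offers Local0..Local7, i.e. facilities 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<category>CISE_\w+) "
    r"(?P<seq>\d+) (?P<segments>\d+) (?P<segment>\d+) "
    r"(?P<isotime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) "
    r"(?P<ordinal>\d+) (?P<code>\d+) (?P<level>[A-Z]+) "
    r"(?P<text>[^,]*), (?P<attrs>.*)$"
)

# Message codes whose text in Table 1 reports a failed administrator login.
ADMIN_LOGIN_FAILURE_CODES = {"51000", "51004", "51005", "51008", "51020", "51021"}

# Sample input: four records copied from Table 1 of this guide.
SAMPLE_LINES = [
    r"<181>Aug 12 00:33:05 cisco-ise CISE_Administrative_and_Operational_Audit 0000000035 1 0 2011-08-12 00:33:05.914 +00:00 0000000178 51000 NOTICE Administrator-Login: Administrator authentication failed, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, inLocalMode=false,",
    r"<189>Aug 23 16:04:13 cisco-ise CISE_Administrative_and_Operational_Audit 0000000035 1 0 2011-08-23 16:04:13.134 -08:00 0000000043 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=D6AEBA92EFB59383841727517C449B62, AdminName=admin, OperationMessageText=Administrator authentication successful,",
    r"<181>Aug 23 10:25:38 cisco-ise CISE_Administrative_and_Operational_Audit 0000000096 1 0 2011-08-23 10:25:38.555 +00:00 0000001089 51005 NOTICE Administrator-Login: Administrator authentication failed. Administrator account is disabled., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=18, AdminInterface=GUI, AdminIPAddress=10.60.0.114, AdminSession=8E74132DC930F49E6EFC744EC2B5040F, AdminName=tsmith, inLocalMode=false,",
    r"<189>Aug 23 16:09:30 cisco-ise CISE_Administrative_and_Operational_Audit 0000000038 1 0 2011-08-23 16:09:30.839 -08:00 0000000046 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminName=asdasoifnsiufb984bnqf34fn, OperationMessageText=This user is not in the system,",
]


def decode_pri(pri):
    """Return (facility, severity) names for a syslog PRI value."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError("PRI %d names an undefined facility" % pri)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_attributes(attrs):
    """Turn 'key=value, key=value,' into a dict.

    ISE escapes commas inside values (see the ConfigChangeData samples in
    Table 1), so only an unescaped ', ' separates one attribute from the next.
    """
    fields = {}
    for item in re.split(r"(?<!\\), ", attrs.rstrip(",")):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def parse_record(line):
    """Parse one ISE syslog line; return None if it is not in the expected layout."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = decode_pri(int(rec["pri"]))
    for key in ("seq", "segments", "segment", "ordinal"):
        rec[key] = int(rec[key])
    rec["attrs"] = parse_attributes(rec["attrs"])
    return rec


def failed_admin_logins_by_ip(lines):
    """Count failed administrator logins per AdminIPAddress.

    Lines that do not parse are skipped, so the tally can run over a raw
    syslog capture that also contains other device types.
    """
    tally = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["code"] in ADMIN_LOGIN_FAILURE_CODES:
            tally[rec["attrs"].get("AdminIPAddress", "unknown")] += 1
    return tally
```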

Table 1 LogLogic Supported Events for Cisco ISE

Columns: Event ID | Agile Reports/Search | Title | Report Mapping | Event Type; the Sample Log Message for each row follows on the next line.

1. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Failure

Sample Log Message: <181>Aug 12 00:33:05 cisco-ise CISE_Administrative_and_Operational_Audit 0000000035 1 0 2011-08-12 00:33:05.914 +00:00 0000000178 51000 NOTICE Administrator-Login: Administrator authentication failed, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, inLocalMode=false,

2. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Success

Sample Log Message: <189>Aug 23 16:04:13 cisco-ise CISE_Administrative_and_Operational_Audit 0000000035 1 0 2011-08-23 16:04:13.134 -08:00 0000000043 51001 NOTICE Administrator-Login: Administrator authentication succeeded, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=D6AEBA92EFB59383841727517C449B62, AdminName=admin, OperationMessageText=Administrator authentication successful,


Page 16: LogLogic Cisco ISE

3. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Failure

Sample Log Message: <189>Aug 23 16:04:09 cisco-ise CISE_Administrative_and_Operational_Audit 0000000034 1 0 2011-08-23 16:04:09.070 -08:00 0000000042 51002 NOTICE Administrator-Login: Administrator logged off, ConfigVersionId=4, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=344C9443B73D731B94C0D8DFA03A402B, AdminName=admin, OperationMessageText=User logged out,

4. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Success

Sample Log Message: <181>Aug 12 00:32:59 cisco-ise CISE_Administrative_and_Operational_Audit 0000000034 1 0 2011-08-12 00:32:59.876 +00:00 0000000161 51003 NOTICE Administrator-Login: Session Timeout, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, inLocalMode=false,

5. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access | Failure

Sample Log Message: <181>Aug 23 10:21:00 cisco-ise CISE_Administrative_and_Operational_Audit 0000000091 1 0 2011-08-23 10:20:59.995 +00:00 0000001042 51004 NOTICE Administrator-Login: Rejected administrator session from unauthorized client IP address, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=17, AdminInterface=GUI, AdminIPAddress=10.60.0.114, AdminSession=00AB80D4B9CA4536D694851DDB39722A, AdminName=ACSAdmin, inLocalMode=false,

6. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access | Failure

Sample Log Message: <181>Aug 23 10:25:38 cisco-ise CISE_Administrative_and_Operational_Audit 0000000096 1 0 2011-08-23 10:25:38.555 +00:00 0000001089 51005 NOTICE Administrator-Login: Administrator authentication failed. Administrator account is disabled., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=18, AdminInterface=GUI, AdminIPAddress=10.60.0.114, AdminSession=8E74132DC930F49E6EFC744EC2B5040F, AdminName=tsmith, inLocalMode=false,

7. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Failure

Sample Log Message: <181>Aug 23 10:27:50 cisco-ise CISE_Administrative_and_Operational_Audit 0000000103 1 0 2011-08-23 10:27:50.977 +00:00 0000001169 51008 NOTICE Administrator-Login: Administrator authentication failed. Account is disabled due to excessive failed authentication attempts., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=19, AdminInterface=GUI, AdminIPAddress=10.60.0.114, AdminSession=F754E335770722FFB911516B3A55CC2E, AdminName=tsmith, inLocalMode=false,

8. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Success

Sample Log Message: <181>Aug 22 18:14:55 cisco-ise CISE_Administrative_and_Operational_Audit 0000000044 1 0 2011-08-22 18:14:55.109 +00:00 0000000338 51100 NOTICE User change password: Password changed successfully, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=13, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, ObjectType=java.lang.String, ObjectName=travis, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,



Page 17: LogLogic Cisco ISE

9. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Failure

Sample Log Message: <181>Aug 23 10:09:19 cisco-ise CISE_Administrative_and_Operational_Audit 0000000086 1 0 2011-08-23 10:09:19.317 +00:00 0000001010 51101 NOTICE User change password: Invalid new password. Password is too short., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=15, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,

10. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Failure

Sample Log Message: <181>Aug 23 10:07:53 cisco-ise CISE_Administrative_and_Operational_Audit 0000000082 1 0 2011-08-23 10:07:53.363 +00:00 0000000983 51102 NOTICE User change password: Invalid new password. Too many repeating characters., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=15, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,

11. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Failure

Sample Log Message: <181>Aug 23 10:06:41 cisco-ise CISE_Administrative_and_Operational_Audit 0000000078 1 0 2011-08-23 10:06:41.766 +00:00 0000000953 51103 NOTICE User change password: Invalid new password. Missing required character type., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=15, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,

12. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Failure

Sample Log Message: <181>Aug 23 10:04:41 cisco-ise CISE_Administrative_and_Operational_Audit 0000000070 1 0 2011-08-23 10:04:41.310 +00:00 0000000899 51104 NOTICE User change password: Invalid new password. Contains username., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=15, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,

13. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, Permission Modification | Failure

Sample Log Message: <181>Aug 23 10:05:27 cisco-ise CISE_Administrative_and_Operational_Audit 0000000074 1 0 2011-08-23 10:05:27.744 +00:00 0000000926 51105 NOTICE User change password: Invalid new password. Contains reserved word., ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=15, AdminInterface=RADIUS, AdminIPAddress=10.60.1.240, AdminName=SERVICE, UserAdminFlag=User, AccountName=travis, AuditPasswordType=Login, IdentityStoreName=Internal Users, OperatorName=travis, inLocalMode=false,

14. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Failure

Sample Log Message: <189>Aug 23 16:09:30 cisco-ise CISE_Administrative_and_Operational_Audit 0000000038 1 0 2011-08-23 16:09:30.839 -08:00 0000000046 51020 NOTICE Administrator-Login: Administrator authentication failed. Login username does not exist., ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminName=asdasoifnsiufb984bnqf34fn, OperationMessageText=This user is not in the system,



Page 18: LogLogic Cisco ISE

15. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity, User Authentication | Failure

Sample Log Message: <189>Aug 23 16:10:26 cisco-ise CISE_Administrative_and_Operational_Audit 0000000039 1 0 2011-08-23 16:10:26.124 -08:00 0000000047 51021 NOTICE Administrator-Login: Administrator authentication failed. Wrong password., ConfigVersionId=7, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminName=admin, OperationMessageText=Wrong passowrd,

16. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity | Success

Sample Log Message: <181>Aug 11 07:50:16 cisco-ise CISE_Administrative_and_Operational_Audit 0000016672 1 0 2011-08-11 07:50:16.844 +00:00 0000020078 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=12, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ConfigChangeData='Account never disabled'='false'\\\,'Password'='********'\\\,'Enabled'='true'\\\,'Name'='Trav'\\\,'Assigned Roles'='SuperAdmin', ObjectType=Administrator Account, ObjectName=Trav, ObjectId=3, inLocalMode=false,

17. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity | Success

Sample Log Message: <181>Aug 11 07:50:51 cisco-ise CISE_Administrative_and_Operational_Audit 0000016673 1 0 2011-08-11 07:50:51.671 +00:00 0000020083 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=13, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ConfigChangeData='Account never disabled'='false'\\\,'Password'='********'\\\,'Enabled'='true'\\\,'Name'='Trav-dup'\\\,'Assigned Roles'='SuperAdmin', ObjectType=Administrator Account, ObjectName=Trav-dup, ObjectId=4, inLocalMode=false,

18. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity | Success

Sample Log Message: <181>Aug 11 07:55:49 cisco-ise CISE_Administrative_and_Operational_Audit 0000016682 1 0 2011-08-11 07:55:49.275 +00:00 0000020127 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=17, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=0F3B63EF4FC885D47DCD3ABC9E848E2F, AdminName=ACSAdmin, ConfigChangeData='Name'='New Location'\\\,'Parent'='Location:All Locations', ObjectType=Hierarchy Group, ObjectName=Location:All Locations:New Location, ObjectId=100015, inLocalMode=false,

19. CISE_Administrative_and_Operational_Audit | Agile | Cisco ISE Administrative and Operational Audit log messages | User Access, User Last Activity | Success

Sample Log Message: <181>Aug 11 23:15:54 cisco-ise CISE_Administrative_and_Operational_Audit 0000000005 1 0 2011-08-11 23:15:54.265 +00:00 0000000055 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=3, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ConfigChangeData='Domain Name'='dev.loglabs.lab'\\\,'Password'='********'\\\,'Username'='smith'\\\,'Enable machine authentication'='true'\\\,'Enable password change'='true'\\\,'Enable Machine Access Restrictions'='false'\\\,'Aging Time'='6'\\\,'Machine authentication name prefix'='/host', ObjectType=Active Directory, ObjectName=AD1, ObjectId=16, inLocalMode=false,


Event ID: 20
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:15:57 cisco-ise CISE_Administrative_and_Operational_Audit 0000000006 1 0 2011-08-11 23:15:57.504 +00:00 0000000056 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=3, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ObjectType=Custom Condition, ObjectName=AD1:ExternalGroups, ObjectId=16, inLocalMode=false,

Event ID: 21
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:24:54 cisco-ise CISE_Administrative_and_Operational_Audit 0000000013 1 0 2011-08-11 23:24:54.216 +00:00 0000000088 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=6, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ConfigChangeData='Domain Name'='loglabs.lab'\\\,'Password'='********'\\\,'Username'='administrator'\\\,'Enable machine authentication'='true'\\\,'Enable password change'='true'\\\,'Enable Machine Access Restrictions'='false'\\\,'Aging Time'='6'\\\,'Machine authentication name prefix'='/host', ObjectType=Active Directory, ObjectName=AD1, ObjectId=17, inLocalMode=false,

Event ID: 22
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:24:55 cisco-ise CISE_Administrative_and_Operational_Audit 0000000014 1 0 2011-08-11 23:24:55.566 +00:00 0000000089 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=6, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ObjectType=Custom Condition, ObjectName=AD1:ExternalGroups, ObjectId=17, inLocalMode=false,

Event ID: 23
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:36:32 cisco-ise CISE_Administrative_and_Operational_Audit 0000000038 1 0 2011-08-12 00:36:32.864 +00:00 0000000204 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=8, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Enable Password'='********'\\\,'Password'='********'\\\,'changePassword'='false'\\\,'Enabled'='true'\\\,'Name'='Trav'\\\,'Identity Group'='All Groups', ObjectType=Internal User, ObjectName=Trav, ObjectId=5, inLocalMode=false,

Event ID: 24
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:38:34 cisco-ise CISE_Administrative_and_Operational_Audit 0000000039 1 0 2011-08-12 00:38:34.946 +00:00 0000000211 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=9, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='End'='Sun Aug 12 23:59:00 UTC 2012'\\\,'Start'='Fri Aug 12 00:00:00 UTC 2011'\\\,'Immediately'='false'\\\,'No End Time'='false'\\\,'Name'='Time', ObjectType=Date and Time Condition, ObjectName=Time, ObjectId=100018, inLocalMode=false,


Event ID: 25
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:43:02 cisco-ise CISE_Administrative_and_Operational_Audit 0000000042 1 0 2011-08-12 00:43:02.576 +00:00 0000000226 52000 NOTICE Configuration-Changes: Added configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=11, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Name'='LogLabs Radius Server'\\\,'RADIUS'='Enabled'\\\,'RADIUS:Shared Secret'='********'\\\,'RADIUS:Key Wrap'='false'\\\,'TACACS+'='Disabled'\\\,'NDG:Location'='Location:All Locations'\\\,'NDG:Device Type'='Device Type:All Device Types'\\\,'IP Address'='10.60.1.32/32', ObjectType=Network Device, ObjectName=LogLabs Radius Server, ObjectId=1, inLocalMode=false,

Event ID: 26
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 07:50:58 cisco-ise CISE_Administrative_and_Operational_Audit 0000016674 1 0 2011-08-11 07:50:58.420 +00:00 0000020088 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=13, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ConfigChangeData='Name'='Trav-dup1', ObjectType=Administrator Account, ObjectName=Trav-dup1, ObjectId=4, inLocalMode=false,

Event ID: 27
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 07:52:06 cisco-ise CISE_Administrative_and_Operational_Audit 0000016679 1 0 2011-08-11 07:52:06.255 +00:00 0000020100 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=14, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ConfigChangeData='Minimum Length'='6', ObjectType=Admin Password Complexity, ObjectName=AdminPasswdComplexityName, ObjectId=2, inLocalMode=false,

Event ID: 28
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 07:53:08 cisco-ise CISE_Administrative_and_Operational_Audit 0000016680 1 0 2011-08-11 07:53:08.675 +00:00 0000020106 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=16, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ConfigChangeData='Session Idle Timeout'='31', ObjectType=Admin Account Settings, ObjectName=AdminAccountSettingsName, ObjectId=1, inLocalMode=false,

Event ID: 29
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 08:04:43 cisco-ise CISE_Administrative_and_Operational_Audit 0000016687 1 0 2011-08-11 08:04:43.055 +00:00 0000020136 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=17, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=0F3B63EF4FC885D47DCD3ABC9E848E2F, AdminName=ACSAdmin, ConfigChangeData='Selected Remote Syslog Targets'='10.60.0.134'\;'LogCollector', ObjectType=Logging Category, ObjectName=System Statistics, ObjectId=120, inLocalMode=false,


Event ID: 30
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:16:20 cisco-ise CISE_Administrative_and_Operational_Audit 0000000007 1 0 2011-08-11 23:16:20.006 +00:00 0000000062 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=5, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ConfigChangeData=''='', ObjectType=Active Directory, ObjectName=AD1, ObjectId=16, inLocalMode=false,

Event ID: 31
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:33:31 cisco-ise CISE_Administrative_and_Operational_Audit 0000000037 1 0 2011-08-12 00:33:31.776 +00:00 0000000199 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=8, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData=''='dev.loglabs.lab/Builtin/Administrators', ObjectType=Active Directory, ObjectName=AD1, ObjectId=17, inLocalMode=false,

Event ID: 32
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:38:52 cisco-ise CISE_Administrative_and_Operational_Audit 0000000040 1 0 2011-08-12 00:38:52.086 +00:00 0000000216 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=10, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Authorization Standard Policy Configuration'='New/Updated', ObjectType=Access Service, ObjectName=Default Network Access, ObjectId=1900, inLocalMode=false,

Event ID: 33
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:39:06 cisco-ise CISE_Administrative_and_Operational_Audit 0000000041 1 0 2011-08-12 00:39:06.806 +00:00 0000000221 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=11, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Authorization Standard Policy Configuration'='New/Updated', ObjectType=Access Service, ObjectName=Default Device Admin, ObjectId=1800, inLocalMode=false,

Event ID: 34
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:59:10 cisco-ise CISE_Administrative_and_Operational_Audit 0000000047 1 0 2011-08-12 00:59:10.286 +00:00 0000000297 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=13, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Identity Policy Configuration'='New/Updated', ObjectType=Access Service, ObjectName=Default Network Access, ObjectId=1900, inLocalMode=false,


Event ID: 35
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 12 00:59:10 cisco-ise CISE_Administrative_and_Operational_Audit 0000000047 1 0 2011-08-12 00:59:10.286 +00:00 0000000297 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=13, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=73C395B29BB20CC0256854C5DAEA6853, AdminName=ACSAdmin, ConfigChangeData='Identity Policy Configuration'='New/Updated', ObjectType=Access Service, ObjectName=Default Network Access, ObjectId=1900, inLocalMode=false,

Event ID: 36
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 23 10:40:58 cisco-ise CISE_Administrative_and_Operational_Audit 0000000107 1 0 2011-08-23 10:40:58.969 +00:00 0000001198 52001 NOTICE Configuration-Changes: Changed configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=21, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=C10DFFCE8F5779D2F2F6D47F0D8F7EC8, AdminName=ACSAdmin, ConfigChangeData='Description'='test user', ObjectType=Internal User, ObjectName=test, ObjectId=9, inLocalMode=false,

Event ID: 37
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 07:51:49 cisco-ise CISE_Administrative_and_Operational_Audit 0000016678 1 0 2011-08-11 07:51:49.733 +00:00 0000020096 52002 NOTICE Configuration-Changes: Deleted configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=14, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=FE1F958C4FB34BE8799BA3EE4C521208, AdminName=ACSAdmin, ObjectType=Administrator Account, ObjectName=Trav-dup1, ObjectId=4, inLocalMode=false,

Event ID: 38
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:23:54 cisco-ise CISE_Administrative_and_Operational_Audit 0000000010 1 0 2011-08-11 23:23:54.216 +00:00 0000000080 52002 NOTICE Configuration-Changes: Deleted configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=5, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ObjectType=Custom Condition, ObjectName=AD1:ExternalGroups, ObjectId=16, inLocalMode=false,

Event ID: 39
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 11 23:23:55 cisco-ise CISE_Administrative_and_Operational_Audit 0000000011 1 0 2011-08-11 23:23:55.546 +00:00 0000000082 52002 NOTICE Configuration-Changes: Deleted configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=6, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=31EE0FCF468DA2EC4CCEE474A68FE280, AdminName=ACSAdmin, ObjectType=Active Directory, ObjectName=AD1, ObjectId=16, inLocalMode=false,

Event ID: 40
Title: CISE_Administrative_and_Operational_Audit
Agile Reports/Search Report Mapping: Agile Cisco ISE Administrative and Operational Audit log messages
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <181>Aug 23 10:42:14 cisco-ise CISE_Administrative_and_Operational_Audit 0000000109 1 0 2011-08-23 10:42:13.999 +00:00 0000001208 52002 NOTICE Configuration-Changes: Deleted configuration, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=22, AdminInterface=GUI, AdminIPAddress=172.16.0.200, AdminSession=C10DFFCE8F5779D2F2F6D47F0D8F7EC8, AdminName=ACSAdmin, ObjectType=Internal User, ObjectName=test, ObjectId=9, inLocalMode=false,


Event ID: 41
Title: CISE_Failed_Attempts
Agile Reports/Search Report Mapping: Agile Cisco ISE Failed Attempts
Event Type: User Access, User Last Activity (Failure)
Sample Log Message: <189>Aug 23 17:26:31 cisco-ise CISE_Failed_Attempts 0000000044 2 0 2011-08-23 17:26:31.321 -08:00 0000000085 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=8, Device IP Address=10.60.1.240, Device Port=1037, Protocol=Radius, User-Name=travis, NAS-IP-Address=10.60.1.240, NAS-Port=129, Service-Type=Framed, Framed-Protocol=PPP, Calling-Station-ID=10.60.1.134, Acct-Session-Id=10, NAS-Port-Type=Virtual, Tunnel-Type=(tag=0) PPTP, Tunnel-Medium-Type=(tag=0) IPv4, Tunnel-Client-Endpoint=(tag=0) 10.60.1.134, MS-RAS-Vendor=311, MS-RAS-Version=MSRASV5.20, MS-CHAP2-Response=00:00:c4:7b:41:53:f7:51:92:a8:06:90:fc:3f:b8:c4:aa:18:00:00:00:00:00:00:00:00:69:11:1c:9b:b3:61:af:c2:a5:b3:53:a2:d2:f5:40:44:19:74:02:78:40:ab:0f:f6, AcsSessionID=cisco-ise/103510394/1,

Event ID: 42
Title: CISE_Failed_Attempts
Agile Reports/Search Report Mapping: Agile Cisco ISE Failed Attempts
Event Type: User Access, User Last Activity (Failure)
Sample Log Message: <189>Aug 30 12:29:22 cisco-ise CISE_Failed_Attempts 0000000151 2 0 2011-08-30 12:29:22.500 -08:00 0000004178 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=9, Device IP Address=10.60.1.240, Device Port=4457, DestinationIPAddress=10.60.1.121, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=travis, Protocol=Radius, RequestLatency=69, NetworkDeviceName=MSPPTP, User-Name=travis, NAS-IP-Address=10.60.1.240, NAS-Port=129, Service-Type=Framed, Framed-Protocol=PPP, Calling-Station-ID=10.60.1.134, Acct-Session-Id=20, NAS-Port-Type=Virtual, Tunnel-Type=(tag=0) PPTP, Tunnel-Medium-Type=(tag=0) IPv4, Tunnel-Client-Endpoint=(tag=0) 10.60.1.134, MS-RAS-Vendor=311, MS-CHAP-Challenge=6e:e0:58:87:18:2c:fe:d0:89:b2:4f:81:12:cc:c1:79, MS-RAS-Version=MSRASV5.20, MS-CHAP2-Response=01:00:e7:43:68:d1:6b:16:fd:b8:bb:6a:0e:bb:0c:a4:0c:7b:00:00:00:00:00:00:00:00:c7:0d:90:2d:a9:e0:85:a5:27:93:58:87:db:fc:ac:f1:c5:63:0c:96:92:13:e2:83, MS-RAS-Client-Name=MSRAS-0-LL-TMCM-55,

Event ID: 43
Title: CISE_Policy_Diagnostics
Agile Reports/Search Report Mapping: Agile Cisco ISE Policy Diagnostics
Event Type: User Access, User Last Activity (Success)
Sample Log Message: <187>Aug 30 12:31:29 cisco-ise CISE_Policy_Diagnostics 0000000157 1 0 2011-08-30 12:31:29.712 -08:00 0000004195 15047 ERROR Policy: MS-CHAP v2 is not allowed, ConfigVersionId=9, Device IP Address=10.60.1.240, UserName=travis, Protocol=Radius, RequestReceivedTime=1314732689, PolicyType=ServiceSelectionPolicy, AcsSessionID=cisco-ise/103510394/70, SelectedAccessService=Default Network Access, ServiceSelectionMatchedRule=Standard Rule 2, CPMSessionID=0a3c0179000000034E5D3A91,

Event ID: 44
Title: CISE_Passed_Authentications
Agile Reports/Search Report Mapping: Agile Cisco ISE Passed Authentications
Event Type: User Access, User Last Activity (Success)
Sample Log Message: Calling-Station-ID=10.60.1.134, Acct-Session-Id=29, NAS-Port-Type=Virtual, Tunnel-Type=(tag=0) PPTP, Tunnel-Medium-Type=(tag=0) IPv4, Tunnel-Client-Endpoint=(tag=0) 10.60.1.134, MS-RAS-Vendor=311, MS-CHAP-Challenge=be:96:87:51:87:90:95:56:16:e8:55:7b:08:67:65:b7, MS-RAS-Version=MSRASV5.20, MS-CHAP2-Response=00:00:b3:15:03:38:0c:23:93:32:50:5a:97:fb:d6:00:a2:f0:00:00:00:00:00:00:00:00:38:a4:30:da:00:01:c5:54:52:86:9c:9c:3f:04:b1:41:b0:2b:d7:9f:54:c5:f0:f7, MS-RAS-Client-Name=MSRAS-0-LL-TMCM-55,
