[Day 30] Cisco ISE Mastery Training: Integrating a Syslog Server for Log Management

• Trainer Sagar Dhawan
• Posted on August 18, 2025
• No Comments

[Day 30] Cisco ISE Mastery Training: Integrating a Syslog Server for Log Management

---

Introduction

Logs are the telemetry heartbeat of any NAC deployment. Cisco ISE produces detailed authentication, authorization and system events — but to operate, audit and investigate at scale you must centralize those logs on a syslog/SIEM platform. Integrating a syslog server lets you:

• Retain historical events for forensic and compliance needs.
• Correlate ISE events with network, firewall and endpoint logs in a SIEM.
• Automate alerting (excessive auth failures, device quarantine spikes).
• Offload storage and run long-range analytics (trends, capacity planning, security detection).

This lesson gives you an end-to-end lab and production-style workflow: install & secure a syslog server (rsyslog), configure network devices to forward logs, configure Cisco ISE remote logging targets and log categories, validate end-to-end flow, and troubleshoot mismatches. Where useful I include CLI commands you can copy/paste and GUI steps with screenshot placeholders.

(References: Cisco ISE remote logging docs, and rsyslog best practices). (Cisco, Rsyslog)

---

Problem Statement (real-world pain)

In production NAC deployments you will quickly hit problems if logs are not centralized:

• ISE Live Logs are great for single-event triage, but they are not a replacement for long-term retention, scheduled reporting or SIEM analytics.
• Investigations require correlating switch syslogs, DHCP and AD logs across many devices — impossible without central storage.
• Regulatory auditors want signed, archived evidence (PDF/CSV) that you can’t easily provide from transient local logs.
• Local ISE storage can fill up or be lost in a node failure; external storage preserves data.

You must therefore design a robust, secure, and verifiable log pipeline from NADs and ISE → central syslog → SIEM/archive.

---

Solution Overview (how Cisco ISE + syslog server solves it)

• Cisco ISE can forward selected log categories (authentication, system, policy, radius, etc.) to remote logging targets (syslog/SIEM). You configure remote logging targets and assign log categories to each target. ISE can also use its internal messaging service to deliver logs securely. (Cisco)
• Network devices (Catalyst switches, WLCs, routers) send syslog messages to your central collector (rsyslog/syslog-ng/SIEM). Typical practice is to use TCP or TCP+TLS to avoid UDP message loss. Rsyslog supports TCP and TLS inputs (imtcp + TLS modules). (Rsyslog, Network Pro Guide)
• Syslog server receives, timestamps, stores and optionally forwards logs into SIEM pipelines and long-term archives. Use structured formats / RFC5424 where possible for reliable parsing. (RFC Editor)

Key advantages: reliability (TCP/TLS), security (encrypted syslog), centralized search, and retention/archival policies.

---

Sample Lab Topology

Platform: VMware Workstation or EVE-NG (recommended for reproducible labs)

VMs/Devices:

• ISE VM — 10.10.10.50 (PAN/PSN combined for lab)
• Catalyst 9300 (or IOSv L2) — mgmt 10.10.10.2 (access ports Gi1/0/10-12)
• rsyslog server (Ubuntu 22.04) — 10.10.10.100 (receives syslog over TCP/UDP and TLS)
• AD / DHCP server — 10.10.10.10
• Test endpoints: Windows 10 (802.1X), IP Phone (MAB), Printer (MAB)

Topology diagram:

Use this topology to generate authentication events on the switch and ISE, then validate arrival at the rsyslog server and in ISE remote logging target status.

---

Step-by-Step GUI & CLI Configuration Guide (numbered, copy-paste friendly)

Plan: 1) Prep infra (NTP/DNS/firewall), 2) configure rsyslog server (UDP/TCP and TLS examples), 3) configure Catalyst switch to forward syslog, 4) configure ISE remote logging target & categories, 5) test & validate, 6) tune/secure.

PRE-REQ (before you start)

• Ensure NTP is configured and synced on ISE, switch and syslog server. Timestamps MUST match for correlation.
• Open required firewall ports between ISE / NADs and rsyslog server: UDP 514 (if using UDP), TCP 514 or TCP 6514 (if using TLS), plus any SIEM ingestion ports. For ISE messaging features, modern ISE may use additional internal ports (see official docs for your ISE version). (Cisco)

---

Part A — Prepare the rsyslog server (Ubuntu example)

A.1 — Install rsyslog and TLS support

# On Ubuntu 22.04+
sudo apt update
sudo apt install rsyslog rsyslog-gnutls -y    # gnults enables TLS support

A.2 — Create TLS certificates (lab): (production use CA-signed certs)

# Generate CA, server cert (lab/demo)
mkdir -p /etc/rsyslog-keys && cd /etc/rsyslog-keys
# CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -subj "/CN=Lab-CA"
# Server cert
openssl genrsa -out rsyslog.key 2048
openssl req -new -key rsyslog.key -out rsyslog.csr -subj "/CN=rsyslog.lab.local"
openssl x509 -req -in rsyslog.csr -CA ca.key -CAcreateserial -out rsyslog.crt -days 3650 -sha256
chmod 640 /etc/rsyslog-keys/*

A.3 — Configure rsyslog to accept TCP & TLS syslog (example file /etc/rsyslog.d/10-remote.conf)

# /etc/rsyslog.d/10-remote.conf
module(load="imtcp")    # TCP input
module(load="imudp")    # UDP input (optional)
module(load="imptcp")   # for high performance
module(load="imuxsock") # local syslog
module(load="imklog")   # kernel logging

# TLS (gnutls) config
module(load="imtcp")
module(load="imtls") # may be 'imtcp' with streamdriver; varies by rsyslog version

# TCP non-TLS listener (port 514)
input(type="imtcp" port="514")

# TLS listener (example port 6514)
global(
 defaultNetstreamDriver="gtls"
 defaultNetstreamDriverCAFile="/etc/rsyslog-keys/ca.crt"
 defaultNetstreamDriverCertFile="/etc/rsyslog-keys/rsyslog.crt"
 defaultNetstreamDriverKeyFile="/etc/rsyslog-keys/rsyslog.key"
)
input(type="imtcp" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

# Store logs per host
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& stop

Save file and restart:

sudo mkdir -p /var/log/remote
sudo chown syslog:adm /var/log/remote
sudo systemctl restart rsyslog
sudo ss -lntu | egrep '514|6514'   # validate listening ports

Validation (rsyslog):

# confirm ports listening:
ss -lntu | grep -E '514|6514'
# tail incoming logs for a test host
sudo tail -F /var/log/remote/<switch-hostname>/syslog.log

(Reference: rsyslog imtcp/TLS module docs). (Rsyslog, michlstechblog.info)

---

Part B — Configure Catalyst switch to send syslog (CLI)

B.1 — Basic syslog to UDP/TCP

conf t
 service timestamps log datetime msec localtime show-timezone
 logging source-interface Vlan1          ! ensure consistent source IP seen by syslog/ISE
 logging host 10.10.10.100 transport tcp port 514     ! use TCP where supported
 logging facility local7
 logging trap informational
end
write memory

B.2 — (Optional) Use TLS (platform dependent)
Some IOS/XE platforms allow logging host with transport tls or transport tcp — syntax varies by release. If TLS is supported:

logging host 10.10.10.100 transport tls port 6514

Validate on switch:

show logging
show run | section logging

Validate network reachability:

ping 10.10.10.100 source Vlan1

(Notes: Not all Catalyst platforms support transport tls—use TCP/TLS support matrix for your platform). (Cisco, Network Pro Guide)

---

Part C — Configure Cisco ISE to forward logs to remote syslog (GUI)

C.1 — Add a Remote Logging Target

1. Log in to ISE Admin GUI (https://<ISE-PAN-IP>/admin).
2. Navigate: Administration → System → Logging → Remote Logging Targets (menu path varies slightly by release).
   [Screenshot: ISE → Administration → System → Remote Logging Targets (Add New)]

1. Click Add and fill fields:
   • Name: rsyslog-lab
   • Target Type: Syslog (default)
   • IP / Hostname: 10.10.10.100
   • Port: 514 (TCP) or 6514 (TLS)
   • Protocol / Secure Syslog: set to enable TLS (if supported & server uses TLS).
   • Facility Code: Local7 (or as your convention)
   • Status: Enabled
2. Save.

C.2 — Map Log Categories to the Target

1. Still under Administration → System → Logging → Log Settings (or Remote Logging Targets), select Log Categories or logging profile.
2. For the rsyslog-lab target, enable the categories you want to forward (recommended defaults for SIEM: Authentication, Policy, System, RADIUS, Operations, Debug if needed).
   [Screenshot: ISE → Remote Logging Target → Select Categories]

1. Save and apply. ISE will begin sending selected events to the remote syslog target.

Validation in ISE GUI:

• Admin → System → Deployment → ensure Reporting/Logging services are active on the node.
• Operations → Logs (or Reports) may show remote logging status in some versions.

(Official Cisco steps and secure syslog/TLS options are documented in ISE admin guides). (Cisco)

---

Part D — Test event generation & end-to-end verification

D.1 — Generate test events

• On client: perform 802.1X authentication (connect Ethernet cable, trigger supplicant).
• Or use logger on the switch (or use send log if available) to create test syslog messages.

D.2 — Verify on rsyslog server

# tail logs for messages from ISE and NAD
sudo tail -F /var/log/remote/<ise-hostname>/*.log /var/log/remote/<switch-hostname>/*.log
# or grep a recent timestamp:
sudo grep "Access-Accept" /var/log/remote/<ise-hostname>/*.log -n

D.3 — Validate ISE sent attributes (GUI)

• ISE → Operations → RADIUS → Live Logs → open the same session → confirm the timestamp and see that the session was logged, noting message ID or attributes.
  [Screenshot: ISE Live Logs]

D.4 — Confirm message content

• On the syslog server capture live traffic (optional):

sudo tcpdump -n -s0 -w /tmp/ise-syslog.pcap host 10.10.10.50 and tcp port 514
# or for UDP:
sudo tcpdump -n -s0 -w /tmp/ise-syslog.pcap udp port 514

Open capture in Wireshark; filter syslog — confirm message includes ISE message text, timestamp, facility, and hostname.

D.5 — Cross-check fields

• Ensure hostname in message matches NAD or ISE name expected, and that timestamp closely matches ISE Live Log entry. If hostname missing, consider enabling RFC5424 format on NAD (where supported) or using consistent logging templates. (ISE and modern Cisco platforms support RFC5424 concepts; structured data helps parsing). (Cisco, RFC Editor)

---

Part E — Optional: Configure secure delivery and high availability

• Use TLS (rsyslog + switch/ISE support) to encrypt syslog in transit — configure certificates on both ends. Cisco ISE supports secure TLS syslog for remote logging targets (enable Secure Syslog option). (Cisco)
• For high availability, configure multiple remote logging targets and configure devices to send to a pair of collectors (or load-balanced front end) to avoid single-point failure. In ISE you can add multiple targets and map categories to them.

---

Part F — Log rotation, retention & indexing (syslog server)

• Configure logrotate to rotate /var/log/remote/* to avoid disk exhaustion:

# /etc/logrotate.d/remote-syslog
/var/log/remote/*/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 syslog adm
}

• For SIEM ingestion, either forward files or configure rsyslog to forward messages to SIEM over reliable channel (TCP/TLS) or use filebeat/promtail to ship logs.

---

FAQs

1. Q — Should I use UDP or TCP/TLS for syslog?
A: Use TCP or TCP+TLS for production to avoid packet loss and to encrypt logs in transit. UDP is acceptable for labs but unreliable in congested networks. (rsyslog supports both; ISE supports secure syslog over TLS). (Rsyslog, Cisco)

---

2. Q — Which ISE log categories should I forward to SIEM?
A: Minimum: Authentication, RADIUS, System, Policy/Authorization. Add Debug and Trace only for limited troubleshooting windows (they are very verbose).

---

3. Q — Does ISE support RFC5424 syslog format?
A: ISE produces structured syslog messages; modern Cisco platforms support RFC5424 and structured syslog to improve parsing. Ensure your collector is RFC5424-capable. (Cisco, RFC Editor)

---

4. Q — How do I prevent message drops during ISE restarts or WAN outages?
A: Use local buffering on rsyslog (or ISE Messaging Service options) and configure multiple logging targets. ISE’s messaging service provides resiliency for MnT scenarios in distributed deployments — check your ISE version docs for details. (Cisco Community)

---

5. Q — Why do syslog messages sometimes show the wrong hostname?
A: Syslog sender uses its configured source hostname or IP. Ensure logging source-interface on switches and correct FQDN / hostname settings on devices. RFC5424 formatting (and correct templates) helps the collector find the host field. (RFC Editor)

---

6. Q — Can ISE send logs to multiple collectors (SIEM + local archive)?
A: Yes — add multiple Remote Logging Targets in ISE and map categories to each target.

---

7. Q — How do I verify which ISE node is sending logs?
A: Check syslog messages for source IP/hostname. In ISE GUI, Administration → System → Deployment shows which services (MnT/Logging) run on which nodes. Enable logging on the PAN/PSN nodes that you want to forward.

---

8. Q — What syslog fields are most useful for correlating ISE events?
A: Timestamp (ms), Calling-Station-Id (MAC), NAS-IP-Address (switch), UserName, and message ID or session ID. These should be present in ISE’s syslog messages.

---

9. Q — How do I test syslog TLS in a lab?
A: Configure rsyslog to listen on TLS port (6514), place server certs, configure ISE remote logging target to use Secure Syslog/TLS (if available), and check ss -lntp and tcpdump for TLS traffic. Use valid CA-signed certs for production.

---

10. Q — My SIEM shows truncated ISE messages — what to do?
A: Increase syslog server message length buffer and use TCP/TLS (less fragmentation). Ensure rsyslog templates capture entire message and disable any truncation options in the SIEM ingestion pipeline.

---

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

---

Closing Notes (key takeaways)

• Centralize logs: ISE + syslog/SIEM = operational visibility & compliance.
• Prefer TCP/TLS for reliability + security. Rsyslog supports TCP and TLS inputs; configure certificates. (Rsyslog)
• Map categories: only forward what you need (Auth/RADIUS/System) and enable Debug for short troubleshooting windows.
• NTP is mandatory: accurate timestamps are the backbone of correlation.
• Test & validate: produce auth events, check ISE Live Logs and syslog server, verify attributes and timestamps, and capture packets if needed.
• Plan retention & rotation to avoid disk exhaustion and for compliance.

---

Fast-Track to Cisco ISE Mastery Pro

If you want to operate Cisco ISE like a pro — instrumented, auditable and production ready — join 4-month Instructor-Led CCIE Security & ISE Mastery Program. This course takes you from lab setup to production hardening:

• Hands-on labs (VMware/EVE-NG): ISE installs, syslog/SIEM integration, secure TLS syslog, high-availability, CoA, DACL, Posture & Profiling.
• Real-world troubleshooting playbooks — the exact steps you need on call.
• Live Q&A, lab packs, and career coaching.

View course outline & reserve your seat: https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

---