The Cisco Identity Services Engine DSM for IBM® QRadar® collects syslog events from multiple event logging categories. To define which events are forwarded to QRadar, you must configure each event logging category on your Cisco ISE appliance.
Procedure
- Log in to your Cisco ISE Administration Interface.
- From the navigation menu, select .
  The following list shows the supported event logging categories for the IBM QRadar DSM for Cisco Identity Services Engine:
  - AAA audit
  - Failed attempts
  - Passed authentication
  - AAA diagnostics
  - Administrator authentication and authorization
  - Authentication flow diagnostics
  - Identity store diagnostics
  - Policy diagnostics
  - RADIUS diagnostics
  - Guest
  - Accounting
  - RADIUS accounting
  - Administrative and operational audit
  - Posture and client provisioning audit
  - Posture and client provisioning diagnostics
  - Profiler
  - System diagnostics
  - Distributed management
  - Internal operations diagnostics
  - System statistics
- Select an event logging category, and then click Edit.
- From the Log Severity list, select a severity for the logging category.
- In the Target field, add your remote logging target for QRadar to the Select box.
- Click Save.
- Repeat this process for each logging category that you want to forward to QRadar.
Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in QRadar.