Configuring logging categories in Cisco ISE

The Cisco Identity Services Engine DSM for IBM® QRadar® collects syslog events from multiple event logging categories. To define which events are forwarded to QRadar, you must configure each event logging category on your Cisco ISE appliance.

Procedure

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration > System > Logging > Logging Categories.
    The following list shows the supported event logging categories for the IBM QRadar DSM for Cisco Identity Services Engine:
    • AAA audit
    • Failed attempts
    • Passed authentication
    • AAA diagnostics
    • Administrator authentication and authorization
    • Authentication flow diagnostics
    • Identity store diagnostics
    • Policy diagnostics
    • Radius diagnostics
    • Guest
    • Accounting
    • Radius accounting
    • Administrative and operational audit
    • Posture and client provisioning audit
    • Posture and client provisioning diagnostics
    • Profiler
    • System diagnostics
    • Distributed management
    • Internal operations diagnostics
    • System statistics
  3. Select an event logging category, and then click Edit.
  4. From the Log Severity list, select a severity for the logging category.
  5. In the Target field, add your remote logging target for QRadar to the Select box.
  6. Click Save.
  7. Repeat this process for each logging category that you want to forward to QRadar.

    Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in QRadar.
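To confirm the result of step 7, the following added example (not part of the original procedure or of any IBM or Cisco tooling) counts received events per logging category in a captured syslog stream and lists the categories that never arrived. It assumes that Cisco ISE tags each remote syslog message with a `CISE_<category>` name followed by a message ID, a segment total and a segment index; the tag names in the mapping and the sample lines are constructed, so check them against messages from your own appliance.

```python
import re
from collections import Counter

# Assumed mapping from the category names in the list above to the tag that
# ISE writes after the hostname. Verify against your appliance's output.
CATEGORY_TAGS = {
    "Passed authentication": "CISE_Passed_Authentications",
    "Failed attempts": "CISE_Failed_Attempts",
    "Radius accounting": "CISE_RADIUS_Accounting",
    "Administrative and operational audit":
        "CISE_Administrative_and_Operational_Audit",
}

# Assumed header layout: <tag> <message id> <total segments> <segment index>
HEADER_RE = re.compile(
    r"\s(?P<tag>CISE_\w+)\s+(?P<id>\d+)\s+(?P<total>\d+)\s+(?P<seg>\d+)\b"
)

# Constructed sample capture: one two-segment message and one unrelated line.
SAMPLE_CAPTURE = """\
<181>Jul 10 12:00:01 ise01 CISE_Passed_Authentications 0000000101 1 0 2024-07-10 12:00:01.100 +00:00 0000004001 5200 NOTICE Passed-Authentication: Authentication succeeded
<181>Jul 10 12:00:05 ise01 CISE_Failed_Attempts 0000000102 2 0 2024-07-10 12:00:05.230 +00:00 0000004002 5400 NOTICE Failed-Attempt: Authentication failed
<181>Jul 10 12:00:05 ise01 CISE_Failed_Attempts 0000000102 2 1 remaining attributes of the same event
<181>Jul 10 12:00:12 ise01 CISE_RADIUS_Accounting 0000000104 1 0 2024-07-10 12:00:12.870 +00:00 0000004003 3000 NOTICE Radius-Accounting: RADIUS Accounting start request
Jul 10 12:00:13 other-host sshd[411]: unrelated line
""".splitlines()


def count_events(lines):
    """Count events per tag; continuation segments are not counted again."""
    counts = Counter()
    for line in lines:
        match = HEADER_RE.search(line)
        if match and int(match.group("seg")) == 0:
            counts[match.group("tag")] += 1
    return counts


def missing_categories(lines, wanted):
    """Return the wanted category names for which no event was received."""
    counts = count_events(lines)
    return sorted(n for n in wanted if counts[CATEGORY_TAGS[n]] == 0)


if __name__ == "__main__":
    print(dict(count_events(SAMPLE_CAPTURE)))
    print("No events seen for:", missing_categories(SAMPLE_CAPTURE, CATEGORY_TAGS))
```

A category reported as missing either has no remote logging target assigned or has not generated an event during the capture window, so trigger a known event for that category before treating the result as a configuration gap.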