The Cisco Identity Services Engine DSM for IBM QRadar collects syslog events from multiple event logging categories. To define which events are forwarded to QRadar, you must configure each event logging category on your Cisco ISE appliance.
Procedure
- Log in to your Cisco ISE Administration Interface.
- From the navigation menu, select .
The following list shows the supported event logging categories for the IBM QRadar DSM for Cisco Identity Services Engine:
- AAA audit
- Failed attempts
- Passed authentication
- AAA diagnostics
- Administrator authentication and authorization
- Authentication flow diagnostics
- Identity store diagnostics
- Policy diagnostics
- Radius diagnostics
- Guest
- Accounting
- Radius accounting
- Administrative and operational audit
- Posture and client provisioning audit
- Posture and client provisioning diagnostics
- Profiler
- System diagnostics
- Distributed management
- Internal operations diagnostics
- System statistics
- Select an event logging category, and then click Edit.
- From the Log Severity list, select a severity for the logging category.
- In the Target field, add your remote logging target for QRadar to the Select box.
- Click Save.
- Repeat this process for each logging category that you want to forward to QRadar.
Events that are forwarded by Cisco ISE are displayed on the Log Activity tab in QRadar.