4 Replies Latest reply on Apr 4, 2016 2:08 PM by wolram

    CISCO ISE AND LEM

    paul1gilbert

      Hello experts,

       

      I have a customer wanting to configure his ISE 2.0 server to send syslog messages to his LEM. We tried different ways but we can't make it work.

      We configured ISE with the IP of LEM and with logging facility 6.

      On LEM we followed this link:

      http://www.solarwinds.com/documentation/LEM/Docs/LEM_Evaluation_Guide.pdf

       

      We configured LEM for syslog, defined the IP of ISE but the LEM never finds the node.

       

      Is there something we are missing?

       

        • Re: CISCO ISE AND LEM
          wolram

          Hi paul1gilbert

           

          Two things here:

          1. You need to increase the size of the buffer that Cisco ISE sends to the LEM. I unfortunately do not have a handy screenshot from Cisco's console to show you (if you do this, it would be great if you shared a screenshot). Make the buffer of what is sent via syslog as large as possible. The reason for this is that Cisco did not stay within the 1024 RFC for syslog, and as such it breaks all the lines up separately, which makes it a pure pain to pull them all back together. Once you get that changed, you move on to the second item.

          2. In this situation I would configure Cisco ISE by hand instead of doing a scan for new nodes. It will be quicker since you already know you have a Cisco ISE. Otherwise what you are doing is sending a sample of log lines through every single connector to figure out which one it might match.

           

          Also look at checklogs from the cmc to see if the logs are actually getting to local6.

           

          Hope that helps out.

            • Re: CISCO ISE AND LEM
              paul1gilbert

              Hi,

               

              Thanks for the response. I just configured ISE with a maximum length of 8192.

              How do I configure LEM to manually join ISE? Do you have a guide?

              • Re: CISCO ISE AND LEM
                barrycuda72

                Have you actually gotten this to work? I had an open ticket with SolarWinds support and they said it would not work. I tried your suggestion and raised the buffer; I am getting information into local6 (I was before as well), but no matter what you try the connector will not recognize anything.

                  • Re: CISCO ISE AND LEM
                    wolram

                    Yes, this works. Multiple customers have this working after raising the buffer and using the ISE connector. If you are having trouble then I would suggest opening a support ticket.

                     

                    There was a point in time where this was not working and it turned out what was needed was an increase in the Cisco buffer that was sent.  After that the lines came in together and you could then configure the connector manually.
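
Added example (not part of the thread, and not SolarWinds or Cisco tooling): a small check for the two things the replies say to verify, namely that datagrams arrive tagged local6 and whether any exceed the 1024-byte limit mentioned above. The sample datagrams and the host name `ise-example` are constructed; the function names are hypothetical.

```python
import re

LOCAL6 = 22      # syslog facility code for local6 (local0 is 16)
MAX_LEN = 1024   # byte limit referred to in the thread

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # highest valid PRI is 23 * 8 + 7
        return None
    return pri >> 3, pri & 7

def audit(datagrams):
    """Count datagrams by facility and flag those longer than MAX_LEN bytes."""
    report = {"total": 0, "local6": 0, "other_facility": 0,
              "no_pri": 0, "oversize": 0}
    for d in datagrams:
        report["total"] += 1
        decoded = decode_pri(d)
        if decoded is None:
            report["no_pri"] += 1          # payload arrived without a syslog header
        elif decoded[0] == LOCAL6:
            report["local6"] += 1
        else:
            report["other_facility"] += 1  # sender is not using facility 6
        if len(d) > MAX_LEN:
            report["oversize"] += 1        # longer than the limit
    return report

# Constructed sample datagrams (not real ISE output).
SAMPLES = [
    b"<181>Apr  4 14:08:00 ise-example constructed message " + b"A" * 200,
    b"<181>Apr  4 14:08:01 ise-example constructed message " + b"B" * 1500,
    b"<134>Apr  4 14:08:02 ise-example sent on local0, not local6",
    b"payload with no PRI header",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLES).items():
        print(f"{key}: {value}")
```
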