ACS 5.1 logging

Hi,
I have installed ACS 5.1.0.44 demo (demo license) on ESX VM 4.0, and everything works fine. But I have a problem with the logging.
1- I have configured the ACS to use a remote log server; it sends the logs to the server in a very detailed way.
The question is: how can I define which attributes are sent in the log? For example, how do I send only the following attributes in the log: remote-address, message, severity, time, date, and facility?
Below is ONE log sent from ACS to the GFI log server:
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 0 2010-06-23 18:01:55.897 +00:00 0000008864 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 1  ConfigVersionId=167, Device IP Address=10.39.2.26, RequestLatency=0, NetworkDeviceName=switch26, Type=Accounting,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 2  Privilege-Level=1, Service=Login, User=user1, Port=tty5, Remote-Address=10.39.24.7, Authen-Method=TacacsPlus, AVPair=task_id=76,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 3  AVPair=timezone=UTC, AVPair=start_time=1277296026, AVPair=disc-cause=9, AVPair=disc-cause-ext=2, AVPair=pre-session-time=0,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 4  AVPair=elapsed_time=9158, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=acs-demo/66496449/326,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 5  SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 ,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 6  NetworkDeviceGroups=Device Type:All Device Types, NetworkDeviceGroups=Location:All Locations,
Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 7  Response={Type=Accounting; AcctReply-Status=Success; }
2- Can I configure ACS to send the logs that were not sent while the log server was down, after the log server has been restored and is up,
i.e. re-synchronizing???
Please, I will appreciate it if anyone can help.
Regards,
George

Hi,
In ACS 5.x you can only define one syslog server on the CLI.
However, via the GUI I believe you can define as many as you want (I never reached any limit...)
Please find complete info at:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/logging.html.
HTH,
Tiago
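
As an added illustration (not part of the original posts and not Cisco's tooling): the record in the first post arrives as eight syslog lines that share message ID 0000000134, each carrying a segment count and a segment index. The Python example below reassembles such segments on the receiving side, tolerating out-of-order or lost segments, and keeps only chosen fields. The field layout is inferred from the sample lines, the input is constructed from them, and facility is not extracted because the syslog PRI value does not appear in the lines as stored.

```python
import re
from collections import defaultdict

# Constructed sample, adapted from the post: one 3-segment message delivered
# out of order, and one 2-segment message whose second segment never arrived.
PFX = "Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting "
SAMPLE = [
    PFX + "0000000134 3 1  Privilege-Level=1, Service=Login, User=user1, "
          "Port=tty5, Remote-Address=10.39.24.7, AVPair=task_id=76,",
    PFX + "0000000134 3 0 2010-06-23 18:01:55.897 +00:00 0000008864 3302 NOTICE "
          "Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,",
    PFX + "0000000134 3 2  AVPair=elapsed_time=9158, "
          "Response={Type=Accounting; AcctReply-Status=Success; }",
    PFX + "0000000135 2 0 2010-06-23 18:01:56.102 +00:00 0000008865 3302 NOTICE "
          "Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,",
]

# Segment header (assumed layout): host, category, message id, segment count, segment index.
SEGMENT = re.compile(r"(?P<host>\S+) (?P<cat>CSCOacs_\S+) (?P<msgid>\d{10}) "
                     r"(?P<total>\d+) (?P<seq>\d+)(?P<body>.*)$")
# Start of a reassembled body: date, time, zone, sequence no., code, severity, class, text.
HEAD = re.compile(r"(?P<date>\d{4}-\d\d-\d\d) (?P<time>[\d:.]+) [+-]\d\d:\d\d \d+ "
                  r"(?P<code>\d+) (?P<severity>[A-Z]+) [^:]+: (?P<message>[^,]*),(?P<attrs>.*)$")

def reassemble(lines):
    """Join segments per (host, msgid); report missing segment numbers separately."""
    parts, totals = defaultdict(dict), {}
    for line in lines:
        m = SEGMENT.search(line.rstrip())
        if m:
            key = (m["host"], m["msgid"])
            totals[key] = int(m["total"])
            parts[key][int(m["seq"])] = m["body"]
    complete, incomplete = {}, {}
    for key, segs in parts.items():
        missing = sorted(set(range(totals[key])) - set(segs))
        if missing:
            incomplete[key] = missing
        else:
            complete[key] = "".join(segs[i] for i in sorted(segs)).strip()
    return complete, incomplete

def parse_record(body):
    """Split a reassembled body into header fields and a name -> [values] map."""
    m = HEAD.match(body)
    if not m:
        return None
    attrs = defaultdict(list)  # AVPair, Step, ... repeat, so keep every value
    for item in re.split(r"\s*,\s*", m["attrs"].strip(" ,")):
        name, sep, value = item.partition("=")
        if sep:
            attrs[name.strip()].append(value.strip())
    return {"date": m["date"], "time": m["time"], "severity": m["severity"],
            "message": m["message"].strip(), "attrs": dict(attrs)}

def select(lines, wanted=("User", "Remote-Address")):
    """Return (rows, incomplete): one reduced row per complete message."""
    complete, incomplete = reassemble(lines)
    rows = []
    for body in complete.values():
        rec = parse_record(body)
        if rec:
            attrs = rec.pop("attrs")
            rec.update({w: attrs.get(w, [None])[0] for w in wanted})
            rows.append(rec)
    return rows, incomplete

if __name__ == "__main__":
    print(select(SAMPLE))
```

Messages listed in `incomplete` are the ones to chase when the collector was unreachable or a UDP segment was dropped.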

Similar Messages

  • ACS 5.4 logs

    Hi there people!
    I'm currently deploying ACS 5.4 for our network and I have some questions regarding logging events on ACS. I have read all the documents that come with ACS regarding logging but I'm still a bit confused.
    As of now ACS should have been running for about a month. I however can only see a maximum of 1-2 days of logs within the monitoring interface. I can however retrieve the last 7 days from the CLI.
    Is there a way to configure ACS to show more entries within the web interface? Or even create custom reports with TACACS events (authentication, authorization and accounting) from within the monitoring viewer?
    Another thing: we have 2 ACS systems installed, one being the primary and the other the secondary instance. However, when the primary instance, which is also the main log collector, goes down, we get no logs from the secondary ACS... Is there a way around this?
    Thanks for any pointers in advance!

    Hi,
    Data retention limit:
    Customize reports:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/viewer_reporting.html#wp1133308
    The workaround to that issue is to keep the secondary ACS as the log collector.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • ACS PASSED AUTHENTICATION LOG

    Hi
    I am trying to export my passed/failed authentication log to MS-EXCEL. My log in ACS is huge, and MS-EXCEL has a restriction on the number of rows and columns. How do I delete the old logs and have the logs between specified dates?
    Or is there any other mechanism so that I can open this log file in .csv format without truncating the content of the log file?
    Any help is appreciated
    Thanks in advance

    There are utilities about that allow you to split a file into a series of files but only containing N lines.
    Alternatively, have you looked at AAA Reports from Extraxi? That allows you to do a whole host of reports and handles all the issues of archiving and management of the data.

  • ACS 5.4, logging configuration.

    Hello.
    I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.
    For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
    When the primary instance fails I can authenticate successfully using the secondary instance.
    However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
    Please, can someone help me?
    I'm trying different configuration without success!
    Thanks.
    Regards.
    Andrea

    Yes, it is strange. I'm thinking I'm missing something on my configuration.
    This morning, I started with a fresh ACS 5.4 installation, installed the license, created one AAA client and one user. Then I added the secondary instance and waited for it to be updated.
    Log collector runs on primary and logs AAA audit correctly from primary and secondary instances.
    Log recovery is enabled: run every 10 minutes.
    When the primary instance is down I can authenticate on the secondary one without any problems.
    When the primary instance comes back I'm able to see only failed AAA logs coming from the secondary during the primary fault.
    Any ideas?
    Yes, it is strange. I'm thinking I'm missing something on my configuration.
    This morning, I started with a fresh ACS 5.4 installation, installed the license, created one AAA client and one user. Then I added the secondary instance and waited for it to be updated.
    Log collector runs on primary and logs AAA audit correctly from primary and secondary instance.
    Log recovery is enabled.
    When the primary instance is down I can authenticate on the secondary instance without any problem.
    When the primary instance comes back I'm able to see only failed AAA logs coming from the secondary during the primary fault.
    Any ideas?

  • [ACS 5.4] Logs access from secondary server

    Hi,
    I have 2 ACS 5.4 in distributed environment. Everything left to defaults besides policy.
    Let's assume ACS-A is the primary and ACS-B is the secondary. Regularly, I'd connect to ACS-A to make changes and WATCH LOGs.
    Now, let's assume ACS-A is down. Obviously, I connect to ACS-B and everything works fine, besides logs. When I click on 'logs center', a blank window opens and nothing happens.
    But the URL it tries to open is ACS-A.
    Now, from what I saw, ACS-A, being the primary box, is the log collector for a distributed environment by default. But how am I supposed to watch the logs on a secondary server when the primary is down?
    Thank you.

    Hello Alex,
    The following are the supported browsers and it should work fine in all of them. Please have a look at them:
    Supported Web Client and Browsers
    You can access the ACS 5.4 administrative user interface using the following web clients and browsers:
    •MAC Platform
    –Mozilla Firefox version 3.x
    –Mozilla Firefox version 10.x
    •Windows 7 32-bit
    •Windows 7 64-bit
    •Windows XP Professional (Service Pack 2 and 3)
    –Internet Explorer version 7.x
    –Internet Explorer version 8.x
    –Internet Explorer version 9.x
    –Mozilla Firefox version 3.x
    –Mozilla Firefox version 8.x
    –Mozilla Firefox version 9.x
    –Mozilla Firefox version 10.x
    The above mentioned browsers are supported only with one of the following cipher suites:
    –TLS_RSA_WITH_AES_256_CBC_SHA
    –TLS_RSA_WITH_AES_128_CBC_SHA
    –RSA_WITH_3DES_EDE_CBC_SHA

  • ACS 5.4 Log Collector

    I am not receiving any tacacs accounting, authentication or authorization entries in my log collector.  I have my secondary server as the collector and it is receiving radius entries but not tacacs.  If I move the collector to the primary server, all works perfect.  Why does the secondary not receive the logs?  The primary is the device that is doing the auth for all devices and it should be sending the logs to the collector.

    Hello,
    Sometimes this can be a DB corruption.
    Change the log collector back to the secondary. If you have the same behavior, reset the configuration on the secondary ACS and have it register again to the primary. This will make a clean DB on the secondary.
    Make sure you have the secondary ACS license handy.
    If you need specific help let me know and I will be glad to assist.
    Also make sure that the secondary ACS has all the services running and that it has the 500 GB of HDD.
    Regards,
    Erdelgad

  • Cisco ACS 5.2 logs

    Hi
    Just looking to see if anyone knows how to delete the accounting/authorization reports or logs?
    A screenshot is attached herewith for reference.
    Thanks.
    Regards
    Santosh

    Under System Administration, log configuration, local log target, there's a spot where you configure for how long you keep the logs in ACS.
    If you change it to one day then your logs will be deleted, and also ele all the logs.
    But I think this is for all the logs, so if you want to delete these records then you have to delete all of them.
    Anterov

  • Acs:Delete specific log for user X

    Hi Experts
    On the ACS 5.2, how do I delete a specific log for user X?
    thanks
    jamil

    Not sure if this answers the question you are asking but the following option is available:
    Monitoring Configuration > System Configuration > Collection Filters
    Press "Create" and Syslog Attribute of "User" and set the user name you are interested in.
    This option prevents records for this user from being collected. It does not remove any records that have already been collected.

  • Clear ACS 5.2 logs

    Hi,
    Is there any way to clear the history log of ACS 5.2 (authentication failed, pass, etc)?
    Thanks!

    Hi Tarik,
    I need to clear the logs because there are some messages from the system alarm collector (database failure) that are very frequent and are filling up all the buffer space. But you can only delete 100 messages at once that is the maximum length of one page.
    It could be useful to have the possibility to delete all the messages of a certain type.

  • ACS - CSAUTH & CSRADIUS Logs

    Does anyone know how I can switch the paths for the logs
    C:\~~~\CSAuth\Logs\AUTH yy-mm-dd.log
    C:\~~~\CSRadius\Logs\RDS yy-mm-dd.log
    from their defaults? Ever since the enablement of the Radius Session Timeout attribute (027), the two daily logs are getting huge and taking up a lot of the c:\ disk. I would appreciate it if someone could point me to where I can change the directories from the default. Thanks.
    Fanny

    Hi,
    I have huge log files as well...
    1. I have 2 ACSs, with one of them as a backup.
    2. A few days ago, the disk on the backup ACS became full and, after checking, the files in /CSAUTH/Logs and /CSMon/Logs were hogging it.
    3. After checking, the periodic file deletion function is not enabled.
    4. My question is why the same two directories on the primary ACS did not grow much, though the
    periodic file deletion function is not enabled there either.
    5. I am wondering whether the backup ACS needs to keep monitoring the primary ACS status and that is why its log files in /CSauth/Logs grow quite fast (over 10MB each).
    Matthew

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
    Get this Patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You are right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • ACS 5.5 and disappearing logs

    Hello
    I'm having issues with logging on a Cisco ACS 5.5.0.46 cluster. Cluster has been upgraded from latest 5.3 ACS to 5.5.
    After upgrading to 5.5 logging was working fine. Monitoring and Reports had historical logs and was logging live/current authentications.
    A few weeks back there was an issue outlined in the post below:
    https://supportforums.cisco.com/thread/2264123?tstart=30
    logging on the log collector stopped working. After restarting the logging process in the cluster, logging on the log collector started working again and I restored the missing logs from backup.
    A few days ago the log collector stopped working again - no logs at all (nothing live or historic). I restarted the log collector ACS VM and it started logging again but logs prior to the restart are missing.
    The ACS cluster is logging to syslog but I really need to have reliable logs on the ACS.
    I'm aware of a recent patch for 5.5 but the release notes don't seem to mention the above issue.
    Is it worth patching 5.5 or roll back to 5.4?
    Thanks
    andy

    Andy,
    Do you have log recovery option enabled under Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Log Message Recovery.
    For more information, go through the below listed link
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.5/user/guide/viewer_sys_ops.html#wp108302
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS Accounting Logs

    Is there any way within ACS to generate logs for just certain users, not all users, and to be able to automate this process?

    Accounting logs contain information about the use of remote access services by users. In the HTML interface, all accounting logs can be enabled, configured, and viewed. Refer to the following URL:
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204d0d.html#wp986166

  • ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

    Hi,
    We have a strange issue, maybe a known issue. We have the ACS 5.3.0.40 with Bluecoat Packetshaper (Packeteer) as the Radius Client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as the Auth success log. We are not able to log in to the PS either. Does anyone have any idea what the issue is? Is there anything to be done with the patch upgrade, or any issue with the Packetshaper?
    Below are the logs from the ACS server.
    Logged At:        September 4,2012 4:10:26.250 PM
    RADIUS Status: Authentication        succeeded
    NAS Failure:
    Username: knpdtf
    MAC/IP Address:
    Network        Device: Test-PS : 10.187.115.83:
    Access Service: Radius Network
    Identity        Store: Internal Users
    Authorization Profiles: Permit Access
    CTS        Security Group:
    Authentication Method: PAP_ASCII
    By
    Karthik

    Hi,
    Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How to survive an ACS audit with aaa-reports!

    For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
    It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
    Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
    Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
    Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
    Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
    Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
    Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
    Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
    In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network that require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
    Below are some additional TDA specific tips:
    Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
    Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
    Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
    Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
    Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
    Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
    The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
    For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm
