ACS 5.4 Log Collector

Similar Messages

• ACS 5.4 logs

  Hi there people!
  Im currently deploying ACS 5.4 for our network and i have some questions regarding logging events on ACS. I have read all the documents that come with ACS regarding logging but im still a bit confused.
  As of now ACS should have been running for about a month. I however can only see a maximum of 1-2 days of logs within the monitoring interface. I can however retrieve the last 7 days from the CLI.
  Is there a way to configure ACS to show more entries within the web interface? Or even create custom reports with TACACS events (authentication, authorization and accounting) from within the monitoring viewer?
  Another thing, we have 2 ACS systems installed one being the primary and the other the secondary instance. However, when primary instance, which is also the main log collector, goes down, we get no logs from the secondary acs....Is there a way around this?
  Thanks for a ny pointers in advance!

  Hi,
  Data retention limit:
  Customize reports:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/viewer_reporting.html#wp1133308
  Workaround to that issue is keep the secondary ACS as the log collector.
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• ACS 5.4 with ACS 5.6 as a Log Collector

  Hello,
  I have a ACS 5.4.0.46-6 running.
  Now I want to setup a ACS log collector on my ESX 5.5.
  Since ACS 5.4 is not supported on ESX 5.5 I want to install ACS 5.6.
  Question :
  I this setup possible?
  Can I use the ACS 5.6 as a log-collector for the ACS 5.4?
  Regards,
  Herald

  Hi,
  Herald .
  Your tests spare me lot of time since I was going to try the same configuration.
  I am afraid that such a configuration will not work as long  as the log collector server has to be part of the same distributed deployment other aaa servers are.Actually I think that servers members of the same distributed deployment needs to run same sw version
  Regards
  MM

• Cisco ACS-Log collector

  Hi all,
  I was doing some testing on the ACS 5.4 version in distributed deployment.
  Now the issue that, when my primary log collector is down, there is no logs for the accounting.
  Now is there any way to keep those logs when the primary log collector is down any suggestions to have work around for the same.
  Please suggest any method for the recovery.
  thanks
  Nitesh

  Hi NItesh,
  i'm suggesting to deploy another log server.
  and config remote log target to that server.
  in another way,
  you can config monitoring log recovery in Monitoring Configuration > System Operations > Log Message Recovery.
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#pgfId-1083029

• ACS 5.4, logging configuration.

  Hello.
  I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.
  For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
  When the primary instance fails I can authenticate successfully using the secondary instance.
  However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
  Please, can someone help me?
  I'm trying different configuration without success!
  Thanks.
  Regards.
  Andrea

  Yes, it is strange. I'm thinking I'm missing something on my configuration.
  This morning, I'm started with a fresh ACS 5.4 installation, install license, create one AAA client and one user. Then add the secondary instance an wait it to be updated.
  Log collector runs on primary and logs AAA audit correctly from primary and secondary instances.
  Log recovery is enabled: run every 10 minutes.
  When the primary instance is down I can auhenticate on secondary one without any problems.
  When the primary instance come back I'm able to see only failed AAA log coming from secondary during the primary fault.
  Any ideas?
  Yes, it is strange. I'm thinking I'm missing something on my configuration.
  This morning, I'm started with a fresh ACS 5.4 installation, install license, create one AAA client and one user. Then add the secondary instance an wait it to be updated.
  Log collector runs on primary and logs AAA audit correctly from primary and secondary instance.
  Log recovery is enabled.
  When the primary instance is down I can auhenticate on secondary instance without any problem.
  When the primary instance come back I'm able to see only failed AAA log coming from secondary during the primary fault.
  Any ideas?

• [ACS 5.4] Logs access from secondary server

  Hi,
  I have 2 ACS 5.4 in distributed environment. Everything left to defaults besides policy.
  Let assume ACS-A is the primary and ACS-B is the secondary. Regularly, I'd connect to ACS-A to make changes and WATCH LOGs.
  Now, let assume ACS-A is down. Obviously, I connect to ACS-B and everything works fine, besides logs. When I click on 'logs center', a blank window opens and nothing happens.
  But the URL it tries to open, it's ACS-A.
  Now, from what I saw, ACS-A being the primary box is the log collector for a distributed environment, by default. But how I supposed to watch the logs on a secondary server when primary is down?
  Thank you.

  Hello Alex,
  The following are the supported browsers and it should work fine in all fo them. Please have a look at them:-
  Supported Web Client and Browsers
  You can access the ACS 5.4 administrative user interface using the following web clients and browsers:
  •MAC Platform
  –Mozilla Firefox version 3.x
  –Mozilla Firefox version 10.x
  •Windows 7 32-bit
  •Windows 7 64-bit
  •Windows XP Professional (Service Pack 2 and 3)
  –Internet Explorer version 7.x
  –Internet Explorer version 8.x
  –Internet Explorer version 9.x
  –Mozilla Firefox version 3.x
  –Mozilla Firefox version 8.x
  –Mozilla Firefox version 9.x
  –Mozilla Firefox version 10.x
  The above mentioned browsers are supported only with one of the following cipher suits:
  –-TLS_RSA_WITH_AES_256_CBC_SHA
  –-TLS_RSA_WITH_AES_128_CBC_SHA
  –-RSA_WITH_3DES_EDE_CBC_SHA

• ACS 5.1 logging

  Hi,
  i have installed ACS 5.1.0.44 demo (demo license) on ESX VM 4.0, everything works fine.But i have a problem is the logging.
  1- i have configured the ACS to use remote log server, it sends the logs to the server in a very detail way.
  the question is how i can define certain attribute in the log send?  For example, how to send only in the log the following attribute: remote-address, meaasge, severity , time , date, and facility.
  the below is ONE log send from ACS to GFI log server
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 0 2010-06-23 18:01:55.897 +00:00 0000008864 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 1  ConfigVersionId=167, Device IP Address=10.39.2.26, RequestLatency=0, NetworkDeviceName=switch26, Type=Accounting,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 2  Privilege-Level=1, Service=Login, User=user1, Port=tty5, Remote-Address=10.39.24.7, Authen-Method=TacacsPlus, AVPair=task_id=76,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 3  AVPair=timezone=UTC, AVPair=start_time=1277296026, AVPair=disc-cause=9, AVPair=disc-cause-ext=2, AVPair=pre-session-time=0,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 4  AVPair=elapsed_time=9158, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=acs-demo/66496449/326,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 5  SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 ,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 6  NetworkDeviceGroups=Device Type:All Device Types, NetworkDeviceGroups=Location:All Locations,
  Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 7  Response={Type=Accounting; AcctReply-Status=Success; }
  2- can i configure ACS, to send the logs that are not sent when the log server is down, after the log server has been restored and up
  i.e. re-synchronizing???
  Please , i will appreciate if anyone can help
  Regards,
  George

  Hi,
  In ACS 5.x you can only define one syslog server on the CLI.
  However, via the GUI I belive you can define as many you want (i never reached any limit...)
  Please find complete info at:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/logging.html.
  HTH,
  Tiago

• Error verifing REDO LOG COLLECTOR

  Dear all,
  I get this error when i try to verify REDO collector:
  $avorcldb verify -src 10.52.128.176:3000:TEST -colltype REDO
  Introducir Nombre de Usuario de Origen: srcuser
  Introducir Contraseña de Origen:
  ERROR: el nombre de base de datos global para la base de datos origen debe incluir el dominio para utilizar el recopilador REDO LOG
  ERROR: defina los parámetros init.ora anteriores para los valores recomendados/necesarios
  The message languaje is spanish.... sorry.... the translation is:
  ERROR: Database global name for the source database must include the domain to use te REDO LOG COLLECTOR.
  ERROR: Define the before parameters on init.ora with the necesary values.
  I think that the error is because of the DB_DOMAIN parameter of the source database. I've incluide it and it doesn´t work.
  Thank you!!

  Of course, the problem looks easy but I can´t still solve it...
  I created the source user on the source database, following the instructions of the Administrator guide.
  After create this user and grant him the privileges of the script zarsspriv.sql and so on. Then I had to add a database and to do it, i have to enter the username and password of the user that i created and I have no problems...
  Then I need to add the collectors of the source database. When I add theses collector I dont have to enter the usernae/password, becasuse I entered it when I register the source database. Well... I add the DBAUD and OSAUD fine but when I try to add the REDO COLLECTOR i recive the error...
  The more strange is that I can verify the collectors fine:
  avorcldb verify -src neptuno:3000:testl -colltype REDO
  Enter Source user name: srcuser
  Enter Source password: ******
  source neptuno verified for REDO Log Audit Collector collector
  ...but when I launch the add_collector comand for REDO collector i have the problem..
  I´m using Oracle 10G, not 11G.
  Thanks

• Clear ACS 5.2 logs

  Hi,
  Is there any way to clear the history log of ACS 5.2 (authentication failed, pass, etc)?
  Thanks!

  Hi Tarik,
  I need to clear the logs because there are some messages from the system alarm collector (database failure) that are very frequent and are filling up all the buffer space. But you can only delete 100 messages at once that is the maximum length of one page.
  It could be useful to have the possibility to delete all the messages of a certain type.

• ACS PASSED AUTHENTICATION LOG

  Hi
  I am trying to export my passed/failed authentication log to MS-EXCEL . Since my log in acs is huge MS-EXCEL has a restriction on the number of rows and columns. How do i delete the old logs and have the logs between specified dates.
  Or is there any other mechanism so that i can open this log file in .csv format without truncating the content of the log file.
  Any help is appreciated
  Thanks in advance

  There are utilities about that allow you to split a file into a series of files but only containing N lines.
  Alternativly have you looked at AAA Reports from Extraxi, that allows you to do a whole host of reports and handles all the issues of archiving and management of the data.

• Cisco ACS 5.2 logs

  Hi
  Just looking if anyone know how to delete the accounting/authorization Reports or logs ?
  Screenshot has attached herewith for reference.
  Thanks.
  Regards
  Santosh

  Under System Administration , log configuration, local log target, ther's a spot where you configure for how long you keep the logs in ACS.
  if you change for one day then your logs wiill be deleted, and also ele all the logs.
  But i think this is for all the logs, so if you want to delete these records then you have to delete all of them.
  Anterov

• Acs:Delete specific log for user X

  Hi Experts
  on the acs 5.2 , how to delete specific log for user X, ?
  thanks
  jamil

  Not sure if this answers the question you are asking but the following option is available:
  Monitoring Configuration > System Configuration > Collection Filters
  Pres "Create" and Syslog Attribute of "User" and set the user name your are interested in
  This option prevents records for this user from being collected. It does not remove any records that have already been collected

• ACS - CSAUTH & CSRADIUS Logs

  Does anyone know how I can switch the paths for the logs
  C:\~~~\CSAuth\Logs\AUTH yy-mm-dd.log
  C:\~~~\CSRadius\Logs\RDS yy-mm-dd.log
  from their defaults? Ever since the enablement of the Radius Session Timeout attribute (027), the two daily logs are getting huge and taking up the a lot of the c:\ disk. Appreciate if someone can point me where I can change the directories from default. Thanks.
  Fanny

  Hi,
  I have huge log files as well...
  1. I have 2 ACS's with 1 of both as a backup..
  2. A few of days ago, the disk on the backup ACS is full and after check. the files in /CSAUTH/Logs and /CSMon/Logs hog them.
  3. After check, periodic file deletion function is not enabled.
  4. My question is that why the same both dir's on the primary ACS did not grow much though the
  periodic file deletion function is not enabled either.
  5. I am wondering whether the backup ACS need stay in monitoring the primary ACS status and that is why its log files in /CSauth/Logs grow quite fast..( over 10MB for each)
  Matthew

• [ACS 5.2] Upgrade to ACS 5.4

  Hi,
  We got 2 Cisco ACS 5.2.0.26.10.
  Primary server as authentication server and log collector
  Secondary server as authentication server. Replication is configured.
  I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934
  "There are some exceptions to this usual setup, which you can handle as described below:
  If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
  This exception matches with my case. I have to promote my secondary server as primary.
  I would have :
  Secondary server as authentication server and log collector
  Primary server as authentication server
  Now, I think I have to deregister secondary from primary server....
  According to the guide, I have to upgrade the log collector server.
  "Step 1: Choose any secondary server to become a log collector:"
  I dont have another secondary server...
  What should I do now? (upgrade secondary/log server? upgrade primary server? ... )
  This guide supposed that I have 2 secondary and 1 primary ...
  I dont know which steps to follow....
  Thanks for your help,
  Patrick

  You have a requets open to TAC and so you will get their guidance
  Wil still share some general clarifiactions that I am aware of when going from ACS 5.2 to ACS 5.4
  For the first step in the upgrade process, you want to upgrade the log collector since will have both configuration and M&T data.
  1) if ACS 5.2 log collector is a seconday should just deregister from the deployment to make standalone and then upgrade the server to be ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at end of overall process)
  2) if log collector is the primary on the ACS 5.2 then promote a difference server so that log collector is now secondary and can follow step 1)
  At this point have one server on ASC 5.4 and rest on ACS 5.2. Can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as guide says: "Register the secondary server to the ACS 5.4 primary server" - this is temporary primary server as described in step 1)
  Once all the servers are migrated then can select the "long term primary" ; as opposed to temporary one
  writing this I can see it is hard to explain. Am sure TAC will do better

• Remote Log Targets not working in ACS

  Dear all
  I have 2 x ACS boxes configured as Primary & secondary.
  In ACS1 - In monitoring and reports-> option  I can see the User authentication, authorization and Accounting activities logs. I want to configure ACS2 as remote log server.
  For that in ACS1, in System administration->Log configuration-> remote log targets->new
  Added as - ACS2- 1.1.1.2 - in Advance options -
  Port-20514 (default is 514, need to change to 20514 , Instructions  from Cisco),
  Facility mode - Level6
  Maximum length -1024
  In logging categoris - in Global - Edit "AAA Audit" - remote syslog Targets - i have added - Logcollector (ACS1) and ACS2.
  In Log collector optin --> ACS1 is configured.
  After this , i  open ACS2 - Monitoring and reports optin to view the logs but when ever i click - it is diverting to ACS1.
  if i change log collector in ACS1 as ACS2, i can see the logs on ACS2. so at a time i can see logs only one ACS box.
  I would like to view the logs in both ACS boxes. can any one help me please.

  As per Cisco,  you can not able to User 2 ACS boxes simultanously to recevie log messages. Remote Log targets for Syslog Server.
  so, i can't use simultanously 2 x acs boxes , i need to go for syslog server.
  Chapter 19, "Understanding Logging"
  Configuring Remote Log Targets
  You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 19, "Understanding Logging" for more information on remote log targets. See Configuring Logging Categories, page 18-25 for more information on the preconfigured ACS logging categories.
  Closing this ticket.. answered by Mohammed Feroz.