ACS - CSAUTH & CSRADIUS Logs

Does anyone know how I can switch the paths for the logs
C:\~~~\CSAuth\Logs\AUTH yy-mm-dd.log
C:\~~~\CSRadius\Logs\RDS yy-mm-dd.log
from their defaults? Ever since the enablement of the Radius Session Timeout attribute (027), the two daily logs are getting huge and taking up a lot of the c:\ disk. I would appreciate it if someone could point me to where I can change the directories from the default. Thanks.
Fanny

Hi,
I have huge log files as well...
1. I have 2 ACSs, with 1 of the two as a backup.
2. A few days ago, the disk on the backup ACS was full, and after checking, the files in /CSAUTH/Logs and /CSMon/Logs were hogging it.
3. After checking, the periodic file deletion function is not enabled.
4. My question is why the same two directories on the primary ACS did not grow much, though the periodic file deletion function is not enabled there either.
5. I am wondering whether the backup ACS needs to keep monitoring the primary ACS status, and that is why its log files in /CSauth/Logs grow quite fast (over 10MB each).
Matthew

Similar Messages

  • Unknown CSRadius Log Entries

    G'Day Guys!
    We're running 2 Cisco Secure ACS v4.2. In the CSRadius-logs about 90 percent of it looks like this:
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
    I'd appreciate it if someone could help us to understand those entries and the behaviour!
    Can you guys give us ideas what to do about it and where to look for its cause?!
    Thanks a lot!

    Hi,
    Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.
    Basically:
    Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
    But during radius accounting the group mapping fails and it gets mapped to default group.
    As it was never reported by any customer it is marked as internal found, so not visible to customers.
    However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.
    Regarding the IDs in bold, there is no decoding for those, as they are incremental IDs that simply identify the internal ACS processes and authentication attempts. There is no specific decoding for them.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS 5.1 logging

    Hi,
    I have installed ACS 5.1.0.44 demo (demo license) on ESX VM 4.0, and everything works fine. But I have a problem with the logging.
    1- I have configured the ACS to use a remote log server, and it sends the logs to the server in a very detailed way.
    The question is how I can define certain attributes in the log sent. For example, how to send only the following attributes in the log: remote-address, message, severity, time, date, and facility.
    Below is ONE log sent from ACS to the GFI log server:
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 0 2010-06-23 18:01:55.897 +00:00 0000008864 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 1  ConfigVersionId=167, Device IP Address=10.39.2.26, RequestLatency=0, NetworkDeviceName=switch26, Type=Accounting,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 2  Privilege-Level=1, Service=Login, User=user1, Port=tty5, Remote-Address=10.39.24.7, Authen-Method=TacacsPlus, AVPair=task_id=76,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 3  AVPair=timezone=UTC, AVPair=start_time=1277296026, AVPair=disc-cause=9, AVPair=disc-cause-ext=2, AVPair=pre-session-time=0,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 4  AVPair=elapsed_time=9158, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=acs-demo/66496449/326,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 5  SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 ,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 6  NetworkDeviceGroups=Device Type:All Device Types, NetworkDeviceGroups=Location:All Locations,
    Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 8 7  Response={Type=Accounting; AcctReply-Status=Success; }
    2- Can I configure ACS to send the logs that were not sent while the log server was down, after the log server has been restored and is up,
    i.e. re-synchronizing?
    Please, I would appreciate it if anyone can help.
    Regards,
    George

    Hi,
    In ACS 5.x you can only define one syslog server on the CLI.
    However, via the GUI I believe you can define as many as you want (I never reached any limit...)
    Please find complete info at:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/logging.html.
    HTH,
    Tiago
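
Filtering can also be done on the receiving side. The sketch below is an added example, not part of the original thread and not Cisco code: it reassembles the segmented messages shown in the question (the three numbers after the category name are read here as message id, segment count and segment index) and keeps only selected fields. Those field meanings are inferred from the sample lines, and the input is constructed from them.

```python
import re

# Optional prefix added by the receiving server, then the ACS header.
HEADER = re.compile(
    r"^(?:\w{3}\s+\d+ [\d:]{8} \S+ )?"
    r"\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<category>CSCOacs_\S+) "
    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<seg>\d+) (?P<payload>.*)$")
# Start of segment 0: local time, sequence, code, severity, class, text.
FIRST = re.compile(
    r"^(?P<time>\S+ \S+ \S+) \d+ (?P<code>\d+) (?P<severity>\w+) "
    r"[^:]+: (?P<text>[^,]*), ?(?P<attrs>.*)$")

# Constructed sample: shortened from the lines in the question, out of order,
# plus one message (0000000135) whose second segment never arrived.
SAMPLE = [
    "Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 3 2  AVPair=elapsed_time=9158, Response={Type=Accounting; AcctReply-Status=Success; }",
    "Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 3 0 2010-06-23 18:01:55.897 +00:00 0000008864 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ACSVersion=acs-5.1.0.44-B.2347,",
    "Jun 23 17:59:45 10.39.250.11 Jun 23 18:01:55 acs-demo CSCOacs_TACACS_Accounting 0000000134 3 1  NetworkDeviceName=switch26, User=user1, Remote-Address=10.39.24.7, AVPair=task_id=76,",
    "Jun 23 18:01:56 acs-demo CSCOacs_TACACS_Accounting 0000000135 2 0 2010-06-23 18:01:56.102 +00:00 0000008865 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, User=user1,",
]

def parse_record(host, msg_id, category, body):
    m = FIRST.match(body)
    if not m:
        return None
    rec = {"host": host, "msg_id": msg_id, "category": category, "time": m["time"],
           "severity": m["severity"], "message": m["text"].strip(), "attrs": {}}
    # Assumes attribute values contain no commas; repeated names (AVPair, Step) become lists.
    for item in re.split(r"\s*,\s*", m["attrs"].strip(" ,")):
        name, sep, value = item.partition("=")
        if sep:
            rec["attrs"].setdefault(name.strip(), []).append(value.strip())
    return rec

def reassemble(lines):
    """Return (records, rejected): full messages parsed, partial ones listed by key."""
    parts = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if m:
            e = parts.setdefault((m["host"], m["msg_id"]),
                                 {"category": m["category"], "total": int(m["total"]), "segs": {}})
            e["segs"][int(m["seg"])] = m["payload"].strip()
    records, rejected = [], []
    for (host, msg_id), e in parts.items():
        rec = None
        if set(e["segs"]) == set(range(e["total"])):   # every segment present
            body = " ".join(e["segs"][i] for i in range(e["total"]))
            rec = parse_record(host, msg_id, e["category"], body)
        if rec:
            records.append(rec)
        else:
            rejected.append((host, msg_id))   # lost segment or unexpected layout
    return records, rejected

def slim(rec, wanted=("Remote-Address", "User", "NetworkDeviceName")):
    """Keep the header fields plus the first value of each wanted attribute."""
    out = {k: rec[k] for k in ("time", "host", "severity", "message")}
    out.update({k: rec["attrs"][k][0] for k in wanted if k in rec["attrs"]})
    return out
```

Messages with a missing segment are reported separately instead of being parsed as partial records, which matters for accounting data carried over UDP syslog.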

  • ACS 5.4 logs

    Hi there people!
    I'm currently deploying ACS 5.4 for our network and I have some questions regarding logging events on ACS. I have read all the documents that come with ACS regarding logging but I'm still a bit confused.
    As of now ACS should have been running for about a month. I however can only see a maximum of 1-2 days of logs within the monitoring interface. I can however retrieve the last 7 days from the CLI.
    Is there a way to configure ACS to show more entries within the web interface? Or even create custom reports with TACACS events (authentication, authorization and accounting) from within the monitoring viewer?
    Another thing, we have 2 ACS systems installed one being the primary and the other the secondary instance. However, when primary instance, which is also the main log collector, goes down, we get no logs from the secondary acs....Is there a way around this?
    Thanks for any pointers in advance!

    Hi,
    Data retention limit:
    Customize reports:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/viewer_reporting.html#wp1133308
    Workaround to that issue is keep the secondary ACS as the log collector.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • ACS PASSED AUTHENTICATION LOG

    Hi
    I am trying to export my passed/failed authentication log to MS-EXCEL. Since my log in ACS is huge, and MS-EXCEL has a restriction on the number of rows and columns, how do I delete the old logs and have the logs between specified dates?
    Or is there any other mechanism so that I can open this log file in .csv format without truncating the content of the log file?
    Any help is appreciated
    Thanks in advance

    There are utilities about that allow you to split a file into a series of files, each containing only N lines.
    Alternatively, have you looked at AAA Reports from Extraxi? That allows you to do a whole host of reports and handles all the issues of archiving and management of the data.

  • ACS 5.4, logging configuration.

    Hello.
    I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.
    For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
    When the primary instance fails I can authenticate successfully using the secondary instance.
    However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
    Please, can someone help me?
    I'm trying different configuration without success!
    Thanks.
    Regards.
    Andrea

    Yes, it is strange. I'm thinking I'm missing something in my configuration.
    This morning, I started with a fresh ACS 5.4 installation, installed the license, and created one AAA client and one user. Then I added the secondary instance and waited for it to be updated.
    Log collector runs on primary and logs AAA audit correctly from primary and secondary instances.
    Log recovery is enabled: run every 10 minutes.
    When the primary instance is down I can authenticate on the secondary one without any problems.
    When the primary instance comes back I'm able to see only failed AAA logs coming from the secondary during the primary fault.
    Any ideas?

  • [ACS 5.4] Logs access from secondary server

    Hi,
    I have 2 ACS 5.4 in distributed environment. Everything left to defaults besides policy.
    Let's assume ACS-A is the primary and ACS-B is the secondary. Regularly, I'd connect to ACS-A to make changes and WATCH LOGs.
    Now, let's assume ACS-A is down. Obviously, I connect to ACS-B and everything works fine, besides logs. When I click on 'logs center', a blank window opens and nothing happens.
    But the URL it tries to open is ACS-A.
    Now, from what I saw, ACS-A, being the primary box, is the log collector for a distributed environment by default. But how am I supposed to watch the logs on a secondary server when the primary is down?
    Thank you.

    Hello Alex,
    The following are the supported browsers and it should work fine in all of them. Please have a look at them:
    Supported Web Client and Browsers
    You can access the ACS 5.4 administrative user interface using the following web clients and browsers:
    •MAC Platform
    –Mozilla Firefox version 3.x
    –Mozilla Firefox version 10.x
    •Windows 7 32-bit
    •Windows 7 64-bit
    •Windows XP Professional (Service Pack 2 and 3)
    –Internet Explorer version 7.x
    –Internet Explorer version 8.x
    –Internet Explorer version 9.x
    –Mozilla Firefox version 3.x
    –Mozilla Firefox version 8.x
    –Mozilla Firefox version 9.x
    –Mozilla Firefox version 10.x
    The above-mentioned browsers are supported only with one of the following cipher suites:
    –TLS_RSA_WITH_AES_256_CBC_SHA
    –TLS_RSA_WITH_AES_128_CBC_SHA
    –RSA_WITH_3DES_EDE_CBC_SHA

  • ACS 5.4 Log Collector

    I am not receiving any tacacs accounting, authentication or authorization entries in my log collector.  I have my secondary server as the collector and it is receiving radius entries but not tacacs.  If I move the collector to the primary server, all works perfect.  Why does the secondary not receive the logs?  The primary is the device that is doing the auth for all devices and it should be sending the logs to the collector.

    Hello,
    Sometimes this can be a DB corruption.
    Change the log collector back to the secondary. If you have the same behavior, reset the configuration on the secondary ACS and have it register again to the primary. This will make a clean DB on the secondary.
    Make sure you have the secondary ACS license handy.
    If you need specific help let me know and I will be glad to assist.
    Also make sure that the secondary ACS has all the services running and that it has the 500 GB of HDD.
    Regards,
    Erdelgad

  • Cisco ACS 5.2 logs

    Hi
    Just looking to see if anyone knows how to delete the accounting/authorization reports or logs?
    A screenshot is attached herewith for reference.
    Thanks.
    Regards
    Santosh

    Under System Administration, log configuration, local log target, there's a spot where you configure for how long you keep the logs in ACS.
    If you change it to one day then your logs will be deleted, and also ele all the logs.
    But i think this is for all the logs, so if you want to delete these records then you have to delete all of them.
    Anterov

  • Acs:Delete specific log for user X

    Hi Experts
    On the ACS 5.2, how do I delete a specific log for user X?
    thanks
    jamil

    Not sure if this answers the question you are asking but the following option is available:
    Monitoring Configuration > System Configuration > Collection Filters
    Press "Create", select the Syslog Attribute of "User", and set the user name you are interested in.
    This option prevents records for this user from being collected. It does not remove any records that have already been collected.

  • Clear ACS 5.2 logs

    Hi,
    Is there any way to clear the history log of ACS 5.2 (authentication failed, pass, etc)?
    Thanks!

    Hi Tarik,
    I need to clear the logs because there are some messages from the system alarm collector (database failure) that are very frequent and are filling up all the buffer space. But you can only delete 100 messages at once that is the maximum length of one page.
    It could be useful to have the possibility to delete all the messages of a certain type.

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this day, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
    Get this Patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You are right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • ACS 5.5 and disappearing logs

    Hello
    I'm having issues with logging on a Cisco ACS 5.5.0.46 cluster. Cluster has been upgraded from latest 5.3 ACS to 5.5.
    After upgrading to 5.5 logging was working fine. Monitoring and Reports had historical logs and was logging live/current authentications.
    A few weeks back there was an issue outlined in the post below:
    https://supportforums.cisco.com/thread/2264123?tstart=30
    logging on the log collector stopped working. After restarting the logging process in the cluster, logging on the log collector started working again and I restored the missing logs from backup.
    A few days ago the log collector stopped working again - no logs at all (nothing live or historic). I restarted the log collector ACS VM and it started logging again but logs prior to the restart are missing.
    The ACS cluster is logging to syslog but I really need to have reliable logs on the ACS.
    I'm aware of a recent patch for 5.5 but the release notes don't seem to mention the above issue.
    Is it worth patching 5.5 or roll back to 5.4?
    Thanks
    andy

    Andy,
    Do you have the log recovery option enabled? Under Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Log Message Recovery.
    For more information, go through the link listed below:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.5/user/guide/viewer_sys_ops.html#wp108302
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS Accounting Logs

    Is there any way within ACS to generate logs for just certain users, not all users, and to be able to automate this process?

    Accounting logs contain information about the use of remote access services by users. In the HTML interface, all accounting logs can be enabled, configured, and viewed. Refer to the following URL:
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204d0d.html#wp986166

  • Upgrade 4.2.0 Build(124) Patch17 to 4.2.1 - ACS folder locked

    I am trying to upgrade ACS 4.2.0 to 4.2.1. When the installation program tries to uninstall the current version of ACS it fails with the message "The CiscoSecure ACS folder appears to be locked by another application"
    - ACS is installed on Win 2003R2 server.
    - There is no antivirus program installed on the server
    - All application windows (Explorer,...) are closed
    - I'm the only user working on this server
    - ACS log files are reduced to 3 days history.
    ACS is integrated with RSA SecurID. Could this be the cause? Should I uninstall RSA SecurID?
    Petr

    As per my experience, we generally see this error due to a huge accumulation of logs in the ACS installation folder / install directory.
    Please remove or relocate all the files from the following locations of the ACS install directory and then try to upgrade again.
    Once deleted, we can recover these logs again.
    \CSAuth\Logs
    \CSRadius\Logs
    \CSTacacs\Logs
    \CSLog\Logs
    \CSMon\Logs
    \CSAdmin\Logs
    \CSDbsync\Logs
    Also, did we have ACS set to full logging in past?
    Jatin Katyal
    - Do rate helpful posts -
