Table Of Contents
Logs and Reports
About ACS Logs and Reports
AAA-Related Logs
ACS Audit Logs
ACS Logging Formats and Targets
CSV Logger
Syslog Logger
ODBC Logger (ACS for Windows only)
Remote Logging for ACS for Windows
Remote Logging for ACS SE with ACS Remote Agents
Dynamic Administration Reports
Entitlement Reports
Service Logs
Configuring ACS Logs
Configuring Critical Loggers
Configuring a CSV Log
Configuring Syslog Logging
Configuring an ODBC Log (ACS for Windows only)
Configuring and Enabling Remote Logging (ACS for Windows only)
Configuring the Remote Logging Server
Configuring ACS to Send Data to a Remote Logger
Configuring Logging to Remote Agents (ACS SE only)
Configuring ACS SE to Send Data to the Remote Agent
Configuring Remote Agent Logs on the Configuration Provider
Configuring Service Logs
Providing Service Logs for Customer Support
Viewing and Downloading Reports
Viewing and Downloading CSV Reports
CSV Log File Names
Viewing a CSV Report
Downloading a CSV Report
Viewing Dynamic Administration Reports
Viewing the Logged-in Users Report
Viewing the Disabled Accounts Report
Viewing the Appliance Status Report
Viewing and Downloading Entitlement Reports
Update Packets in Accounting Logs
Logging Configuration Pages Reference
Logging Configuration Page
Critical Loggers Configuration Page
Remote Logging Setup Page
Remote Agents Reports Configuration Page (ACS SE only)
CSV log File Configuration Page
Syslog log Configuration Page
ODBC log Configuration Page (ACS for Windows only)
Service Control Page Reference
Reports Page Reference
Logs and Reports
The Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS, produces a variety of logs. You can download many of these logs, or view them in the ACS web interface as HTML reports.
These topics describe how to configure and view ACS logs and reports:
•
About ACS Logs and Reports
•Configuring ACS Logs
•Viewing and Downloading Reports
•Update Packets in Accounting Logs
•Logging Configuration Pages Reference
•Service Control Page Reference
•Reports Page Reference
About ACS Logs and Reports
ACS logs a variety of user and system activities to different formats and targets. These topics describe the information that you can log:
•AAA-Related Logs
•ACS Audit Logs
•ACS Logging Formats and Targets
•Dynamic Administration Reports
•Entitlement Reports
•Service Logs
AAA-Related Logs
AAA-related logs contain information about the use of remote access services by users. Table 10-1 describes all AAA-related logs.
In the web interface, you can enable, configure, and view AAA-related logs, if you have the appropriate permissions.
Table 10-1 AAA-Related Log Descriptions
Log
|
Description
|
TACACS+ Accounting
|
Contains:
•User sessions stop and start times
•AAA client messages with username
•Caller line identification (CLID)
•Session duration
|
TACACS+ Administration
|
Lists configuration commands entered on a AAA client by using TACACS+ (Cisco IOS). Particularly if you use ACS to perform command authorization, we recommend that you use this log.
Note To use the TACACS+ Administration log, you must configure TACACS+ AAA clients to perform command accounting with ACS. The following line must appear in the access server or router configuration file:
aaa accounting commands start-stop tacacs+
|
RADIUS Accounting
|
Contains:
•User sessions stop and start times
•AAA client messages with username
•Caller line identification information
•Session duration
You can configure ACS to include accounting for Voice-over-IP (VoIP) in the RADIUS Accounting log, in a separate VoIP accounting log, or in both places.
|
VoIP Accounting
|
Contains:
•VoIP session stop and start times
•AAA client messages with username
•CLID information
•VoIP session duration
You can configure ACS to include accounting for VoIP in this separate VoIP accounting log, in the RADIUS Accounting log, or in both places.
|
Failed Attempts
|
Lists authentication and authorization failures with an indication of the cause. For posture-validation requests, this log records the results of any posture validation that returns a posture token other than Healthy.
You can use these reports to find out who disabled the account if a given number of failed attempts has been enabled under the expiration information. This can also provide some insight into intrusion attempts and is a valuable tool for troubleshooting.
|
Passed Authentications
|
Lists successful authentication requests. This log does not depend on accounting packets from your AAA clients, so it is available; even if your AAA clients do not support RADIUS accounting or if you have disabled accounting on your AAA clients. For posture-validation requests, this log records the results of all posture-validation requests resulting in an SPT.
|
Logging Attributes
Information is logged as a set of logging attributes. These attributes can be:
•Cisco generic.
•RADIUS generic—See Appendix C, "RADIUS Attributes" for information about these attributes.
•TACACS generic—See Appendix B, "TACACS+ Attribute-Value Pairs" for information about these attributes.
•ACS specific.
Among the many attributes that ACS can record in its logs, a few are of special importance. The following list explains the special logging attributes that ACS provides.
•User Attributes—These logging attributes appear in the Attributes list for any log configuration page. ACS lists them by using their default names: Real Name, Description, User Field 3, User Field 4, and User Field 5. If you change the name of a user-defined attribute, the default name, rather than the new name, still appears in the Attributes list.
The values that you enter in the corresponding fields in the user account determine the content of these attributes. For more information about user attributes, see Customizing User Data, page 2-5.
•ExtDB Info—If the user is authenticated with an external user database, this attribute contains a value that the database returns. In the case of a Windows user database, this attribute contains the name of the domain that authenticated the user.
In entries in the Failed Attempts log, this attribute contains the database that last successfully authenticated the user. It does not list the database that failed the user-authentication attempt.
•Access Device—The name of the AAA client that is sending the logging data to ACS.
•Network Device Group—The network device group to which the access device (AAA client) belongs.
•Filter Information—The result of network access restrictions (NARs) applied to the user, if any. The message in this field indicates whether all applicable NARs permitted the user access, all applicable NARs denied the user access, or more specific information about which NAR denied the user access. If no NARs apply to the user, this logging attribute notes that no NARs were applied.
The Filter Information attribute is available for Passed Authentication and Failed Attempts logs.
•Device Command Set—The name of the device command set, if any, that was used to satisfy a command authorization request.
The Device Command Set attribute is available for Failed Attempts logs.
•Bypass info—Information about the MAC authentication bypass feature. The message in this field indicates whether the MAC address was found or not found.
The Bypass info attribute is available for Failed Attempts and Passed Authentications logs.
•Remote Logging Result—Whether a remote logging service successfully processes a forwarded accounting packet. This attribute is useful for determining which accounting packets, if any, a central logging service did not log. It depends on the receipt of an acknowledgment message from the remote logging service. The acknowledgment message indicates that the remote logging service properly processed the accounting packet according to its configuration. A value of Remote-logging-successful indicates that the remote logging service successfully processed the accounting packet. A value of Remote-logging-failed indicates that the remote logging service did not process the accounting packet successfully.
Note ACS cannot determine how a remote logging service is configured to process accounting packets that it forwarded. For example, if a remote logging service is configured to discard accounting packets, it discards a forwarded accounting packet and responds to ACS with an acknowledgment message. This message causes ACS to write a value of Remote-logging-successful in the Remote Logging Result attribute in the local log that records the account packet.
•Posture-Validation Logging Attributes:
–Application-Posture-Token—The application posture token (APT) that a particular policy returns during a posture-validation request. This attribute is available only in the Passed Authentications and Failed Attempts logs.
–System-Posture-Token—The system posture token (SPT) that a particular policy returns during a posture-validation request. This attribute is available only in the Passed Authentications and Failed Attempts logs.
–Other Posture-Validation Attributes—Attributes that a NAC client sends to ACS during a posture-validation request. The attributes are uniquely identified by the vendor name, application name, and attribute name. For example, the NAI:AV:DAT-Date attribute is an attribute containing information about the date of the DAT file on the NAC client for the antivirus application by Network Associates, Inc. These attributes are available only in the Passed Authentications and Failed Attempts logs.
You can choose to log posture-validation attributes in the Passed Authentications and Failed Attempts logs. All inbound attributes are available for logging. The only two outbound attributes that you can record in logs are Application-Posture-Assessment and System-Posture-Assessment.
All posture-validation requests resulting in a system posture token (SPT), also known as a system posture assessment, are logged in the Passed Authentications log. Posture-validation requests resulting in an SPT of anything other than Healthy are logged in the Failed Attempts log. For more information about posture tokens, see Posture Tokens, page 13-3.
•Authen-Failure-Code attribute for HCAP errors:
When Host Credentials Authentication Protocol (HCAP) fails, the Authen-Failure-Code attribute entry in the Failed Attempts report may display one of the following errors:
–Version failure - Could not communicate with external policy server - wrong HCAP version
–Connection failure - Could not open a connection to external policy server
–Authentication failure - Could not communicate with external policy server - authentication failure
–Timeout error - Could not connect to external policy server - timeout error
–Other - Posture Validation Failure on External Policy
Related Topics
•Configuring ACS Logs
•Viewing and Downloading CSV Reports
ACS Audit Logs
Audit logs contain information about the ACS system and activities and, therefore, record system-related events. These logs are useful for troubleshooting or audits. Comma-separated value (CSV) audit logs are always enabled, and you can enable or disable audit logs to other loggers. You cannot configure the audit log content.
Table 10-2 provides information about each audit log.
Table 10-2 Audit Log Descriptions
Log
|
Description and Related Topics
|
ACS Backup and Restore
|
Lists dates and times that the ACS system information was backed up and restored, and whether the action was successful.
For information about changing the schedule or the location of the backup and restore files, see ACS Backup, page 7-7 and ACS System Restore, page 7-13.
|
RDBMS Synchronization
|
Lists the times the RDBMS database was synchronized and whether the synchronization was manual or scheduled.
For information about changing the RDBMS synchronization schedule, see RDBMS Synchronization, page 8-17.
|
Database Replication
|
Lists the times the ACS Internal Database was replicated to the backup server and whether the replication was manual or scheduled.
For information about changing the database replication schedule, see ACS Internal Database Replication, page 8-1.
|
Administration Audit
|
Lists actions taken by each system administrator, such as adding users, editing groups, configuring a AAA client, or viewing reports.
|
User Password Changes
|
Lists user password changes that users initiate, regardless of which password-change mechanism was used to change the password. Thus, this log contains records of password changes that the ACS Authentication Agent, the User Changeable Password web interface, or the Telnet session made on a network device that is using TACACS+. This log does not list password changes that an administrator makes in the ACS web interface.
|
ACS Service Monitoring
|
Lists when ACS services start and stop.
|
Appliance Administration Audit
|
Lists administrator activity on the serial console, including logins, logouts, and commands executed.
|
Related Topics
•Configuring ACS Logs
•Viewing and Downloading CSV Reports
ACS Logging Formats and Targets
ACS loggers provide logging interfaces to record AAA-related logs and audit logs in different formats, and to different targets. You can use:
•CSV Logger
•Syslog Logger
•ODBC Logger (ACS for Windows only)
•Remote Logging for ACS for Windows
•Remote Logging for ACS SE with ACS Remote Agents
You can configure ACS to log information to more than one logger. For information about configuring logs, see Configuring ACS Logs.
You can configure a critical logger for accounting logs to guarantee delivery of these logs to at least one logger. For more information, see Configuring Critical Loggers.
CSV Logger
The CSV logger records data for logging attributes in columns separated by commas (,). You can import this format into a variety of third-party applications, such as Microsoft Excel or Microsoft Access. After you import data from a CSV file into such applications, you can prepare charts or perform queries, such as determining how many hours a user was logged in to the network during a given period. For information about how to use a CSV file in a third-party application such as Microsoft Excel, see the documentation from the third-party vendor.
Tip Using a CSV file may not work well for every language or locale; for example, when imported into programs such as Word or Excel. You may need to replace the commas (,) with semicolons (;), if necessary.
You can access the CSV files on the ACS server hard drive or you can download the CSV file from the web interface.
CSV Log File Locations
By default, ACS keeps log files in directories that are unique to the log. You can configure the log file location of CSV logs. The default directories for all logs reside in sysdrive:\Program Files\CiscoSecure ACS vx.x. For the subdirectory of this location for a specific log, see Table 10-3.
Table 10-3 Default CSV Log File Locations
Log
|
Default Location
|
TACACS+ Accounting
|
Logs\TACACS+Accounting
|
CSV TACACS+ Administration
|
Logs\TACACS+Administration
|
CSV RADIUS Accounting
|
Logs\RADIUS Accounting
|
CSV VoIP Accounting
|
Logs\VoIP Accounting
|
CSV Failed Attempts
|
Logs\Failed Attempts
|
Passed Authentications
|
Logs\Passed Authentications
|
ACS Backup and Restore
|
Logs\Backup and Restore
|
RDBMS Synchronization
|
Logs\DbSync
|
RDBMS Synchronization
|
Logs\DBReplicate
|
Administration Audit
|
Logs\AdminAudit
|
User Password Changes
|
CSAuth\PasswordLogs
|
ACS Active Service Monitoring
|
Logs\ServiceMonitoring
|
CSV Log Size and Retention
For each CSV log, ACS writes a separate log file. When a log file size reaches 10 MB, ACS starts a new log file. ACS retains the seven most recent log files for each CSV log.
Related Topics
•Configuring a CSV Log
•Viewing and Downloading CSV Reports
Syslog Logger
The ACS syslog logger supports the standard syslog format. You can send log data for any report to up to two syslog servers. You configure the syslog servers for each report individually. You can use syslog to centralize the data from multiple ACSs.
ACS syslog logging follows the standard syslog protocol (RFC 3164). Messages are sent connectionless to syslog servers by using an unsecured UDP port without data encryption.
Note The syslog protocol contains no mechanism to ensure delivery, and since the underlying transport is UDP, message delivery is not guaranteed.
Syslog Message Format
The format of the ACS syslog message content is:
<n> mmm dd hh:mm:ss XX:XX:XX:XX TAG msg_id total_seg seg# A1=V1
where:
•<n>—The Priority value of the message; it is a combination of the facility and severity of the syslog message. The Priority value is calculated according to RFC 3164, by first multiplying the facility value by 8 and then adding the severity value.
ACS syslog messages use the following facility values:
–4 (Auth)—Security and authorization messages. This value is used for all AAA-related messages (failed attempts, passed attempts, accounting, and so on).
–13 (System3)—Log audit. This value is used for all other ACS report messages.
All ACS syslog messages use a severity value of 6 (Info).
For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Priority value appears according to the syslog server setup, and might appear as one of:
–System3.Info
–<110>
Note You cannot configure the format of the syslog facility and severity on ACS.
•mmm dd hh:mm:ss—Date and time of the message.
•XX:XX:XX:XX—IP Address of the machine generating this syslog message.
•TAG—A value representing the ACS report name:
–CisACS_01_PassedAuth—Cisco ACS Passed Authentications
–CisACS_02_FailedAuth—Cisco ACS Failed Attempts
–CisACS_03_RADIUSAcc—Cisco ACS RADIUS Accounting
–CisACS_04_TACACSAcc—Cisco ACS TACACS+ Accounting
–CisACS_05_TACACSAdmin—Cisco ACS TACACS+ Administration
–CisACS_06_VoIPAcc—Cisco ACS VoIP Accounting
–CisACS_11_BackRestore—Cisco ACS Backup and Restore log messages
–CisACS_12_Replication—Cisco ACS Database Replication log messages
–CisACS_13_AdminAudit —Cisco ACS Administration Audit log messages
–CisACS_14_PassChanges—Cisco ACS User Password Changes log messages
–CisACS_15_ServiceMon—Cisco ACS Service Monitoring log messages
–CisACS_16_RDBMSSync—Cisco ACS RDBMS Synchronization Audit log messages
–CisACS_17_ApplAdmin—Cisco ACS Appliance Administration Audit log messages
•msg_id—Unique message ID. All segments of one message share the same message ID.
•total_seg—Total number of segments in this message. For more details, see Syslog Message Length Limitations.
•seg#—Segment sequence number within this message segmentation. For more details, see Syslog Message Length Limitations.
•A1=V1—Attribute value pairs delimited by a comma (,) for Cisco ACS log messages and the message itself.
Syslog Message Length Limitations
You can configure the maximum length for ACS syslog messages. We recommend a maximum message length of 1,024 bytes for messages to a standard syslog server; however, the configuration should correspond to the target server specifications.
When an ACS message, including header and data, exceeds the syslog standard length limitation or target length limitation, the message content is split into several segments:
•The message is split between attribute value pairs keeping an attribute value pair complete within the segment, if possible. Each segment ends with the comma (,) delimiter; the next segment starts with the header and then the next attribute value pair.
•All segments of the same message have the same header. The <msg_id> and <total_seg> values are shared between all segments. The <seg#> is set according to the sequence of the segments.
For information about enabling and configuring syslog logs, see Configuring Syslog Logging.
Related Topics
Configuring Syslog Logging
ODBC Logger (ACS for Windows only)
These topics describe ODBC logging and what to do before you configure ODBC logs in ACS:
•About ODBC Logging
•Preparing for ODBC Logging
About ODBC Logging
You can use Open DataBase Connectivity (ODBC) loggers to log directly in an ODBC-compliant relational database, where the logs are stored in tables, one table per log. After the data is exported to the relational database, you can use the data however you need. For more information about querying the data in your relational database, refer to the documentation from the relational database vendor.
Preparing for ODBC Logging
Before you can configure ODBC logs in ACS, you must:
1. Set up the relational database to which you want to export logging data. For more information, refer to your relational database documentation.
2. On the computer that is running ACS, set up a system data source name (DSN) for ACS to communicate with the relational database that will store your logging data.
To set up a system DSN for use with ODBC logging:
Step 1 In the Windows Control Panel, double-click ODBC Data Sources.
Step 2 In the ODBC Data Source Administrator page, click the System DSN tab.
Step 3 Click Add.
Step 4 Select the driver to use with your new DSN, and then click Finish.
A dialog box displays fields requiring information that is specific to the selected ODBC driver.
Step 5 Type a descriptive name for the DSN in the Data Source Name box.
Step 6 Complete the other fields that are required by the selected ODBC driver. These fields may include information such as the IP address of the server on which the ODBC-compliant relational database runs.
Step 7 Click OK.
Step 8 Close the ODBC window and Windows Control Panel.
The System DSN that ACS uses for communicating with the relational database is created on the computer running ACS. The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page.
Related Topics
Configuring an ODBC Log (ACS for Windows only).
Remote Logging for ACS for Windows
You can use Remote Loggers to centralize AAA-related and audit logs that multiple ACSs generate. You can configure each ACS to point to one or more ACSs to use as a remote logging server. The remote logging ACS still performs AAA functions, but it also is the repository for the logs that it receives.
The Remote Logging feature enables ACS to send data directly to the CSLog service on the remote logging server, where the data is written to the logs. The remote logging server generates the logs in the formats that it is configured to use regardless of the local logging configuration on the ACSs that are sending the data.
ACS listens on TCP port 2001 for remote logging communication. A 128-bit proprietary algorithm encrypts remote logging data.
Note The Remote Logging feature does not affect the forwarding of data for proxied authentication requests. ACS only applies Remote Logging settings to data for sessions that the proxy authenticates when data for sessions that the proxy authenticates is logged locally. For more information about proxied authentication requests and data for sessions that the proxy authenticates, see Configuring Proxy Distribution Tables, page 3-27.
Related Topics
Configuring and Enabling Remote Logging (ACS for Windows only)
Remote Logging for ACS SE with ACS Remote Agents
The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.
For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1.
Note The Remote Logging feature does not affect the forwarding of data for proxied authentication requests. ACS only applies Remote Logging settings to data for sessions authenticated by proxy when accounting data for sessions authenticated by proxy is logged locally. For more information about proxied authentication requests and data for sessions authenticated by proxy, see Configuring Proxy Distribution Tables, page 3-27.
Regardless of how many ACS Solution Engines send their accounting data to the remote agent server, the remote agent receives its configuration from a single ACS Solution Engine. That ACS is the configuration provider for the remote agent. You determine:
•What logs the remote agent keeps.
•What data is recorded for each log kept.
•How the remote agent manages the log files.
Related Topics
Configuring Logging to Remote Agents (ACS SE only)
Dynamic Administration Reports
These reports show the status of user accounts when you access them in the ACS web interface. They are available only in the web interface, are always enabled, and require no configuration.
Table 10-4 contains descriptions of ACS administration reports.
Table 10-4 Dynamic Administration Report Descriptions
Report
|
Description and Related Topics
|
Logged-In Users
|
Lists all users receiving services for a single AAA client or all AAA clients. You can delete logged-in users from specific AAA clients or from all AAA clients.
Users accessing the network with Cisco Aironet equipment appear on the list for the access point that they are currently associated with, provided that the firmware image on the Cisco Aironet Access Point supports sending the RADIUS Service-Type attribute for rekey authentications.
On a computer configured to perform machine authentication, machine authentication occurs when the computer starts. When a computer is started and before a user logs in on that computer, the computer appears on the Logged-In Users List in the Reports and Activity section of the ACS web interface. Once user authentication begins, the computer no longer appears on the Logged-In Users List. For more information about machine authentication, see EAP and Windows Authentication, page 12-10.
Note To use the logged-in user list feature, you must configure AAA clients to perform authentication and accounting by using the same protocol—TACACS+ or RADIUS.
For information about viewing the Logged-in User report in the web interface and deleting logged-in users, see Viewing the Logged-in Users Report.
|
Disabled Accounts
|
Lists all user accounts that are disabled and the reason they were disabled. They might have been manually disabled or disabled automatically based on the aging information defined under User Setup.
For information about viewing the Disabled Accounts report in the web interface, see Viewing the Disabled Accounts Report.
|
Appliance Status
|
Lists information about resource utilization on the ACS Solution Engine. Also displays information about the IP configuration for the ACS Solution Engine and the MAC address of its network interface card.
For information about viewing the Appliance Status report in the web interface, see Viewing the Appliance Status Report.
|
Related Topics
•Viewing Dynamic Administration Reports
Entitlement Reports
These reports provide information about administrator privileges and user mappings to groups. All these reports can be downloaded as text files in CSV format. You can display the reports for individual administrators in the ACS web interface. Entitlement reports are always enabled and require no configuration.
Table 10-5 contains descriptions of ACS entitlement reports.
Table 10-5 Entitlement Report Descriptions
Report
|
Description and Related Topics
|
User Entitlements
|
The user entitlement report provides mappings of users to group. This report lists all users with their group, Network Access Profile (NAP) if relevant, and the mapping type (static or dynamic). You can download this report in CSV format; however, you cannot display it in the ACS web interface because of its potential size.
|
Administrator Entitlements
|
The two types of Administrator Entitlement Reports are:
•Privilege report for all administrators—Lists the privileges of each administrator. You can download this report in CSV format; however, you cannot display it in the ACS web interface because of its potential size.
•Privilege reports for individual administrators—Lists privileges for the selected administrator. You can display reports for individual administrators in the ACS web interface, and you can download them as text files in CSV format.
|
Related Topics
•Viewing and Downloading Entitlement Reports
Service Logs
Service logs are considered diagnostic logs, which you use for troubleshooting or debugging purposes only. These logs are not intended for general use by ACS administrators; instead, they are mainly sources of information for Cisco support personnel. Service logs contain a record of all ACS service actions and activities. When service logging is enabled, each service generates a log whenever the service is running, regardless of whether you are using the service. For example, RADIUS service logs are created even if you are not using the RADIUS protocol in your network. For more information about ACS services, see Chapter 1, "Overview."
Service log files reside in the \Logs subdirectory of the applicable service directory. For example, the following is the default directory for the ACS authentication service:
c:\Program Files\CiscoSecure ACS vx.x\CSAuth\Logs
Services Logged
ACS generates logs for the following services:
•CSAdmin
•CSAuth
•CSDBSync
•CSLog
•CSMon
•CSRadius
•CSTacacs
The most recent debug log is named:
SERVICE.log
where SERVICE is the name that represents the applicable service, for example auth represents the CSAuth service.
Older debug logs are named with the year, month, and date on which they were created. For example, a file that was created on July 13, 1999, would be named:
SERVICE 1999-07-13.log
where SERVICE is the name that represents the applicable service.
If you selected the Day/Month/Year format, the file would be named:
SERVICE 13-07-1999.log
For information about changing the date format, see Date Format Control, page 7-3.
Related Topics
Configuring Service Logs
Configuring ACS Logs
You can enable and configure logging for individual logs. ACS can log information to multiple loggers simultaneously.
The starting point for enabling and configuring service logs is the Service Control page, which you access by choosing System Configuration > Service Control. The starting point for enabling and configuring all other logs and loggers is the Logging Configuration page, which you access by choosing System Configuration > Logging. The Logging Configuration page also displays which ACS logs are currently enabled.
These topics describe how to configure and enable ACS logs:
•Configuring Critical Loggers
•Configuring a CSV Log
•Configuring Syslog Logging
•Configuring an ODBC Log (ACS for Windows only)
•Configuring and Enabling Remote Logging (ACS for Windows only)
•Configuring Logging to Remote Agents (ACS SE only)
•Configuring Service Logs
•Providing Service Logs for Customer Support
Configuring Critical Loggers
You can configure a critical logger for accounting logs to guarantee delivery of these logs to at least one logger.
When you configure a critical logger, the reply that ACS sends to an authenticating device depends on the success or failure of logging the relevant message to the critical logger only. ACS sends the message to other loggers off-stream, (best effort but not guaranteed), which does not affect the authentication result. (For all other AAA-related reports, such as failed attempts, passed authentications and TACACS+ administration, logging is done off-stream, and does not affect the authentication attempt result.)
You can configure a different critical logger for each accounting report; the default critical logger for each report is the local CSV log. If you do not select a critical logger, delivery of accounting messages is not guaranteed.
Note We do not recommend that you configure a syslog logger as a critical logger; because, according to syslog standards, syslog message logging is not guaranteed.
To configure a critical logger for accounting reports:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
The Logging Configuration page appears.
Step 3 Click Critical Loggers Configuration.
The Critical Loggers Configuration page appears.
Step 4 Select a critical logger for each accounting report. For more information about the options for selecting critical loggers, see Critical Loggers Configuration Page.
Step 5 Click Submit.
ACS implements the specified critical loggers configuration.
Note If a critical logger is chosen but the specified log is disabled, ACS will not implement critical logging for the specific report.
Configuring a CSV Log
You can configure ACS to record AAA-related logs and audit logs to a CSV logger.
To configure a CSV log:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging. The Logging Configuration page appears.
Step 3 In the ACS Reports table, click Configure for the CSV log that you want to configure.
The CSV log File Configuration page appears, where log is the name of the CSV log that you selected.
Step 4 To enable or disable the log, under Enable Logging, check or uncheck the Log to log report check box, where log is the name of the selected log.
Step 5 For AAA-related reports, configure the attributes that you want ACS to log. For more information about the options for configuring attributes, see CSV log File Configuration Page.
Step 6 (ACS for Windows only) Specify file management options for the CSV files. For more information about the file management options, see CSV log File Configuration Page.
Step 7 Click Submit.
ACS implements the specified CSV log configuration.
Related Topics
Viewing and Downloading CSV Reports
Configuring Syslog Logging
You can configure ACS to record AAA-related logs and audit logs to a syslog logger.
To configure a syslog log:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging. The Logging Configuration page appears.
Step 3 In the ACS Reports table, click Configure for the syslog log that you want to configure.
The log Configuration page appears, where log is the name of the syslog log that you selected.
Step 4 To enable or disable the log, under Enable Logging, check or uncheck the Log to log report check box, where log is the name of the selected log.
Step 5 For AAA-related reports, configure the attributes that you want ACS to log. For more information about the options for configuring attributes, see Syslog log Configuration Page.
Step 6 Configure the syslog servers to which you want to send the syslog messages. For more information about the options for configuring syslog servers, see Syslog log Configuration Page.
Step 7 Click Submit.
ACS implements the specified syslog log configuration.
Configuring an ODBC Log (ACS for Windows only)
You can configure ACS to record AAA-related logs and audit logs to an ODBC logger. You can configure the SQL create table statement before or after configuring the ODBC log in ACS.
Note Before you can configure an ODBC log, you must prepare for ODBC logging. For more information, see Preparing for ODBC Logging.
To configure an ODBC log:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging. The Logging Configuration page appears.
Step 3 In the ACS Reports table, click Configure for the ODBC log that you want to configure.
The ODBC log Configuration page appears, where log is the name of the ODBC log you selected.
Step 4 To enable or disable the log, under Enable Logging, check or uncheck the Log to log report check box, where log is the name of the selected log.
Step 5 For AAA-related reports, configure the attributes that you want ACS to send to the relational database. For more information about the options for configuring attributes, see ODBC log Configuration Page (ACS for Windows only).
Step 6 Configure ACS to communicate with the ODBC database. For more information about Connection Settings options, see ODBC log Configuration Page (ACS for Windows only).
Step 7 Click Submit.
ACS saves the log configuration. The Logging Configuration page appears.
To configure an SQL create table statement:
Step 1 In the Logging Configuration page, click Configure for the ODBC log that you are configuring.
The ODBC log configuration page appears.
Step 2 To display a SQL create table statement, click Show Create Table.
A SQL create table statement for Microsoft SQL Server appears in the right panel of the ACS window. The table name is the name that is specified in the Table Name field. The column names are the attributes that are specified in the Logged Attributes list.
Note The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table.
Step 3 Using the information provided in the generated SQL, create a table in your relational database for this ODBC log. For ODBC logging to work, the table name and the column names must exactly match the names in the generated SQL.
When you enable the log, ACS begins sending logging data to the relational database table that you created by using the system DSN that you configured.
Configuring and Enabling Remote Logging (ACS for Windows only)
You can configure remote logging for AAA-related logs and audit logs. You must first configure the remote logging server, and then configure remote logging on each ACS that will send information to the remote logging server.
These topics describe how to set up remote logging:
•Configuring the Remote Logging Server
•Configuring ACS to Send Data to a Remote Logger
Configuring the Remote Logging Server
Before You Begin
•On a computer that you want to use as a remote logging server to store all logging data, install ACS. For information about installing ACS, see the Installation Guide for Cisco Secure ACS for Windows, Release 4.1.
•Ensure that gateway devices between the ACSs that are sending data and the remote logging ACS server permit the remote logging ACS server to receive data on TCP port 2001.
To configure the remote logging server:
Step 1 Configure and enable the individual logs as needed. All data that is sent to the remote logging server will be recorded in the way that you configure logs on this ACS. For information about:
•Configuring CSV logs, see Configuring a CSV Log.
•Configuring syslog logs, see Configuring Syslog Logging.
•Configuring ODBC logs, see Configuring an ODBC Log (ACS for Windows only).
Note You can configure Remote Logging on the remote logging server so that it will send all data to another remote logging server. However, you must use this option with caution; otherwise, you might create an endless logging loop.
Step 2 To the AAA Servers table, add each ACS from which the remote logging server will receive logging data. For more information, see Configuring AAA Servers, page 3-14.
Note If the remote logging server logs watchdog and update packets for an ACS, you must check the Log Update/Watchdog Packets from this remote AAA Server check box for that ACS in the AAA Servers table.
If you want to implement remote logging on other remote logging servers for use as secondary servers or as mirrored logging servers, repeat this procedure for each additional remote logging server.
Related Topics
Configuring ACS to Send Data to a Remote Logger
Configuring ACS to Send Data to a Remote Logger
Note Before configuring the Remote Logging feature on each ACS server that will send data to the remote logging server, ensure that you have configured your remote logging ACS server. For more information, see Configuring the Remote Logging Server.
On each ACS that will send data to the remote logging server:
Step 1 Add the remote logging server to the AAA Servers table. For more information, see Configuring AAA Servers, page 3-14. If you have created multiple remote logging servers, repeat this step for each remote logging server.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click Logging.
The Logging Configuration page appears.
Step 4 Click Remote Logging Servers Configuration.
The Remote Logging Setup page appears.
Step 5 Set the applicable Remote Logging Services Configuration options. For information about these options, see Remote Logging Setup Page.
Step 6 Click Submit.
ACS saves and implements the remote logging configuration that you specified.
Related Topics
•Configuring the Remote Logging Server
Configuring Logging to Remote Agents (ACS SE only)
You can configure remote logging of AAA-related logs and audit logs to installed ACS remote agents.
For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1.
The following steps are required to set up remote logging:
1. On each ACS SE, add the remote agent. For more information, see Configuring Remote Agents (ACS Solution Engine Only), page 3-18.
2. Configure each ACS SE to send logs to the remote agent. For more information, see Configuring ACS SE to Send Data to the Remote Agent.
3. On the ACS SE that the remote agent is configured to use as its configuration provider, configure log content and log-file management for all logs recorded on the remote agent. For more information, see Configuring Remote Agent Logs on the Configuration Provider.
You can set up remote logging to another remote agent, for use as a secondary server or as a mirror server by repeating these steps.
Configuring ACS SE to Send Data to the Remote Agent
You configure each local ACS SE to send data to the remote agent. Local configuration of remote logging does not affect the types of logs sent to remote agents or the configuration of the data included in logs sent to remote agents. For information about configuring which logs are sent to remote agents and the data the logs contain, see Configuring Remote Agent Logs on the Configuration Provider.
Before You Begin
Install and configure the remote agent before configuring the Remote Logging feature on each ACS SE that will send data to the remote agent.
On each ACS SE that will send data to the remote agent:
Step 1 Add the remote agent on ACS SE. For more information, see Configuring Remote Agents (ACS Solution Engine Only), page 3-18.
Step 2 In the navigation bar, click System Configuration.
Step 3 Click Logging.
The Logging Configuration page appears.
Step 4 Click Remote Logging Servers Configuration.
The Remote Logging Setup page appears.
Step 5 Set the applicable Remote Logging Services Configuration options. For information about these options, see Remote Logging Setup Page.
Step 6 Click Submit.
ACS saves and implements the remote logging configuration that you specified.
Related Topics
Configuring Remote Agent Logs on the Configuration Provider
Configuring Remote Agent Logs on the Configuration Provider
On the configuration provider, you configure which logs will be stored on the remote agent, the log content, and how the remote agent will manage the log files.
For information about specifying to which remote agents ACS sends log data, see Configuring ACS SE to Send Data to the Remote Agent.
To configure a CSV log for a remote agent:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Logging.
The Logging Configuration page appears
Step 3 Click Remote Agent Reports Configuration.
The Remote Agent Reports Configuration page appears.
Step 4 Click Configure for the remote logging report that you want to configure.
The CSV log File Configuration page appears, where log is the name of the remote agent log that you selected.
Step 5 To enable or disable the log, check or uncheck the Log to CSV log name report check box, where log is the name of the remote agent log that you selected.
Step 6 For AAA-related reports, configure the attributes that you want ACS to log. For more information about the options for configuring attributes, see CSV log File Configuration Page.
Step 7 Specify file management options for the CSV files. For more information about the file management options, see CSV log File Configuration Page.
Step 8 Click Submit.
ACS implements the remote agent log configuration that you specified.
Related Topics
Configuring ACS SE to Send Data to the Remote Agent
Configuring Service Logs
To configure how ACS generates and manages the service log file:
Step 1 In the navigation bar, click System Configuration.
Step 2 Click Service Control.
The status of the services appears in ACS on hostname table, where hostname is the name of the computer that is running ACS.
Step 3 Set service log options in the Services Log File Configuration page. For information about the options in this page, see Service Control Page Reference.
To disable the service log file, under Level of Detail, select the None option.
Step 4 Click Restart.
ACS restarts its services and implements the service log settings that you specified.
Related Topics
Providing Service Logs for Customer Support
Providing Service Logs for Customer Support
To provide customer support with enough data to research potential issues, set the Level of Detail to Full in the Services Log File Configuration page. See Service Control Page Reference for more details. Ensure that you have sufficient disk space to handle your log entries.
If a problem exists on your ACS, customer support will ask you to create a package.cab file. The package.cab file contains various files including:
•Certificate files—The ACS server certificate, as well as the certificate's CA.
•Admin.txt—Contains information regarding ACS administrators.
•Host.txt and HostServices.txt—Contain information regarding hosts and hosts configuration.
•NDG.txt—Contains configured network device groups.
•DictionaryKey.txt and DictionaryValue.txt—Contains ACS dictionary files.
To create a package.cab file:
Step 1 At the command prompt, type drwtsn32.
Check the Dr. Watson settings to be sure the Dump Symbol Table and Dump All Thread Contents options are selected in addition to the default options.
Step 2 Go to the bin subdirectory in the directory in which ACS was installed.
Step 3 Type CSSupport.exe.
Run the executable with all default options. The program will collect all the necessary information including Dr. Watson logs and place them in a file called package.cab. The location of the file appears when the executable is finished.
The Support feature in the System Configuration section of the ACS web interface includes service logs in the package.cab file that it generates if you click Run Support Now. For information about this feature, see Support Page (ACS Solution Engine Only), page 7-23.
Note When creating a package.cab file that is larger than 2GB, additional .cab files are created due to the size limit of the packer. The first package name is package.cab, the second is package1.cab, and so on, until the N package, packageN.cab, where N is the number of packages minus one. The files are saved in the same location that is specified before the packing begins. These files are not standalone and all of them must be sent to package. Problems with the packed file (package.cab) may arise if there is not enough hard-disk space.
Related Topics
Configuring Service Logs
Viewing and Downloading Reports
The starting point for viewing and downloading reports is the Reports page, which you access from Reports and Activity in the navigation bar. See Reports Page Reference for a list of all the reports that can be accessed from this page.
Note The RDBMS Synchronization report and the Database Replication report are available only if those options are enabled in Interface Configuration > Advanced Options.
These topics describe how to view reports in the ACS web interface, and how to download reports:
•Viewing and Downloading CSV Reports
•Viewing Dynamic Administration Reports
•Viewing and Downloading Entitlement Reports
Viewing and Downloading CSV Reports
These topics describe how to view and download ACS CSV reports:
•CSV Log File Names
•Viewing a CSV Report
•Downloading a CSV Report
CSV Log File Names
When you access a report in Reports and Activity, ACS lists the CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.csv, where log is the name of the log.
Older files are named as:
where:
log is the name of the log.
yyyy is the year that the CSV file was started.
mm is the month that the CSV file was started, in numeric characters.
dd is the date that the CSV file was started.
For example, a Database Replication log file that was generated on October 13, 2002, would be named Database Replication 2002-10-13.csv.
Related Topics
•Viewing a CSV Report
•Downloading a CSV Report
Viewing a CSV Report
You can view the contents of CSV reports in the ACS web interface. You can sort the table by entries in the column, and you can filter CSV log reports.
Filtering criteria includes a regular expression, a time range, or both:
•Regular expression-based filtering checks that at least one of each column's value, per row, matches the provided regular expression. When you use regular-expression filtering, ACS traverses each column and displays only the rows that match the filtering criteria.
•You can use time-based filtering by specifying values for a Start Date & Time and an End Date & Time. Rows dated within the specified time range appear.
When you enter a regular expression and use time-based filtering as well, the report will include only the rows that match both criteria.
To view a CSV report:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click the name of the CSV report that you want to view.
On the right side of the browser, ACS lists the current CSV report filename and the filenames of any old CSV report files.
Step 3 Click the CSV report filename whose contents you want to view.
If the CSV report file contains information, the information appears in the display area.
Step 4 To check for newer information in the current CSV report, click Refresh.
Step 5 Use the Next and Previous buttons to navigate forward and backward through the report pages.
Step 6 To sort the table by entries in the column, in ascending or descending order. Click a column title once to sort the table by that column's entries in ascending order. Click the column a second time to sort the table by that column's entries in descending order.
Step 7 To specify filtering criteria and apply the filter to the log file's content:
a. In the Regular Expression text box enter a string value. The expression can be up to 100 characters long. See Table 10-6 for Regular Expression characters and their syntax definitions.
b. In the Start Date & Time and End Date & Time text boxes, enter string values. The date and time format is dd/mm/yyyy,hh:mm:ss or mm/dd/yyyy,hh:mm:ss as defined in the ACS system configuration for the date format.
c. In the Rows per Page box choose the number of rows to display per page. (The default is 50.)
d. Click Apply Filter. The ACS web server will apply the specified filtering criteria to the report file and display the filtered results in the report's table.
e. Click Clear Filter to reset filtering parameters to their default values. Use this option to display the entire report unfiltered.
Table 10-6 Regular Expression Syntax Definitions
Character
|
Regular Expression Use
|
^
|
A caret (^) matches to the beginning of the string. Referred to as "begins with."
For example, ^A will match ABc, A123, but not 1A234. See the last table entry for another caret usage.
|
$
|
The dollar sign ($) matches the end of the string. Referred to as "ends with."
For example, yz$ will match strings ending with xyz, 0123yz, but not 12yzA.
|
\
|
The backslash (\) matches a given string at any location. Referred to as "contains."
A backslash is also used for expressing 'special characters' in a given regular expression (For example, \+ will match against the plus sign (+), to differentiate from the plus sign (+) usage in regular expressions.
|
.
|
The dot (.) matches any character.
|
*
|
The asterisk (*) indicates that the character to the left of the asterisk in the expression should match for any number of instances (that is, 0 or more times).
|
+
|
The plus sign (+) is similar to the asterisk (*) but at least one match of the character should appear to the left of the plus sign (+) in the expression.
|
?
|
The question mark (?) matches the expression or character to its left 0 or 1 times.
|
|
|
The pipe (|) allows the expression on either side of it to match the target string.
For example, A|a matches against A as well as a.
|
-
|
The hyphen (-) indicates a range of values. For example, a-z.
|
()
|
The parentheses are used for grouping of expressions and affect the order of pattern evaluation.
|
[]
|
Brackets ([ ]) enclosing a set of characters indicate that any of the enclosed characters may match the target character. Values in brackets can be one or more characters, or ranges. For example, [02468], [0-9].
|
[^
|
When a caret (^) immediately follows a left bracket ([), it excludes the remaining characters within brackets from matching the target string. For example, [^0-9] indicates that the target character is alpha rather than numeric.
|
Related Topics
•CSV Log File Names
•Downloading a CSV Report
Downloading a CSV Report
You can download the CSV file for any CSV report that you view in ACS.
After downloading a CSV log file, you can import it into spreadsheets by using most popular spreadsheet application software. Refer to your spreadsheet software documentation for instructions. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.
To download a CSV report:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click the name of the required CSV report.
On the right side of the browser, ACS lists the current CSV report filename and the filenames of any old CSV report files.
Step 3 Click the CSV report filename that you want to download.
If the CSV report file contains information, the information appears in the display area in the right pane.
Step 4 In the right pane of the browser, click Download.
The browser displays a dialog box for accepting and saving the CSV file.
Step 5 Choose a location where you want to save the CSV file, and click Save to save the file.
Related Topics
•CSV Log File Names
•Viewing a CSV Report
Viewing Dynamic Administration Reports
These topics describe how to view and use dynamic administration reports:
•Viewing the Logged-in Users Report
•Viewing the Disabled Accounts Report
•Viewing the Appliance Status Report
Viewing the Logged-in Users Report
Note The Logged-In Users report might take up to 20 seconds to open. Specific user information might take up to several minutes to appear.
You can view the Logged-in Users report in the ACS web interface.
Note This list of users is cleared and restarted anytime ACS services are restarted. This list contains the names of users who logged in since the last time ACS was started; unless the list has been purged manually.
From this report, you can instruct ACS to delete users who are logged in to a specific AAA client. When a user session terminates without a AAA client sending an accounting stop packet to ACS, the Logged-in Users Report continues to show the user. Deleting logged-in users from a AAA client ends the accounting for those user sessions.
Note Deleting logged-in users terminates only the ACS accounting record of users who are logged in to a particular AAA client. It does not terminate active user sessions, nor does it affect user records.
To view the Logged-in Users report:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click Logged-in Users.
The Select a AAA Client page displays the name of each AAA client, its IP address, and the number of users who are logged in through the AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users who are logged in.
Step 3 To see a list of all users who are logged in, click All AAA Clients.
Step 4 To see a list of users who are logged in through a particular AAA client, click the name of the AAA client.
For each list of users, ACS displays tabular information on all users who are logged in, including:
•Date and Time
•User
•Group
•Assigned IP
•Port
•Source AAA Client
Tip To print this list, click anywhere in the right window and print the window from your browser.
Step 5 To sort the table by any column's entries, in ascending or descending order. Click a column title once to sort the table by the entries in that column in ascending order. Click the column a second time to sort the table by the entries in that column in descending order.
Step 6 To purge users who are logged in through a particular AAA client:
a. Click the name of the AAA client.
ACS displays a table of all users who are logged in through the AAA client. The Purge Logged in Users button appears below the table.
b. Click Purge Logged in Users.
ACS displays a message, which shows the number of users who are purged from the report and the IP address of the AAA client.
Viewing the Disabled Accounts Report
To view the Disabled Accounts report:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click Disabled Accounts.
The Select a user account to edit page displays disabled user accounts, the account status, and the group to which the user account is assigned.
Tip To print this list, click anywhere in the right window and print the window from your browser.
Step 3 To edit a user account listed, in the User column, click the username.
ACS opens the user account for editing.
For more information about editing a user account, see Basic User Setup Options, page 6-2.
Viewing the Appliance Status Report
To view the Appliance Status report:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click Appliance Status Page.
The Appliance Status report appears in the right pane of the browser.
Tip To print this list, click anywhere in the right window and print the window from your browser.
Viewing and Downloading Entitlement Reports
You can download the CSV User Entitlement report file of mappings of users to groups. You can download a report of all administrators and their privileges as well as reports or privileges for each individual administrator. You can also view the reports for individual administrators in the ACS web interface.
To view and download entitlement reports:
Step 1 In the navigation bar, click Reports and Activity.
Step 2 Click Entitlement Reports.
The Entitlement Reports page appears.
Step 3 To download the User Entitlement report:
a. Click Download report for mappings of users to groups.
The browser displays a dialog box for accepting and saving the CSV file.
b. Choose a location where you want to save the CSV file, and click Save.
Step 4 To download the privilege report for all administrators:
a. Click Download Privilege Report for All Administrators.
The browser displays a dialog box for accepting and saving the CSV file.
b. Choose a location where you want to save the CSV file, and click Save.
Step 5 To view and download the privilege report for an individual administrator:
a. Click Privilege Report for Admin, where Admin is the name of the administrator account.
The report appears in the right pane of the browser.
Tip To print this list, click anywhere in the right pane and print the window from your browser.
b. To download the CSV log file, click Download in the right pane of the browser.
The browser displays a dialog box for accepting and saving the CSV file.
c. Choose a location where you want to save the CSV file, and click Save.
Update Packets in Accounting Logs
Whenever you configure ACS to record accounting data for user sessions, ACS records start and stop packets. If you want, you can configure ACS to record update packets, too. In addition to providing interim accounting information during a user session, update packets drive password-expiry messages via the ACS Authentication Agent. In this use, the update packets are called watchdog packets.
Note To record update packets in ACS accounting logs, you must configure your AAA clients to send the update packets. For more information about configuring your AAA client to send update packets, refer to the documentation for your AAA clients.
•Logging Update Packets Locally—To log update packets according to the local ACS logging configuration, enable the Log Update/Watchdog Packets from this Access Server option for each AAA client in Network Configuration.
For more information on setting this option for a AAA client, see Adding AAA Clients, page 3-11.
•Logging Update Packets Remotely—To log update packets on a remote logging server, enable the Log Update/Watchdog Packets from this remote AAA Server option for the remote server AAA Server table entry on the local ACS.
For more information on setting this option for a AAA server, see Adding AAA Servers, page 3-16.
Logging Configuration Pages Reference
The following topics describe the logging configuration pages.
•Logging Configuration Page
•Critical Loggers Configuration Page
•Remote Logging Setup Page
•Remote Agents Reports Configuration Page (ACS SE only)
•CSV log File Configuration Page
•Syslog log Configuration Page
•ODBC log Configuration Page (ACS for Windows only)
Logging Configuration Page
The Logging Configuration page is the starting point for configuring loggers and individual logs.
To open this page, choose System Configuration > Logging.
Related Topics
•Configuring ACS Logs
•Remote Logging for ACS for Windows
•Remote Logging for ACS SE with ACS Remote Agents
Critical Loggers Configuration Page
Use the Critical Loggers Configuration page to configure critical loggers for accounting logs to guarantee delivery of these logs to at least one logger.
To open this page, choose System Configuration > Logging. In the Logging Configuration Page, click the Critical Loggers Configuration link.
Table 10-8 Critical Loggers Configuration Page
Option
|
Description
|
RADIUS accounting critical logger
|
Specifies the critical logger for RADIUS accounting logs.
|
TACACS+ accounting critical logger
|
Specifies the critical logger for TACACS+ accounting logs.
|
VoIP accounting critical logger
|
Specifies the critical logger for VoIP accounting logs.
|
Note We do not recommend that you configure a syslog logger as a critical logger; because, according to syslog standards, syslog message logging is not guaranteed.
Related Topics
Configuring Critical Loggers
Remote Logging Setup Page
Use the Remote Logging Setup page to configure to which remote loggers to send logs from the local ACS.
To open this page, choose System Configuration > Logging. In the Logging Configuration Page, click the Remote Logging Servers Configuration link.
Table 10-9 Remote Logging Setup Page
Option
|
Description
|
Do not log remotely
|
Disables logging to remote loggers.
|
Log to all selected remote log services
|
Sends logging data to all remote loggers in the Selected Log Services list.
|
Log to subsequent remote log services on failure
|
Sends logging information for this ACS server to one remote logger. ACS logs to the first accessible remote logger in the Selected Log Services list.
Use this option when you want to configure ACS to send logging data to the next remote logger in the Selected Log Services list only if the first remote logger fails.
|
Log Services lists
|
These lists contain the ACS servers that are configured in the AAA Services table.
The right (->) and left (<-) arrow buttons add and remove logging services to and from the Selected Log Services list.
The Up and Down buttons order the logging services in the Selected Log Services list.
|
Related Topics
•Remote Logging for ACS for Windows
•Remote Logging for ACS SE with ACS Remote Agents
Remote Agents Reports Configuration Page (ACS SE only)
Use the Remote Agent Reports Configuration page on the ACS SE that the remote agent is configured to use as its configuration provider, to configure log content and log file management for all logs recorded on the remote agent.
To open this page, choose System Configuration > Logging. In the Logging Configuration Page, click the Remote Agent Reports Configuration link.
Table 10-10 Logging Configuration Page
Option
|
Description
|
Remote Logging Reports table
|
Displays which logs are enabled for the remote agent. The Configure links open the individual configuration page for each log.
|
Related Topics
Configuring Remote Agent Logs on the Configuration Provider
CSV log File Configuration Page
Use the CSV log File Configuration page to enable logging to an individual local or remote CSV logger, and configure the content and file management of that log.
To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click Configure for a log in the CSV column.
For an ACS SE configuration provider, to enable remote logging to a remote agent, click Remote Agent Reports Configuration, then click Configure for a log.
Note For ACS SE, there are no configurable options for local CSV Audit logs.
Table 10-11 CSV log File Configuration Page
Option
|
Description
|
Enable Logging
|
Contains the option to enable or disable the log.
|
Log to CSV log report check box
|
Enables or disables logging to the selected logger.
Note This check box is grayed out for CSV Audit logs, which are always enabled.
|
Configure Log Content
(AAA-related reports only)
|
Contains the options to specify which attributes will be logged.
|
Select Columns to Log
|
The Attribute list contain attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.
The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.
The Up and down buttons order the attributes in the Logged Attributes list.
|
Reset Columns button
|
Sets the attributes in the Logged Attributes list back to the default selections.
|
Log File Management
(ACS for Windows and Remote Agent Reports configuration only)
|
Contains log file management options.
|
Generate New File
|
Specifies when ACS or the remote agent should generate a new CSV file:
•Every day—At 12:01 A.M. local time every day.
•Every week—At 12:01 A.M. local time every Sunday.
•Every month—At 12:01 A.M. on the first day of every month.
•When size is greater than x KB—When the current file reaches the size, which you enter in kilobytes, in the X box.
|
Directory
|
The directory to which ACS or the remote agent writes the CSV log file. We recommend that you specify the full path including drive letter, otherwise the file location will be relative to the installation directory. If the remote agent server uses Sun Solaris, the path must begin at the root directory, such as /usr/data/acs-logs.
|
Manage Directory
|
Manages which CSV files are retained.
|
Keep only the last X files
|
Limits the number of CSV files that are retained. Enter the maximum number of files you want to retain in the X box.
|
Delete files older than X days
|
Limits the age of the CSV files that are retained. Enter the number of days to retain a CSV file before deleting it.
|
Related Topics
•Configuring a CSV Log
•Configuring the Remote Logging Server
•Configuring Remote Agent Logs on the Configuration Provider
Syslog log Configuration Page
Use the Syslog log File Configuration page to enable logging to up to two syslog loggers, and configure the content of those logs.
To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click Configure for a log in the Syslog column.
Table 10-12 Syslog log File Configuration Page
Option
|
Description
|
Enable Logging
|
Contains the option to enable or disable the log.
|
Log to syslog log report check box
|
Enables or disables logging to the selected logger. The default is disabled.
|
Configure Log Content
(AAA-related reports only)
|
Contains the options to specify which attributes will be logged.
|
Select Columns to Log
|
The Attribute list contain attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.
The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.
The Up and down buttons order the attributes in the Logged Attributes list.
|
Reset Columns button
|
Sets the attributes in the Logged Attributes list back to the default selections.
|
Syslog Servers
|
Contains options to configure up to two syslog logging servers.
|
IP
|
Specifies the IP addresses of the syslog servers.
|
Port
|
Specifies the ports of the syslog servers to which log messages will be sent.
|
Max message length (bytes)
|
Specifies the maximum message length of syslog messages, in bytes. The default length, which is the recommended length for a standard syslog server, is 1024 bytes. If the syslog is used as a proxy you can reduce the message length to allow some room for the proxy headers.
The minimum value allowed is 200 bytes.
|
Related Topics
•Configuring Syslog Logging
•Configuring the Remote Logging Server
ODBC log Configuration Page (ACS for Windows only)
Use the ODBC log Configuration page to enable logging to an individual ODBC logger, and configure the content and connection settings for ACS to the ODBC database.
To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click the icon by the name of a log in the ODBC column.
Table 10-13 ODBC log Configuration Page
Option
|
Description
|
Enable Logging
|
Contains the option to enable or disable the log.
|
Log to ODBC log report check box
|
Enables or disables logging to the selected logger. The default is disabled.
|
Configure Log Content
(AAA-related reports only)
|
Contains the options to specify which attributes will be logged.
|
Select Columns to Log
|
The Attribute list contain attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.
The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.
The Up and down buttons order the attributes in the Logged Attributes list.
|
Reset Columns button
|
Sets the attributes in the Logged Attributes list back to the default selections,
|
ODBC Connection Settings
|
Contains options for ACS to communicate with the ODBC database.
|
Data Source list
|
The system DSN that you created to allow ACS to send ODBC logging data to your relational database.
|
Username
|
The username of a user account in your relational database (up to 80 characters).
Note The user must have sufficient privileges in the relational database to write the ODBC logging data to the appropriate table.
|
Password
|
The password (up to 80 characters) for the specified relational database user account
|
Table Name
|
The name (up to 80 characters) of the table to which you want ODBC logging data appended.
|
Create Table Statement
|
Contains the option to display a SQL create table statement.
|
Show Create Table button
|
Displays a SQL create table statement for Microsoft SQL Server. The statement appears in the right panel of the ACS window.
The table name is the name that is specified in the Table Name field. The column names are the attributes that are specified in the Logged Attributes list.
Note The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table.
|
Related Topics
•Configuring an ODBC Log (ACS for Windows only)
•Configuring the Remote Logging Server
Service Control Page Reference
Use the Services Log File Configuration page to enable or disable logging of services logs, and configure the detail and file management of that log.
To open this page, choose System Configuration > Service Control.
You must click the Restart button for these options to take effect.
Table 10-14 Services Log File Configuration Page
Option
|
Description
|
Cisco Secure ACS on <server>
|
Displays whether ACS services are running or stopped.
|
Services Log File Configuration
|
Contains options to enable, disable, and configure logging of services.
|
Level of Detail
|
Disables logging, or sets the level of logging:
•None—No log file is generated.
•Low—Only start and stop actions are logged. This is the default setting.
•Full—All services actions are logged. Use this option when collecting data for customer support. This option provides customer support with enough data to research potential issues. Ensure that you have sufficient disk space to handle your log entries.
|
Log File Management
(ACS for Windows only)
|
Contains log file management options.
|
Generate New File
|
Select when ACS or the remote agent should generate a new CSV file:
•Every day—At 12:01 A.M. local time every day.
•Every week—At 12:01 A.M. local time every Sunday.
•Every month—At 12:01 A.M. on the first day of every month.
•When size is greater than x KB—When the current file reaches the size, that you enter, in kilobytes, in the X box.
|
Manage Directory
|
Check to manage which CSV files are retained.
|
Keep only the last X files
|
Select to limit the number of CSV files that are retained. Enter the maximum number of files to retain in the X box.
|
Delete files older than X days
|
Select to limit the age of the CSV files that are retained. Enter the number of days to retain a CSV file before deleting it.
|
Related Topics
Configuring Service Logs
Reports Page Reference
Use this page to access and download ACS CSV reports.
To open this page, click Reports and Activity in the navigation bar.
Table 10-15 Reports Page
Option
|
Description
|
TACACS+ Accounting Reports
|
Displays TACACS+ accounting reports, which contain a record of all successful authentications for the applicable item during the period that the report covers.
|
TACACS+ Administration Reports
|
Displays TACACS+ Administration reports, which contain all TACACS+ commands requested during the period that the report covers. This information is typically used when you use ACS to manage access to routers.
|
RADIUS Accounting Report
|
Displays RADIUS accounting reports, which contain a record of all successful authentications for the applicable item during the period that the report covers.
|
VoIP Accounting Reports
|
Displays VoIP accounting reports, which contain a record of all successful authentications for the applicable item during the period that the report covers.
|
Passed Authentications
|
Displays Passed Authentications reports, which list successful authentications during the period that the report covers.
|
Failed Attempts
|
Displays the Failed Attempts reports, which contain a record of all unsuccessful authentications during the period that the report covers for TACACS+ and RADIUS. The reports capture the username attempted, time and date, and cause of failure.
|
Logged-in Users
|
Displays all users currently logged in, grouped by AAA client. You can delete logged-in users from specific AAA clients or from all AAA clients.
|
Disabled Accounts
|
Displays accounts that have been disabled.
|
ACS Backup and Restore
|
Displays ACS Backup and Restore reports, which list dates and times that the ACS system information was backed up and restored and whether the action was successful.
|
RDBMS Synchronization
|
Displays RDBMS Synchronization reports, which contain the times the RDBMS database was synchronized and whether synchronization was manual or scheduled.
This report is available only if you enable this option in the Interface Configuration > Advanced Options page.
|
Database Replication
|
Displays Database Replication reports, which contain the times the ACS Internal Database was replicated to the backup server and whether replication was manual or scheduled.
This report is available only if you enable this option in the Interface Configuration > Advanced Options page.
|
Administration Audit
|
Displays Administration Audit reports, which contain a list of the administrators who accessed ACS on the applicable date, the actions they made or attempted to make, and the time of the action. Examples of actions logged include starting and stopping the administration session, editing user and group data, and changing the network configuration.
|
User Password Changes
|
Displays User Password Changes reports, which contain information about user-initiated changes to passwords stored in the ACS internal database.
|
ACS Service Monitoring
|
Displays ACS Service Monitoring reports, which contain a log of the events that ACS encounters when it attempts to monitor services, such as CSAdmin. This information includes events for the Active Service Monitor, CSMon, which is a service.
|
Entitlement Reports
|
Lists the available user and administrator entitlement reports. The user entitlement report lists all users with their group, Network Access Profile (NAP) if relevant, and the mapping type (static or dynamic). the administrator entitlement reports lists privileges of administrators.
|
Appliance Status Page (ACS SE only)
|
Displays current statistics about hardware resource usage with information about the IP network configuration and network interface card of the ACS appliance.
|
Appliance Administration Audit (ACS SE only)
|
Displays Appliance Administration Audit reports, which contain a list of activity on the serial console of the ACS appliance. It records when the appliance administrator account is used to log in, the commands issued during the serial console session, and when the administrator logs out, ending the session.
|
Related Topics
•About ACS Logs and Reports
•Viewing and Downloading Reports
Feedback
