CiscoSecure ACS 2.4 for Windows NT User Guide
Logging

Table of Contents

Logging
CSV and ODBC Log Files
Failed Attempts Log
RADIUS Accounting Log
TACACS+ Accounting Log
TACACS+ Administration Log
VoIP Accounting
Remote Logging
MS Domain Name and External User Database Account Information
Log Packet Filter
User-defined Attributes
Remote Administrator Logging Records
Logged-in Users List
Debug Logs

Logging


There are three types of logs generated by Cisco Secure ACS 2.4 for Windows NT Server (CiscoSecure ACS).

  • Comma-separated value (CSV) accounting and administration logs
  • Open DataBase Connectivity (ODBC) compatible accounting and administration logs
  • Debug logs

CSV logs can be written to the local hard drive, a selected remote host, or both. ODBC logs are written to the database server. Debug logs are written to the local hard drive only.

CSV and ODBC Log Files

CiscoSecure ACS generates CSV and ODBC log files for the administrative and accounting events for the protocols and options you have enabled.


Note      Accounting log files are not replicated during database replication.


  • Failed Attempts—Lists authentication and authorization failures, and indicates the cause of the failure.
  • RADIUS Accounting—Lists when sessions stop and start; records network access server (NAS) messages with each username; provides calling line identification (CLID) information; records the duration of each session.
  • TACACS+ Accounting—Lists when sessions stop and start; records NAS messages with each username; provides CLID information; records the duration of each session.
  • TACACS+ Administration—Lists configuration commands entered for a Terminal Access Controller Access Control System (TACACS+) NAS.
  • VoIP Accounting—Lists when Voice over IP (VoIP) sessions stop and start; records NAS messages with each username; provides CLID information; records the duration of each VoIP session.

CSV log files are also generated for the following system events:

  • Administration audit
  • Backup and restore
  • Logged-in users
  • Disabled accounts
  • Database replication
  • RDBMS synchronization
  • ACS Service monitoring

When a system action takes place, the event is logged in the Administration or Accounting report. You can view any of the last several reports in the Reports and Activity window of CiscoSecure ACS.

When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. Files are listed in chronological order, with the most recent file at the top of the list. The reports are named and listed by the date on which they were created; for example, 1999-10-05.csv was created on October 5, 1999.


Note      If you select Day/Month/Year format, a file created on 5 October 1999 will be named 1999-05-10.csv. See the "Date Format Control" section in the "Step-by-Step Configuration for CiscoSecure ACS" chapter for instructions.


Files in CSV format can be imported into spreadsheets using most popular spreadsheet application software. See your spreadsheet software manufacturer's documentation for instructions. Files in ODBC format can be viewed on your database server. See your database manufacturer's documentation for more information.


Note      In the examples in the following sections, type refers to the type of log you want to generate, either CSV or ODBC.


If you plan to use ODBC logging, you must first create the System DSN and tables for the selected database. The RDBMS account you give CiscoSecure ACS for the DSN needs only permission to insert into the logging tables; do not use a database administrator account for it.

Failed Attempts Log

The Failed Attempts log is a list of failed authentication and authorization attempts, including the reasons for failure, which can include expired accounts, disabled accounts, and exceeding the allowed authentication attempts count.

To enable Failed Attempts logging, follow these steps:


Step 1   Click System Configuration: Logging: type Failed Attempts.

Step 2   Click Log to type Failed Attempts report.

Step 3   In the Attributes column, highlight the name of the attribute to be included.

Step 4   Click the right arrow to move it to the Logged Attributes column.

Step 5   Repeat Step 3 and Step 4 for any additional attributes you want to include.

Step 6   If necessary, click Up or Down to move the attributes into a different position.


Note To return to the default column layout, click Reset Columns.


Step 7   Repeat these steps on each CiscoSecure ACS for which you want to generate a Failed Attempts report.
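The reasons recorded in this report are what make it useful beyond troubleshooting: a run of failures for one account is password guessing, and a short burst of failures across many accounts from one caller is password spraying. The following Python script is an added example, not part of CiscoSecure ACS or of this guide. It reads a CSV Failed Attempts report by its header names, so it works with whatever attributes you moved into the Logged Attributes column, and flags both patterns. The sample report, its column names (Caller-ID, Authen-Failure-Code, NAS-IP-Address) and the MM/DD/YYYY date layout inside rows are constructed assumptions; change the field names to match your own report.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a CSV Failed Attempts report. The column set is an
# assumption: the real header row is whatever you moved into the Logged
# Attributes column, so everything below keys on header names, not positions.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
10/05/1999,09:00:01,Authen failed,alice,Default Group,5551001,Invalid password,192.0.2.10
10/05/1999,09:00:04,Authen failed,alice,Default Group,5551001,Invalid password,192.0.2.10
10/05/1999,09:00:09,Authen failed,alice,Default Group,5551001,Invalid password,192.0.2.10
10/05/1999,09:00:15,Authen failed,alice,Default Group,5551001,Invalid password,192.0.2.10
10/05/1999,09:00:20,Authen failed,alice,Default Group,5551001,Invalid password,192.0.2.10
10/05/1999,09:30:00,Authen failed,bob,Default Group,5551002,Invalid password,192.0.2.10
10/05/1999,11:00:00,Authen failed,carol,Default Group,5551003,Account disabled,192.0.2.11
10/05/1999,11:00:02,Authen failed,dave,Default Group,5551003,Invalid password,192.0.2.11
10/05/1999,11:00:05,Authen failed,erin,Default Group,5551003,Invalid password,192.0.2.11
10/05/1999,11:00:07,Authen failed,frank,Default Group,5551003,Invalid password,192.0.2.11
"""

ONE_MINUTE = timedelta(minutes=1)


def parse_failed_attempts(text, date_format="%m/%d/%Y"):
    """Read the report and attach a datetime built from the Date and Time
    columns. The in-row date layout is an assumption; pass "%d/%m/%Y" if the
    server uses the Day/Month/Year date format. Rows come back in time order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["Date"] + " " + row["Time"], date_format + " %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def burst_alerts(rows, key_field, threshold, window):
    """Sliding-window count of failures per value of key_field (a username for
    password guessing, a NAS or Caller-ID for a noisy source). Returns
    {key: time at which the threshold was first reached}."""
    recent = defaultdict(deque)
    alerts = {}
    for row in rows:
        key = row[key_field]
        q = recent[key]
        q.append(row["timestamp"])
        while q and row["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = row["timestamp"]
    return alerts


def spray_alerts(rows, source_field, min_users, window):
    """Password spraying looks different: one source, few failures per
    account, many accounts. Returns {source: sorted usernames} for sources
    that fail for at least min_users distinct accounts within window."""
    recent = defaultdict(deque)
    alerts = {}
    for row in rows:
        src = row[source_field]
        q = recent[src]
        q.append(row)
        while q and row["timestamp"] - q[0]["timestamp"] > window:
            q.popleft()
        users = {r["User-Name"] for r in q}
        if len(users) >= min_users and src not in alerts:
            alerts[src] = sorted(users)
    return alerts


def failure_code_counts(rows):
    """Totals per failure reason, to separate disabled or expired accounts
    (housekeeping) from bad passwords (possible attack)."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["Authen-Failure-Code"]] += 1
    return dict(counts)


def analyze(text):
    rows = parse_failed_attempts(text)
    return {
        "bursts": burst_alerts(rows, "User-Name", 5, ONE_MINUTE),
        "spray": spray_alerts(rows, "Caller-ID", 4, ONE_MINUTE),
        "codes": failure_code_counts(rows),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_FAILED_ATTEMPTS).items():
        print(name, result)
```

Run it as a script to see the three results for the sample; for a real report, read the day's file from the report directory and pass its text to analyze. The thresholds (five failures per account within a minute, four distinct accounts per caller within a minute) are starting points to tune against the failure rate you normally see.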

Setting the Frequency of CSV Failed Attempts Report Generation

There are four options for CSV Failed Attempts report generation frequency:

  • Every day—Generate a new file every day, beginning at midnight.
  • Every week—Generate a new file every week, beginning at midnight on Sunday.
  • Every month—Generate a new file every month, beginning at midnight on the first day of the month.
  • When size is greater than x KB—Generate a new file when the size of the current file reaches the number of kilobytes you enter.

Setting or Changing the CSV Failed Attempts Report Directory

Enter the name of the directory on the hard drive to which the CSV Failed Attempts Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.

Managing the CSV Failed Attempts Report Directory

There are two options for managing the CSV Failed Attempts report directory:

  • Keep only the last x files—Keep the most recent x files, where x is the number you enter. The default is 7.
  • Delete files older than x days—Delete all files older than x days old, where x is the number you enter. The default is 7.

Note If you select Delete files older than x days, only log files from previous days are candidates for deletion; today's log files are always kept. Because several log files can be generated for a single day, this option does not by itself bound the space the directory uses. To make sure your hard disk has sufficient free space, check your log file directories and delete unnecessary files manually. With the default of 7 and daily report generation, either option discards Failed Attempts records after a week; if you need them for audit or investigation, raise the value or copy the files elsewhere before they are removed.


Configuring the ODBC Connection Settings

If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.

  • Data Source—Select an ODBC Datasource to be used to connect to the RDBMS in which the logging data is to reside.
  • Username—Enter your RDBMS username.
  • Password—Enter any password required by the RDBMS for the ODBC connection.
  • Table Name—The Table Name field contains the name of the table to use.

Show Create Table

If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.


Note      The generated command is for Microsoft SQL Server (MS-SQL) only. If you are using Microsoft Access or another ODBC database, see your database software manufacturer's documentation.


RADIUS Accounting Log

The Remote Authentication Dial-In User Service (RADIUS) Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session. If you are using VoIP, you can configure CiscoSecure ACS to include the VoIP accounting information in this log. See the "Select Logging Mode" section for more information.

To enable RADIUS Accounting logging, follow these steps:


Step 1   Click System Configuration: Logging: type RADIUS Accounting.

Step 2   Click Log to type RADIUS Accounting report.

Step 3   In the Attributes column, highlight the name of the attribute to be included.

Step 4   Click the right arrow to move it to the Logged Attributes column.

Step 5   Repeat Step 3 and Step 4 for any additional attributes you want to include.

Step 6   If necessary, click Up or Down to move the attributes into a different position.


Note To return to the default column layout, click Reset Columns.


Step 7   Repeat these steps on each CiscoSecure ACS for which you want to generate a RADIUS Accounting report.

Setting the Frequency of CSV RADIUS Accounting Report Generation

There are four options for CSV RADIUS Accounting report generation frequency:

  • Every day—Generate a new file every day, beginning at midnight.
  • Every week—Generate a new file every week, beginning at midnight on Sunday.
  • Every month—Generate a new file every month, beginning at midnight on the first day of the month.
  • When size is greater than x KB—Generate a new file when the size of the current file reaches the number of kilobytes you enter.

Setting or Changing the CSV RADIUS Accounting Report Directory

Enter the name of the directory on the hard drive to which the CSV RADIUS Accounting Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.

Managing the CSV RADIUS Accounting Report Directory

There are two options for managing the RADIUS Accounting report directory:

  • Keep only the last x files—Keep the most recent x files, where x is the number you enter. The default is 7.
  • Delete files older than x days—Delete all files older than x days old, where x is the number you enter. The default is 7.

Note If you select Delete files older than x days, only log files from previous days are candidates for deletion; today's log files are always kept. Because several log files can be generated for a single day, this option does not by itself bound the space the directory uses. To make sure your hard disk has sufficient free space, check your log file directories and delete unnecessary files manually.


Configuring the ODBC Connection Settings

If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.

  • Data Source—Select an ODBC Datasource to be used to connect to the RDBMS in which the logging data is to reside.
  • Username—Enter your RDBMS username.
  • Password—Enter any password required by the RDBMS for the ODBC connection.
  • Table Name—The Table Name field contains the name of the table to use.

Show Create Table

If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.


Note      The generated command is for Microsoft SQL Server (MS-SQL) only. If you are using Microsoft Access or another ODBC database, see your database software manufacturer's documentation.


TACACS+ Accounting Log

The TACACS+ Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session.

To enable TACACS+ Accounting logging, follow these steps:


Step 1   Click System Configuration: Logging: type TACACS+ Accounting.

Step 2   Click Log to type TACACS+ Accounting report.

Step 3   In the Attributes column, highlight the name of the attribute to be included.

Step 4   Click the right arrow to move it to the Logged Attributes column.

Step 5   Repeat Step 3 and Step 4 for any additional attributes you want to include.

Step 6   If necessary, click Up or Down to move the attributes into a different position.


Note To return to the default column layout, click Reset Columns.


Step 7   Repeat these steps on each CiscoSecure ACS for which you want to generate a TACACS+ Accounting report.

Setting the Frequency of CSV TACACS+ Accounting Report Generation

There are four options for CSV TACACS+ Accounting report generation frequency:

  • Every day—Generate a new file every day, beginning at midnight.
  • Every week—Generate a new file every week, beginning at midnight on Sunday.
  • Every month—Generate a new file every month, beginning at midnight on the first day of the month.
  • When size is greater than x KB—Generate a new file when the size of the current file reaches the number of kilobytes you enter.

Setting or Changing the CSV TACACS+ Accounting Report Directory

Enter the name of the directory on the hard drive to which the CSV TACACS+ Accounting Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.

Managing the CSV TACACS+ Accounting Report Directory

There are two options for managing the CSV TACACS+ Accounting report directory:

  • Keep only the last x files—Keep the most recent x files, where x is the number you enter. The default is 7.
  • Delete files older than x days—Delete all files older than x days old, where x is the number you enter. The default is 7.

Note If you select Delete files older than x days, only log files from previous days are candidates for deletion; today's log files are always kept. Because several log files can be generated for a single day, this option does not by itself bound the space the directory uses. To make sure your hard disk has sufficient free space, check your log file directories and delete unnecessary files manually.


Configuring the ODBC Connection Settings

If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.

  • Data Source—Select an ODBC Datasource to be used to connect to the RDBMS in which the logging data is to reside.
  • Username—Enter your RDBMS username.
  • Password—Enter any password required by the RDBMS for the ODBC connection.
  • Table Name—The Table Name field contains the name of the table to use.

Show Create Table

If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.


Note      The generated command is for Microsoft SQL Server (MS-SQL) only. If you are using Microsoft Access or another ODBC database, see your database software manufacturer's documentation.


TACACS+ Administration Log

The TACACS+ Administration log is a list of configuration commands entered for a TACACS+ NAS.

To enable TACACS+ Administration logging, follow these steps:


Step 1   Click System Configuration: Logging: type TACACS+ Administration.

Step 2   Click Log to type TACACS+ Administration report.

Step 3   In the Attributes column, highlight the name of the attribute to be included.

Step 4   Click the right arrow to move it to the Logged Attributes column.

Step 5   Repeat Step 3 and Step 4 for any additional attributes you want to include.

Step 6   If necessary, click Up or Down to move the attributes into a different position.


Note To return to the default column layout, click Reset Columns.


Step 7   Repeat these steps on each CiscoSecure ACS for which you want to generate a TACACS+ Administration report.

Setting the Frequency of CSV TACACS+ Administration Report Generation

There are four options for CSV TACACS+ Administration report generation frequency:

  • Every day—Generate a new file every day, beginning at midnight.
  • Every week—Generate a new file every week, beginning at midnight on Sunday.
  • Every month—Generate a new file every month, beginning at midnight on the first day of the month.
  • When size is greater than x KB—Generate a new file when the size of the current file reaches the number of kilobytes you enter.

Setting or Changing the CSV TACACS+ Administration Report Directory

Enter the name of the directory on the hard drive to which the CSV TACACS+ Administration Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.

Managing the CSV TACACS+ Administration Report Directory

There are two options for managing the CSV TACACS+ Administration report directory:

  • Keep only the last x files—Keep the most recent x files, where x is the number you enter. The default is 7.
  • Delete files older than x days—Delete all files older than x days old, where x is the number you enter. The default is 7.

Note If you select Delete files older than x days, only log files from previous days are candidates for deletion; today's log files are always kept. Because several log files can be generated for a single day, this option does not by itself bound the space the directory uses. To make sure your hard disk has sufficient free space, check your log file directories and delete unnecessary files manually.


Configuring the ODBC Connection Settings

If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.

  • Data Source—Select an ODBC Datasource to be used to connect to the RDBMS in which the logging data is to reside.
  • Username—Enter your RDBMS username.
  • Password—Enter any password required by the RDBMS for the ODBC connection.
  • Table Name—The Table Name field contains the name of the table to use.

Show Create Table

If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.


Note      The generated command is for Microsoft SQL Server (MS-SQL) only. If you are using Microsoft Access or another ODBC database, see your database software manufacturer's documentation.


VoIP Accounting

If you are using Voice over IP (VoIP), you can generate an accounting log for VoIP users.


Note      VoIP accounting is available for RADIUS users only.


You enable VoIP accounting the same as described in the "RADIUS Accounting Log" section, with the addition of the information in the following "Select Logging Mode" section.

Select Logging Mode

(This option appears on the CSV VoIP Accounting logging page only.) This option allows you to change where the VoIP accounting data is logged:

  • Standard—Select this option to have the raw VoIP accounting data appended to the RADIUS accounting data. To view this data, click Reports & Activity: RADIUS Accounting. If you select this option, no separate VoIP Accounting log is generated.
  • Separate—Select this option to have VoIP accounting data logged to a separate CSV file. Raw VoIP accounting data will not appear in the RADIUS Accounting log. To view the data, click Reports & Activity: VoIP Accounting.
  • Combined—Select this option to have VoIP accounting data both appended to the RADIUS accounting data and logged separately to a CSV file. To view the data click Reports & Activity and either RADIUS Accounting or VoIP Accounting.

Remote Logging

The Remote Logging feature helps you simplify the process of gathering the accounting logs (including VoIP RADIUS accounting logs if configured) generated on each CiscoSecure ACS. Each CiscoSecure ACS can be configured to point to a centralized CiscoSecure ACS to be used as the Logging Server. The Logging Server still has all the capabilities of an AAA server but also becomes a central repository for all the accounting logs it receives.

The Remote Logging feature sends the accounting data directly to the CSLog service on the Remote Logging Server, where the record is then written into the CSV or ODBC file. The Send Accounting Information feature is different: it sends the accounting information to the CSAuth service, which uses the accounting packet to control access to CiscoSecure ACS via the Max Sessions feature. You can view the connection status CSV file in the Reports and Activity: List Logged on Users window. You can view the ODBC file on your database server.

If you want to keep each CiscoSecure ACS' CSV logs on the local hard drive, click Do not Log Remotely.

Implementing and Configuring Remote Logging

Remote Logging is available for CSV files only. (ODBC files are always logged to the ODBC database server.) To implement remote logging, you must first define the CiscoSecure ACS to be used as the logging server in the AAA Servers Table on each of the remote CiscoSecure ACSes. (See the "AAA Servers" section.) Follow these steps:


Step 1   Click System Configuration: Logging: Remote Logging.

Step 2   Click Log to All Selected Hosts.

Step 3   In the Log Servers column, highlight the name of the server(s) to which you want to send the accounting logs.

Step 4   Click the right arrow to move it to the Log To column.

Step 5   Repeat these steps on each remote CiscoSecure ACS.

Configuring Backup Logging Hosts

To configure one or more backup logging servers that will receive CSV accounting logs if the primary logging server goes out of service, follow these steps:


Step 1   Click System Configuration: Logging: Remote Logging.

Step 2   Click Log to Subsequent Selected Hosts on Failure.

Step 3   In the Log Servers column, highlight the name of the server that is to be the primary logging host.

Step 4   Click the right arrow to move it to the Log To column.

Step 5   Highlight the name of the server that is to be the first backup logging host. Logs will be sent to these servers only if the primary server goes out of service.

Step 6   Repeat Step 5 for any additional backup logging hosts you want to configure. Logs will be sent to these servers only if the primary server and the backup servers listed above it go out of service.

Step 7   If necessary, click Up or Down to move the server into a higher or lower priority.

Step 8   Repeat these steps on each remote CiscoSecure ACS.

MS Domain Name and External User Database Account Information

If users are authenticated against the Windows NT domain or an external user database, CiscoSecure ACS can record the Windows NT domain name or the external user database account information in all applicable reports. To enable this, follow these steps:


Step 1   Click System Configuration.

Step 2   Click Logging.

Step 3   Click the name of the applicable report.

Step 4   Select Custom Columns.

Step 5   In the Attributes column, click ExtDB Info.

Step 6   Click the right arrow to move ExtDB Info into the Logged Attributes column.

Log Packet Filter

To configure CiscoSecure ACS to log update/watchdog packets (the accounting updates a NAS sends periodically while a session is in progress), follow these steps:


Step 1   Click Network Configuration.

Step 2   Click the name of the NAS. If you are using distributed systems and proxy, you can alternatively click the name of the AAA server. If you are using network device groups (NDGs), first click the name of the NDG, then click the name of the NAS or AAA server.

Step 3   Check the Log Update/Watchdog Packets from the Access Server check box.

Step 4   Click Submit or Submit & Restart.

User-defined Attributes

Most user-defined attributes appear in the Reports & Activity logs if you configure them to do so. Follow these steps:


Step 1   Click System Configuration.

Step 2   Click Logging.

Step 3   Click the name of the applicable report.

Step 4   In the Attributes column, click the name of the applicable attribute.

Step 5   Click the right arrow to move the attribute into the Logged Attributes column.


Note      Custom Cisco IOS commands are not logged.


Remote Administrator Logging Records

CiscoSecure ACS generates reports of remote administrator activities. These are configured in Administration Control and appear in Reports & Activity: Administrator Reports.

Logged-in Users List

You can view a list of users who are currently logged in to each NAS on the network.


Note      To use the logged-in user list, you must set up your NAS to perform Authentication and Accounting using the same protocol—either TACACS+ or RADIUS.


The Logged-In Users List shows the following information:

  • Date—Date that the user originally logged in.
  • Time—Time at which the user originally logged in.
  • User—Username. This appears as a link that you can click to open the User Setup window and view this user's information.
  • Group—Group to which the user belongs.
  • Assigned IP Address—User's IP address.

Note If the user is logged in via Telnet, this information is not available.


  • Port—NAS port through which the user logged in. If you are using proxy with TACACS+ NASes, you always see a normal port name (for example, tty0 rather than tty0#01020304).
  • Source NAS—NAS through which the user logged in. If no proxy is set up, Source NAS is the same as the IP address of the actual NAS.

To view the Logged-in Users List, follow these steps:


Step 1   Click Reports & Activity: Logged-in Users.

Step 2   In the Select a NAS window, click the name of the NAS whose information you want to view, or click All NASes to view the information for all NASes on the network at once.
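Because the Logged-in Users list is built from the accounting records the NAS sends, it can be reconstructed offline from the RADIUS Accounting CSV report, and reconstructing it is also a way to check that the accounting feed is consistent. The following Python script is an added example, not part of CiscoSecure ACS or of this guide. It replays Start, Stop and update records into sessions, produces the open sessions in the same columns as the Logged-in Users list, computes each completed session's duration from the timestamps, and reports two anomalies: a Stop with no matching Start, which is what you get when a NAS sends accounting to this server but authenticated the session elsewhere (see the note above about using the same protocol for both), and a reported Acct-Session-Time that disagrees with the Start and Stop times. The sample report, its column names (standard RADIUS accounting attribute names are assumed) and the MM/DD/YYYY date layout are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a CSV RADIUS Accounting report. The column set is an
# assumption (standard RADIUS accounting attribute names); the real header is
# whatever you placed in Logged Attributes, so the code keys on names.
SAMPLE_RADIUS_ACCOUNTING = """\
Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,NAS-Port,NAS-IP-Address,Framed-IP-Address
10/05/1999,08:00:00,alice,Default Group,Start,0000A001,,1,192.0.2.10,10.1.1.5
10/05/1999,08:10:00,bob,Default Group,Start,0000A002,,2,192.0.2.10,10.1.1.6
10/05/1999,08:30:00,alice,Default Group,Stop,0000A001,1800,1,192.0.2.10,10.1.1.5
10/05/1999,08:45:00,carol,Default Group,Stop,0000B777,600,3,192.0.2.11,10.1.1.9
10/05/1999,09:00:00,bob,Default Group,Interim-Update,0000A002,3000,2,192.0.2.10,10.1.1.6
10/05/1999,09:05:00,dave,Default Group,Start,0000A003,,4,192.0.2.10,10.1.1.7
10/05/1999,09:50:00,dave,Default Group,Stop,0000A003,900,4,192.0.2.10,10.1.1.7
"""

# Allowed disagreement between the NAS-reported session time and the time
# span between the Start and Stop records (clock skew, queuing delay).
TOLERANCE_SECONDS = 60


def parse_accounting(text, date_format="%m/%d/%Y"):
    """Read the report and attach a datetime; the in-row date layout is an
    assumption, so pass "%d/%m/%Y" for a Day/Month/Year server."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["Date"] + " " + row["Time"], date_format + " %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def analyze_accounting(text):
    """Replay Start/Stop/update records into sessions and return the open
    sessions (Logged-in Users columns), completed sessions with observed
    duration, and anomalies in time order."""
    open_sessions = {}
    completed = []
    anomalies = []
    for row in parse_accounting(text):
        # Session IDs are unique per NAS, not globally, so key on both.
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        status = row["Acct-Status-Type"]
        if status == "Start":
            open_sessions[key] = row
        elif status == "Stop":
            start = open_sessions.pop(key, None)
            if start is None:
                anomalies.append(("stop-without-start", row["User-Name"], row["Acct-Session-Id"]))
                continue
            observed = int((row["timestamp"] - start["timestamp"]).total_seconds())
            completed.append((row["User-Name"], row["Acct-Session-Id"], observed))
            reported = int(row["Acct-Session-Time"] or 0)
            if abs(observed - reported) > TOLERANCE_SECONDS:
                anomalies.append(("session-time-mismatch", row["User-Name"], row["Acct-Session-Id"]))
        elif key in open_sessions:
            # Update/watchdog packets only prove the session is still alive.
            open_sessions[key]["last_seen"] = row["timestamp"]
    logged_in = [
        {"Date": s["Date"], "Time": s["Time"], "User": s["User-Name"],
         "Group": s["Group-Name"], "Assigned IP Address": s["Framed-IP-Address"],
         "Port": s["NAS-Port"], "Source NAS": s["NAS-IP-Address"],
         "Last Seen": s.get("last_seen", s["timestamp"]).isoformat()}
        for s in sorted(open_sessions.values(), key=lambda s: s["timestamp"])
    ]
    return {"logged_in": logged_in, "completed": completed, "anomalies": anomalies}


if __name__ == "__main__":
    for name, value in analyze_accounting(SAMPLE_RADIUS_ACCOUNTING).items():
        print(name, value)
```

In the sample, alice and dave have completed, carol's Stop arrives for a session this server never saw start, and dave's NAS reports 900 seconds for a session the timestamps show lasted 2700; only bob remains in the logged-in list, with the update packet recorded as the last time the NAS confirmed the session. A Start with no Stop and no update for longer than your NAS's update interval is the case to look at next: that is a stale entry in the list, and it counts against the user under Max Sessions.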

Debug Logs

Debug logs are used for troubleshooting purposes only. Debug logs contain a record of all the CiscoSecure ACS services' actions and activities. These logs are generated whenever you log in to Windows NT and the services are started, whether or not the HTML interface is started, and whether or not you are using the service. For example, RADIUS debug logs are created even if you are not using the RADIUS protocol in your network.

Services Logged

Logs are generated for the following services:

  • CSAdmin
  • CSAuth
  • CSDBSync
  • CSLog
  • CSMon
  • CSRadius
  • CSTacacs

These files are located in the \Logs subdirectory of the applicable service's directory. For example, the default directory for the CiscoSecure authentication service is:

c:\Program Files\CiscoSecure ACS v2.4\CSAuth\Logs

The most recent debug log is named as follows:

SERVICE.log

where SERVICE is the name of the applicable service.

Older debug logs are named with the year, month, and date they were created. For example, a file created on July 13, 1999, would be named:

SERVICE 1999-07-13.log

where SERVICE is the name of the applicable service.

If you selected the Day/Month/Year format, the file would be named:

SERVICE 1999-13-07.log

Configuring Debug Logs

To configure the debug log, in the HTML interface, click System Configuration: Service Control. In this window you can configure the following settings:

  • How much detail to include
  • How often to generate a new file
  • How long to keep files

Setting Levels of Detail for Debug Logs

There are three options for level of detail:

  • None—Use this option if your system has been running smoothly for a long time and you have confidence that no changes will be made to the network.
  • Low—(Default) Use this option during normal system operations.
  • Full—Use this option if requested to by Cisco Systems technical support.

The more detailed the logs and the more files you keep, the more disk space is required, so if your network is running correctly, it is not necessary to keep logs for a long time.

Setting the Frequency of Debug Log Generation

There are four options for debug log generation frequency:

  • Every day—Generate a new file every day, beginning at midnight.
  • Every week—Generate a new file every week, beginning at midnight on Sunday.
  • Every month—Generate a new file every month, beginning at midnight on the first day of the month.
  • When size is greater than x KB—Generate a new file when the size of the current file reaches the number of kilobytes you enter.

Managing the Log Directories

There are two options for managing the debug log directories:

  • Keep only the last x files—Keep the most recent x files, where x is the number you enter. The default is 7.
  • Delete files older than x days—Delete all files older than x days old, where x is the number you enter. The default is 7.

Note If you select Delete files older than x days, only log files from previous days are candidates for deletion; today's log files are always kept. Because several log files can be generated for a single day, this option does not by itself bound the space the directory uses. To make sure your hard disk has sufficient free space, check your log file directories and delete unnecessary files manually.
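The file naming convention described under "CSV and ODBC Log Files" and in this section, and the two directory management options that appear in every CSV report section and here, can be exercised without a server. The following Python script is an added example, not part of CiscoSecure ACS or of this guide. It decodes the date from report and debug log file names under both date formats and implements both retention options as the guide states them, which makes their difference visible: Keep only the last x files bounds the number of files, while Delete files older than x days leaves every file from today alone no matter how many there are. The directory listing and the date taken as today are constructed; scan_log_directory is the only part that reads a real directory.

```python
import os
from datetime import date


def log_file_date(filename, day_month_year=False):
    """Return the creation date encoded in a log file name, or None when the
    name carries no date (the current debug log, SERVICE.log).

    CSV reports are named by creation date (1999-10-05.csv); rotated debug
    logs add the service name (CSAuth 1999-07-13.log). Under the
    Day/Month/Year date format the day and month positions swap
    (1999-05-10.csv, CSAuth 1999-13-07.log), so the caller must say which
    format the server uses."""
    stem = filename.rsplit(".", 1)[0].split()[-1]
    parts = stem.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    year, first, second = (int(p) for p in parts)
    month, day = (second, first) if day_month_year else (first, second)
    return date(year, month, day)


def scan_log_directory(path, day_month_year=False):
    """name -> date for every dated file in a real log directory. Files whose
    name has no date (the active SERVICE.log) are never retention candidates."""
    dated = {}
    for name in os.listdir(path):
        d = log_file_date(name, day_month_year)
        if d is not None:
            dated[name] = d
    return dated


def delete_list_keep_last(files, keep):
    """'Keep only the last x files': everything except the `keep` newest files
    is deleted. This bounds the file count regardless of date."""
    newest_first = sorted(files, key=lambda name: files[name], reverse=True)
    return sorted(newest_first[keep:])


def delete_list_older_than(files, days, today):
    """'Delete files older than x days': a file is deleted when its date is
    more than `days` before `today`; today's files are always kept. This does
    not bound the count, since size-based rotation can create many files in
    one day."""
    return sorted(name for name, d in files.items()
                  if d != today and (today - d).days > days)


# Constructed listing of a CSV report directory, Year/Month/Day naming, and
# a constructed "today" so the results are reproducible.
SAMPLE_LISTING = ["1999-10-03.csv", "1999-10-05.csv", "1999-10-06.csv",
                  "1999-10-09.csv", "1999-10-12.csv", "1999-10-13.csv"]
TODAY = date(1999, 10, 13)


def sample_directory():
    return {name: log_file_date(name) for name in SAMPLE_LISTING}


if __name__ == "__main__":
    files = sample_directory()
    print("keep last 3 deletes:", delete_list_keep_last(files, 3))
    print("older than 7 days deletes:", delete_list_older_than(files, 7, TODAY))
    print("older than 0 days deletes:", delete_list_older_than(files, 0, TODAY))
```

The third line of output shows the rule from the note above: even with x set to 0, the file dated today survives. Note also that a file exactly x days old is not "older than x days" and is kept, so the default of 7 retains eight days of daily reports, today's included.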