Logging

There are 2 basic types of logs generated by Cisco Secure ACS 2.3 for Windows NT Server (CiscoSecure  ACS).

CSV logs can be written to the local hard drive, a selected remote host, or both. Debug logs are written to the local hard drive only.

CSV Log Files

CiscoSecure  ACS generates CSV log files for the following administrative and accounting events:


Note: Accounting log files are not replicated during database replication.

CSV log files are also generated for the following system events:

When a system action takes place, the event is logged in the Administration or Accounting report. You can view any of the last several reports in the Reports and Activity window of CiscoSecure  ACS.

When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. Files are listed in chronological order, with the most recent file at the top of the list. The reports are named and listed by the date on which they were created; for example, 1998-10-05.csv was created on October 5, 1998.

Files are in comma-separated-value (csv) format, so you can import them into spreadsheets using most popular spreadsheet application software. See your spreadsheet software manufacturer's documentation for instructions.

Remote Logging

The Remote Logging feature helps you simplify the process of gathering the accounting logs generated on each CiscoSecure  ACS. Each CiscoSecure  ACS can be configured to point to a centralized CiscoSecure  ACS to be used as the Logging Server. The Logging Server still has all the capabilities of a AAA  server but also becomes a central repository for all the accounting logs it receives. The Remote Logging feature allows you to send the accounting data directly to the CSLOG service on the Remote Logging Server, where the record is then written into the .CSV file. Enabling the Send Accounting Information feature sends the accounting information to the CSAuth service, which uses the accounting packet to control access to CiscoSecure  ACS via the Max Sessions feature. You can view the connection status in the Reports and Activity: List Logged on Users window.

If you want to keep each CiscoSecure  ACS' logs on its own local hard drive, click the Do not Log Remotely button.

Implementing and Configuring Remote Logging

To implement remote logging, you must first define the CiscoSecure  ACS to be used as the logging server in the AAA  Servers Table on each of the remote CiscoSecure  ACSes. (See the "AAA Servers" section in "Distributed Systems.") Follow these steps:

Step 1 Click System Configuration: Logging: Remote Logging.

Step 2 Click Log to All Selected Hosts.

Step 3 In the Log Servers column, highlight the name of the server(s) to which you want to send the accounting logs.

Step 4 Click the right arrow to move it to the Log To column.

Step 5 Repeat these steps on each remote CiscoSecure  ACS.

Configuring Backup Logging Hosts

To configure one or more backup logging servers that will receive accounting logs if the primary logging server goes out of service, follow these steps:

Step 1 Click System Configuration: Logging: Remote Logging.

Step 2 Click Log to Subsequent Selected Hosts on Failure.

Step 3 In the Log Servers column, highlight the name of the server that is to be the primary logging host.

Step 4 Click the right arrow to move it to the Log To column.

Step 5 Highlight the name of the server that is to be the first backup logging host. Logs will be sent to these servers only if the primary server goes out of service.

Step 6 Repeat Step 5 for any additional backup logging hosts you want to configure. Logs will be sent to these servers only if the primary server and the backup servers listed above it go out of service.

Step 7 If necessary, click the Up or Down buttons to move the server into a higher or lower priority.

Step 8 Repeat these steps on each remote CiscoSecure  ACS.

Failed Attempts Log

The Failed Attempts log is a list of failed authentication and authorization attempts, including the reasons for failure, which can include expired accounts, disabled accounts, and exceeding the allowed authentication attempts count.

To enable Failed Attempts logging, follow these steps:

Step 1 Click System Configuration: Logging: Failed Attempts.

Step 2 Click Log to Failed Attempts report.

Step 3 Select one of the following column layout options:

Step 4 If you selected the Custom Column Layout option, in the Attributes column, highlight the name of the attribute to be included.

Step 5 Click the right arrow to move it to the Logged Attributes column.

Step 6 Repeat Step 4 and Step 5 for any additional attributes you want to include.

Step 7 If necessary, click the Up or Down buttons to move the attributes into a different position.

Step 8 Repeat these steps on each CiscoSecure  ACS for which you want to generate a Failed Attempts report.

Setting the Frequency of Failed Attempts Report Generation

There are 4 options for Failed Attempts report generation frequency:

Setting or Changing the Failed Attempts Report Directory

Enter the name of the directory on the hard drive to which the Failed Attempts Report will be written. This directory must already exist; CiscoSecure  ACS will not create it for you.

Managing the Failed Attempts Report Directory

There are 2 options for managing the Failed Attempts report directory:

RADIUS Accounting Log

The Remote Access Dial-In User Service (RADIUS) Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session.

To enable RADIUS Accounting logging, follow these steps:

Step 1 Click System Configuration: Logging: RADIUS Accounting.

Step 2 Click Log to RADIUS Accounting report.

Step 3 Select one of the following column layout options:

Step 4 If you selected the Custom Column Layout option, in the Attributes column, highlight the name of the attribute to be included.

Step 5 Click the right arrow to move it to the Logged Attributes column.

Step 6 Repeat Step 4 and Step 5 for any additional attributes you want to include.

Step 7 If necessary, click the Up or Down buttons to move the attributes into a different position.

Step 8 Repeat these steps on each CiscoSecure  ACS for which you want to generate a RADIUS Accounting report.

Setting the Frequency of RADIUS Accounting Report Generation

There are 4 options for RADIUS Accounting report generation frequency:

Setting or Changing the RADIUS Accounting Report Directory

Enter the name of the directory on the hard drive to which the RADIUS Accounting Report will be written. This directory must already exist; CiscoSecure  ACS will not create it for you.

Managing the RADIUS Accounting Report Directory

There are 2 options for managing the RADIUS Accounting report directory:

TACACS+ Accounting Log

The TACACS+ Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session.

To enable TACACS+ Accounting logging, follow these steps:

Step 1 Click System Configuration: Logging: TACACS+ Accounting.

Step 2 Click Log to TACACS+ Accounting report.

Step 3 Select one of the following column layout options:

Step 4 If you selected the Custom Column Layout option, in the Attributes column, highlight the name of the attribute to be included.

Step 5 Click the right arrow to move it to the Logged Attributes column.

Step 6 Repeat Step 4 and Step 5 for any additional attributes you want to include.

Step 7 If necessary, click the Up or Down buttons to move the attributes into a different position.

Step 8 Repeat these steps on each CiscoSecure  ACS for which you want to generate a TACACS+ Accounting report.

Setting the Frequency of TACACS+ Accounting Report Generation

There are 4 options for TACACS+ Accounting report generation frequency:

Setting or Changing the TACACS+ Accounting Report Directory

Enter the name of the directory on the hard drive to which the TACACS+ Accounting Report will be written. This directory must already exist; CiscoSecure  ACS will not create it for you.

Managing the TACACS+ Accounting Report Directory

There are two options for managing the TACACS+ Accounting report directory:

TACACS+ Administration Log

The TACACS+ Administration log is a list of configuration commands entered for a TACACS+ NAS.

To enable TACACS+ Administration logging, follow these steps:

Step 1 Click System Configuration: Logging: TACACS+ Administration.

Step 2 Click Log to TACACS+ Administration report.

Step 3 Select one of the following column layout options:

Step 4 If you selected the Custom Column Layout option, in the Attributes column, highlight the name of the attribute to be included.

Step 5 Click the right arrow to move it to the Logged Attributes column.

Step 6 Repeat Step 4 and Step 5 for any additional attributes you want to include.

Step 7 If necessary, click the Up or Down buttons to move the attributes into a different position.

Step 8 Repeat these steps on each CiscoSecure  ACS for which you want to generate a TACACS+ Administration report.

Setting the Frequency of TACACS+ Administration Report Generation

There are 4 options for TACACS+ Administration report generation frequency:

Setting or Changing the TACACS+ Administration Report Directory

Enter the name of the directory on the hard drive to which the TACACS+ Administration Report will be written. This directory must already exist; CiscoSecure  ACS will not create it for you.

Managing the TACACS+ Administration Report Directory

There are 2 options for managing the TACACS+ Administration report directory:

MS Domain Name and External User Database Account Information

If you log in to the Windows  NT domain or use an external user database for authentication, CiscoSecure  ACS will log your Windows  NT domain name or external user database account information in all applicable reports if you configure it to do so. Follow these steps:

Step 1 Click System Configuration.

Step 2 Click Logging.

Step 3 Click the name of the applicable report.

Step 4 Select Custom Columns.

Step 5 In the Attributes column, click ExtDB Info.

Step 6 Click the right arrow to move ExtDB Info into the Logged Attributes column.

Log Packet Filter

To configure CiscoSecure  ACS to log watchdog packets, follow these steps:

Step 1 Click Network Configuration.

Step 2 Click the name of the NAS. If you are using distributed systems and proxy, you can alternatively click the name of the AAA server. If you are using network device groups (NDGs), first click the name of the NDG, then click the name of the NAS or AAA server.

Step 3 Check the Log Update/Watchdog Packets from the Access Server check box.

Step 4 Click Submit or Submit & Restart.

User-defined Attributes

Most user-defined attributes appear in the Reports & Activity logs if you configure them to do so. Follow these steps:

Step 1 Click System Configuration.

Step 2 Click Logging.

Step 3 Click the name of the applicable report.

Step 4 In the Attributes column, click the name of the applicable attribute.

Step 5 Click the right arrow to move the attribute into the Logged Attributes column.


Note: Custom Cisco IOS commands are not logged.

Remote Administrator Logging Records

CiscoSecure  ACS generates reports of remote administrator activities. These are configured in Administration Control and appear in Reports & Activity: Administrator Reports.

Logged-in Users Lists

You can view a list of users who are currently logged in to each NAS on the network. The Logged-In Users List shows the following information:

To view the Logged-in Users List, follow these steps:

Step 1 Click Reports & Activity: Logged-in Users.

Step 2 In the Select a NAS window, click the name of the NAS whose information you want to view, or click All NASes to view the information for all NASes on the network at once.

Debug Logs

Debug logs are used for troubleshooting purposes only. Debug logs contain a record of all the CiscoSecure  ACS services' actions and activities. These logs are generated whenever you log in to Windows  NT and the services are started, whether or not the HTML interface is started, and whether or not you are using the service. For example, RADIUS debug logs are created even if you are not using the RADIUS protocol in your network.

Services Logged

Logs are generated for the following services:

These files are located in the \Logs subdirectory of the applicable service's directory. For example, the default directory for the CiscoSecure authentication service is:

c:\Program Files\CiscoSecure ACS  v2.3\CSAuth\Logs

The most recent debug log is named as follows:

SERVICE.log

where SERVICE is the name of the applicable service.

Older debug logs are named as follows:

SERVICE 1998-10-13.log

where SERVICE is the name of the applicable service.
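
The naming rules above (SERVICE.log for the most recent debug log, SERVICE 1998-10-13.log for older ones, and date-named CSV reports such as 1998-10-05.csv) are enough to pick out files that have aged past a retention window before they are archived or deleted. The following Python is an added example, not Cisco code; the paths, the sample file names, and the function names classify and past_retention are constructed for illustration.

```python
import re
from datetime import date
from pathlib import PureWindowsPath

# Name patterns taken from the conventions described on this page.
DATED_LOG = re.compile(r"^(?P<service>.+) (?P<day>\d{4}-\d{2}-\d{2})\.log$", re.I)
CURRENT_LOG = re.compile(r"^(?P<service>[^.]+)\.log$", re.I)
CSV_REPORT = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})\.csv$", re.I)

def classify(path):
    """Return (kind, service, day) for a log path, or None if the name does not fit."""
    name = PureWindowsPath(path).name
    for kind, pattern in (("debug-old", DATED_LOG), ("csv-report", CSV_REPORT)):
        m = pattern.match(name)
        if m:
            try:
                day = date.fromisoformat(m.group("day"))
            except ValueError:
                return None  # looks dated but is not a real calendar date
            return kind, m.groupdict().get("service"), day
    m = CURRENT_LOG.match(name)
    if m:
        return "debug-current", m.group("service"), None
    return None

def past_retention(paths, today, keep_days):
    """List dated files older than keep_days; the live SERVICE.log is never selected."""
    old = []
    for p in paths:
        info = classify(p)
        if info and info[2] is not None and (today - info[2]).days > keep_days:
            old.append(p)
    return old

# Constructed sample listing (hypothetical paths that follow the page's patterns).
SAMPLE = [
    r"c:\acs\CSAuth\Logs\CSAuth.log",
    r"c:\acs\CSAuth\Logs\CSAuth 1998-10-13.log",
    r"c:\acs\CSAuth\Logs\CSAuth 1998-11-30.log",
    r"c:\acs\Logs\Failed Attempts\1998-10-05.csv",
    r"c:\acs\CSAuth\Logs\CSAuth 1998-13-40.log",
    r"c:\acs\CSAuth\Logs\notes.txt",
]

if __name__ == "__main__":
    for p in past_retention(SAMPLE, date(1998, 12, 1), keep_days=30):
        print(p)
```

Because the most recent SERVICE.log has no date in its name, it is never returned, so a cleanup job built on this cannot remove the file a service is still writing.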

Configuring Debug Logs

To configure the debug log, in the HTML interface, click System Configuration: Service Control. In this window you can configure the following settings:

Setting Levels of Detail for Debug Logs

There are 3 options for level of detail:

The more detailed the logs and the more files you keep, the more disk space is required, so if your network is running correctly, it is not necessary to keep logs for a long time.

Setting the Frequency of Debug Log Generation

There are 4 options for debug log generation frequency:

Managing the Log Directories

There are 2 options for managing the debug log directories:


Posted: Mon Feb 1 13:39:23 PST 1999
Copyright 1989-1999©Cisco Systems Inc.