|
|
There are three types of logs generated by Cisco Secure ACS 2.4 for Windows NT Server (CiscoSecure ACS).
CSV logs can be written to the local hard drive, a selected remote host, or both. ODBC logs are written to the database server. Debug logs are written to the local hard drive only.
CiscoSecure ACS generates CSV and ODBC log files for the administrative and accounting events for the protocols and options you have enabled.
CSV log files are also generated for the following system events:
When a system action takes place, the event is logged in the Administration or Accounting report. You can view any of the last several reports in the Reports and Activity window of CiscoSecure ACS.
When you select Logged-in Users or Disabled Accounts, a list of these users or accounts appears in the window on the right of the display. For all other types of reports, a list of applicable reports opens in the window on the right of the display. Files are listed in chronological order, with the most recent file at the top of the list. The reports are named and listed by the date on which they were created; for example, 1999-10-05.csv was created on October 5, 1999.
Files in CSV format can be imported into spreadsheets using most popular spreadsheet application software. See your spreadsheet software manufacturer's documentation for instructions. Files in ODBC format can be viewed on your database server. See your database manufacturer's documentation for more information.
If you plan to use ODBC logging, you must first create the System DSN and tables for the selected database.
The Failed Attempts log is a list of failed authentication and authorization attempts, including the reasons for failure, which can include expired accounts, disabled accounts, and exceeding the allowed authentication attempts count.
To enable Failed Attempts logging, follow these steps:
Step 1 Click System Configuration: Logging: type Failed Attempts.
Step 2 Click Log to type Failed Attempts report.
Step 3 In the Attributes column, highlight the name of the attribute to be included.
Step 4 Click the right arrow to move it to the Logged Attributes column.
Step 5 Repeat Step 3 and Step 4 for any additional attributes you want to include.
Step 6 If necessary, click Up or Down to move the attributes into a different position.
Step 7 Repeat these steps on each CiscoSecure ACS for which you want to generate a Failed Attempts report.
There are four options for CSV Failed Attempts report generation frequency:
Enter the name of the directory on the hard drive to which the CSV Failed Attempts Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.
There are two options for managing the CSV Failed Attempts report directory:
If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.
If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.
The Remote Access Dial-In User Service (RADIUS) Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session. If you are using VoIP, you can configure CiscoSecure ACS to include the VoIP accounting information in this log. See the "Select Logging Mode" section for more information.
To enable RADIUS Accounting logging, follow these steps:
Step 1 Click System Configuration: Logging: type RADIUS Accounting.
Step 2 Click Log to type RADIUS Accounting report.
Step 3 In the Attributes column, highlight the name of the attribute to be included.
Step 4 Click the right arrow to move it to the Logged Attributes column.
Step 5 Repeat Step 3 and Step 4 for any additional attributes you want to include.
Step 6 If necessary, click Up or Down to move the attributes into a different position.
Step 7 Repeat these steps on each CiscoSecure ACS for which you want to generate a RADIUS Accounting report.
There are four options for CSV RADIUS Accounting report generation frequency:
Enter the name of the directory on the hard drive to which the CSV RADIUS Accounting Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.
There are two options for managing the RADIUS Accounting report directory:
If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.
If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.
The TACACS+ Accounting log is a list of when sessions stop and start; NAS messages for each username; CLID information; and a record of the duration of each session.
To enable TACACS+ Accounting logging, follow these steps:
Step 1 Click System Configuration: Logging: type TACACS+ Accounting.
Step 2 Click Log to type TACACS+ Accounting report.
Step 3 In the Attributes column, highlight the name of the attribute to be included.
Step 4 Click the right arrow to move it to the Logged Attributes column.
Step 5 Repeat Step 3 and Step 4 for any additional attributes you want to include.
Step 6 If necessary, click Up or Down to move the attributes into a different position.
Step 7 Repeat these steps on each CiscoSecure ACS for which you want to generate a TACACS+ Accounting report.
There are four options for CSV TACACS+ Accounting report generation frequency:
Enter the name of the directory on the hard drive to which the CSV TACACS+ Accounting Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.
There are two options for managing the CSV TACACS+ Accounting report directory:
If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.
If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.
The TACACS+ Administration log is a list of configuration commands entered for a TACACS+ NAS.
To enable TACACS+ Administration logging, follow these steps:
Step 1 Click System Configuration: Logging: type TACACS+ Administration.
Step 2 Click Log to type TACACS+ Administration report.
Step 3 In the Attributes column, highlight the name of the attribute to be included.
Step 4 Click the right arrow to move it to the Logged Attributes column.
Step 5 Repeat Step 3 and Step 4 for any additional attributes you want to include.
Step 6 If necessary, click Up or Down to move the attributes into a different position.
Step 7 Repeat these steps on each CiscoSecure ACS for which you want to generate a TACACS+ Administration report.
There are four options for CSV TACACS+ Administration report generation frequency:
Enter the name of the directory on the hard drive to which the CSV TACACS+ Administration Report will be written. This directory must already exist; CiscoSecure ACS will not create it for you.
There are two options for managing the CSV TACACS+ Administration report directory:
If you are configuring ODBC reports, use the ODBC Connection Settings to define the settings for the RDBMS table.
If you are configuring ODBC reports, click this button to generate an SQL Create command that you can use to create a schema that reflects the attributes you have selected to log. These settings are dynamic and change according to the attributes you have selected.
If you are using Voice over IP (VoIP), you can generate an accounting log for VoIP users.
You enable VoIP accounting the same as described in the "RADIUS Accounting Log" section, with the addition of the information in the following "Select Logging Mode" section.
(This option appears on the CSV VoIP Accounting logging page only.) This option allows you to change where the VoIP accounting data is logged:
The Remote Logging feature helps you simplify the process of gathering the accounting logs (including VoIP RADIUS accounting logs if configured) generated on each CiscoSecure ACS. Each CiscoSecure ACS can be configured to point to a centralized CiscoSecure ACS to be used as the Logging Server. The Logging Server still has all the capabilities of a AAA server but also becomes a central repository for all the accounting logs it receives. The Remote Logging feature allows you to send the accounting data directly to the CSLOG service on the Remote Logging Server, where the record is then written into the CSV or ODBC file. Use the Send Accounting Information feature to send the accounting information to the CSAuth service, which uses the accounting packet to control access to CiscoSecure ACS via the Max Sessions feature. You can view the connection status CSV file in the Reports and Activity: List Logged on Users window. You can view the ODBC file on your database server.
If you want to keep each CiscoSecure ACS' CSV logs on the local hard drive, click Do not Log Remotely.
Remote Logging is available for CSV files only. (ODBC files are always logged to the ODBC database server.) To implement remote logging, you must first define the CiscoSecure ACS to be used as the logging server in the AAA Servers Table on each of the remote CiscoSecure ACSes. (See the "AAA Servers" section.) Follow these steps:
Step 1 Click System Configuration: Logging: Remote Logging.
Step 2 Click Log to All Selected Hosts.
Step 3 In the Log Servers column, highlight the name of the server(s) to which you want to send the accounting logs.
Step 4 Click the right arrow to move it to the Log To column.
Step 5 Repeat these steps on each remote CiscoSecure ACS.
To configure one or more backup logging servers that will receive CSV accounting logs if the primary logging server goes out of service, follow these steps:
Step 1 Click System Configuration: Logging: Remote Logging.
Step 2 Click Log to Subsequent Selected Hosts on Failure.
Step 3 In the Log Servers column, highlight the name of the server that is to be the primary logging host.
Step 4 Click the right arrow to move it to the Log To column.
Step 5 Highlight the name of the server that is to be the first backup logging host. Logs will be sent to these servers only if the primary server goes out of service.
Step 6 Repeat Step 5 for any additional backup logging hosts you want to configure. Logs will be sent to these servers only if the primary server and the backup servers listed above it go out of service.
Step 7 If necessary, click Up or Down to move the server into a higher or lower priority.
Step 8 Repeat these steps on each remote CiscoSecure ACS.
If you log in to the Windows NT domain or use an external user database for authentication, CiscoSecure ACS will log your Windows NT domain name or external user database account information in all applicable reports if you configure it to do so. Follow these steps:
Step 1 Click System Configuration.
Step 2 Click Logging.
Step 3 Click the name of the applicable report.
Step 4 Select Custom Columns.
Step 5 In the Attributes column, click ExtDB Info.
Step 6 Click the right arrow to move ExtDB Info into the Logged Attributes column.
To configure CiscoSecure ACS to log watchdog packets, follow these steps:
Step 1 Click Network Configuration.
Step 2 Click the name of the NAS. If you are using distributed systems and proxy, you can alternatively click the name of the AAA server. If you are using network device groups (NDGs), first click the name of the NDG, then click the name of the NAS or AAA server.
Step 3 Check the Log Update/Watchdog Packets from the Access Server check box.
Step 4 Click Submit or Submit & Restart.
Most user-defined attributes appear in the Reports & Activity logs if you configure them to do so. Follow these steps:
Step 1 Click System Configuration.
Step 2 Click Logging
Step 3 Click the name of the applicable report.
Step 4 In the Attributes column, click the name of the applicable attribute.
Step 5 Click the right arrow to move the attribute into the Logged Attributes column.
CiscoSecure ACS generates reports of remote administrator activities. These are configured in Administration Control and appear in Reports & Activity: Administrator Reports.
You can view a list of users who are currently logged in to each NAS on the network.
The Logged-In Users List shows the following information:
To view the Logged-in Users List, follow these steps:
Step 1 Click Reports & Activity: Logged-in Users.
Step 2 In the Select a NAS window, click the name of the NAS whose information you want to view, or click All NASes to view the information for all NASes on the network at once.
Logs are generated for the following services:
These files are located in the \Logs subdirectory of the applicable service's directory. For example, the default directory for the CiscoSecure authentication service is:
c:\Program Files\CiscoSecure ACS v2.4\CSAuth\Logs
The most recent debug log is named as follows:
SERVICE.log
where SERVICE is the name of the applicable service.
Older debug logs are named with the year, month, and date they were created. For example, a file created on July 13, 1999, would be named:
SERVICE 1999-07-13.log
where SERVICE is the name of the applicable service.
If you selected the Day/Month/Year format, the file would be named:
SERVICE 1999-13-07.log
To configure the debug log, in the HTML interface, click System Configuration: Service Control. In this window you can configure the following settings:
There are three options for level of detail:
The more detailed the logs and the more files you keep, the more disk space is required, so if your network is running correctly, it is not necessary to keep logs for a long time.
There are four options for debug log generation frequency:
There are two options for managing the debug log directories:
Posted: Fri Sep 24 11:11:31 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.