MARS 4.3 and NAC (CSACS 4.2) logging

Jul 10th, 2008


I'm trying to get MARS 4.3 and my Cisco ACS 4.2 server working together to display NAC events on MARS. I've added the server which runs CSACS under Security/Monitor Devices, added the reporting application of Cisco Secure ACS 3.x (does this matter that there is no option for 4.x, should this still work?) and have installed the PNLogAgent on the CSACS server and configured it to forward logs to MARS. The problem is that I have users who are being quarantined by NAC and the CSACS server shows these in the logs, yet I don't see any event on the MARS server to reflect this.

Is there something I'm missing here? Thanks

Jason Humes

js88888888 Tue, 09/02/2008 - 11:55


I have a few ACS servers set up with the PN agent and I'm not seeing anything in MARS either. Everything was set up per the documentation.

Any luck on your issue?

Farrukh Haroon Wed, 09/03/2008 - 08:27

Is this an ACS appliance or ACS running on your own Windows server?

Yes, there is no problem with ACS 3.x in the GUI; as per the user guide, ACS 4.x version should also be added as ACS 3.x. And I just set this up yesterday for a customer using an ACS SE appliance without any issues.

Did you add the MARS IP and log files in the PN Log agent?



js88888888 Wed, 09/03/2008 - 08:33

Not to hijack this thread.... but if I do an incident query by the ACS server IP (Windows running ACS 3.3) I don't see anything. I figure there should at least be some sort of log or activity.

Farrukh Haroon Wed, 09/03/2008 - 08:55

Don't do a query for incidents. Do a 'real-time' query for 'Raw Events' selecting ONLY the ACS as the reporting device. Then try to generate any ACS related events from NAS/NAC devices, and then observe the output. You can also query for past raw events reported by the ACS Sw-Host.



js88888888 Wed, 09/03/2008 - 09:52

Thanks much. I think I have the correct parameters:

Query type: Event Raw Messages ranked by Time, Real Time(raw events)

with my ACS server as the source IP and destination is ANY.

Does this look right?

Farrukh Haroon Wed, 09/03/2008 - 12:21

The Source IP field does not need to be changed; you need to change the 'reporting device'. Remove ANY and add ACS only.

Since ACS is supported by Cisco, I would assume they have made some rules for it. Try to generate failed attempts etc. 3-4 times and not just once; maybe Cisco put a 'higher' count than 1 for the rule.



js88888888 Wed, 09/03/2008 - 10:30

Well, I was able to verify it's receiving logs from my ACS servers by doing a "retrieve raw messages" in System Maintenance. I assume this is good enough for verification purposes?

Is there a canned rule that deals w/ ACS events or do I need to make a new one?

