07-10-2008 05:57 AM
Hi
I'm trying to get MARS 4.3 and my Cisco ACS 4.2 server working together to display NAC events on MARS. I've added the server which runs CSACS under Security/Monitor Devices, added the reporting application of Cisco Secure ACS 3.x (does this matter that there is no option for 4.x, should this still work?) and have installed the PNLogAgent on the CSACS server and configured it to forward logs to MARS. The problem is that I have users who are being quarantined by NAC and the CSACS server shows these in the logs, yet I don't see any event on the MARS server to reflect this.
Is there something I'm missing here? Thanks
Jason Humes
07-16-2008 06:12 AM
Follow the URL for the user guide for the Cisco Security MARS, which will help you:
09-02-2008 11:55 AM
Jason,
I have a few ACS servers set up with the PN agent and I'm not seeing anything in MARS either. Everything was set up per the documentation.
Any luck on your issue?
09-03-2008 08:27 AM
Is this an ACS appliance or ACS running on your own Windows server?
Yes, there is no problem with ACS 3.x in the GUI; as per the user guide, ACS 4.x versions should also be added as ACS 3.x. And I just set this up yesterday for a customer using an ACS SE appliance without any issues.
Did you Add the MARS IP and Log files in the PN Log agent?
Regards
Farrukh
09-03-2008 08:33 AM
Not to hijack this thread.... but if I do an incident query by the ACS server IP (Windows running ACS 3.3) I don't see anything. I figure there should at least be some sort of log or activity.
09-03-2008 08:55 AM
Don't do a query for incidents. Do a 'real-time' query for 'Raw Events' selecting ONLY the ACS as the reporting device. Then try to generate any ACS related events from NAS/NAC devices, and then observe the output. You can also query for past raw events reported by the ACS Sw-Host.
Regards
Farrukh
09-03-2008 09:52 AM
Thanks much. I think I have the correct parameters:
Query type: Event Raw Messages ranked by Time, Real Time(raw events)
with my ACS server as the source IP and destination is ANY.
Does this look right?
09-03-2008 12:21 PM
Source IP field does not need to be changed, you need to change the 'reporting device'. Remove ANY and add ACS only.
Since ACS is supported from Cisco, I would assume they have made some rules for it. Try to generate failed attempts etc. 3-4 times and not just once; maybe Cisco put a 'higher' count than 1 for the rule.
Regards
Farrukh
09-03-2008 10:30 AM
Well, I was able to verify it's receiving logs from my ACS servers by doing a "retrieve raw messages" in System Maintenance. I assume this is good enough for verification purposes?
Is there a canned rule that deals w/ ACS events or do I need to make a new one?
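Two points from the replies above are easy to get wrong when checking whether ACS events reach MARS: the raw-event query must be filtered on the reporting device (the ACS host), not on the source IP inside the event, and a correlation rule may need several matching events within a window before it fires. The script below is an added illustration of both, not code from this thread or from Cisco; the event tuple layout and the sample records are constructed for the example and are not the real ACS CSV or MARS export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, reporting_device, source_ip, event_type, user).
# The layout is an assumption for this example, not the real ACS/MARS record format.
SAMPLE_EVENTS = [
    ("2008-09-03 08:00:01", "10.0.0.5", "10.1.1.20", "Failed Attempt", "jdoe"),
    ("2008-09-03 08:00:12", "10.0.0.5", "10.1.1.20", "Failed Attempt", "jdoe"),
    ("2008-09-03 08:00:25", "10.0.0.5", "10.1.1.20", "Failed Attempt", "jdoe"),
    ("2008-09-03 08:00:40", "10.0.0.5", "10.1.1.20", "Failed Attempt", "jdoe"),
    ("2008-09-03 08:05:00", "10.0.0.5", "10.1.1.21", "Passed Authentication", "asmith"),
    ("2008-09-03 08:06:00", "10.0.0.7", "10.1.1.22", "Failed Attempt", "bwong"),
    ("2008-09-03 08:10:00", "10.0.0.5", "10.1.1.23", "NAC Quarantine", "cray"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def raw_events_by_reporting_device(events, reporting_device):
    """Mimic a MARS 'Raw Events' query filtered on the reporting device.

    The filter is on the device that *reported* the event (the ACS host), not on
    the source IP carried inside the event, which is the NAS or endpoint."""
    return [e for e in events if e[1] == reporting_device]


def threshold_rule_hits(events, event_type, count, window_seconds):
    """Emulate a rule that fires only once `count` events of `event_type` from the
    same user arrive within `window_seconds`. Returns a list of (user, timestamp)
    for each firing; a single event never fires when count > 1."""
    hits = []
    recent = defaultdict(deque)          # per-user timestamps inside the window
    for ts, _dev, _src, etype, user in sorted(events, key=lambda e: parse_ts(e[0])):
        if etype != event_type:
            continue
        t = parse_ts(ts)
        window = recent[user]
        window.append(t)
        while window and (t - window[0]) > timedelta(seconds=window_seconds):
            window.popleft()             # drop events older than the window
        if len(window) >= count:
            hits.append((user, ts))
            window.clear()               # one burst fires the rule once
    return hits
```

Querying on `"10.1.1.20"` (a source IP) returns nothing, which is exactly the mistake the thread warns about, while a count-3-in-60s rule fires once for the burst of four failures from `jdoe` and never for the single failure from `bwong`.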