CS-MARS v6 only receives "generic AAA events" from ACS v4.0

Unanswered Question
Feb 28th, 2009
User Badges:

I have steup CS MARS v6.x to retrieve events from an ACS v4.0 server. I have a PN agent runnung on the ACS server looking at the FAILED ATTEMPTS, PASSED AUTHENTICATION, RADIUS ADMIN, and TACACS ACCOUNTING active log files. The only event that fires on the MARS system is "generic AAA event" which by default does not show in the incidents page without a custom rule, and I can only tell what happens (E.g TACACS start/stop) by looking in the raw data within th incident.


Is this correct ? I would have thought that other AAA events would fire as there are many in the the MARS database, is this a limitation of ACS v4.0 ?


Can any one help ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
nowcommsupport Thu, 03/05/2009 - 08:17
User Badges:

I had alrwady followed the guide to the letter.


I have now found out what the issue was. Although we are running CSACS version 4.0 you have to configure the application in MARS as CSACS version 3.x and not CSACS version 4.x.


Thanks for the post.

Craig Hyps Fri, 03/06/2009 - 13:00
User Badges:
  • Cisco Employee,

If using the pnlogagent, then configure MARS to use ACS 3.x. This assumes that the log agent retrieves and sends info collected in the CSV log files. If using this method, regardless if using ACS 3.x or 4.x, select the ACS 3.x option in MARS.


MARS 6.x can receive the ACS logs via Syslog. To use this option, the pnlogagent is not required. Configure ACS to log data to Syslog rather than CSV. To use this option, select ACS 4.x option for sw on a host, or ACS SE 4.x for the appliance-based solution.


Hope that clarifies. For more info, see:

http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp778686


chyps

Actions

This Discussion