CS-MARS v6 only receives "generic AAA events" from ACS v4.0

Unanswered Question
Feb 28th, 2009

I have steup CS MARS v6.x to retrieve events from an ACS v4.0 server. I have a PN agent runnung on the ACS server looking at the FAILED ATTEMPTS, PASSED AUTHENTICATION, RADIUS ADMIN, and TACACS ACCOUNTING active log files. The only event that fires on the MARS system is "generic AAA event" which by default does not show in the incidents page without a custom rule, and I can only tell what happens (E.g TACACS start/stop) by looking in the raw data within th incident.

Is this correct ? I would have thought that other AAA events would fire as there are many in the the MARS database, is this a limitation of ACS v4.0 ?

Can any one help ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
nowcommsupport Thu, 03/05/2009 - 08:17

I had alrwady followed the guide to the letter.

I have now found out what the issue was. Although we are running CSACS version 4.0 you have to configure the application in MARS as CSACS version 3.x and not CSACS version 4.x.

Thanks for the post.

Craig Hyps Fri, 03/06/2009 - 13:00

If using the pnlogagent, then configure MARS to use ACS 3.x. This assumes that the log agent retrieves and sends info collected in the CSV log files. If using this method, regardless if using ACS 3.x or 4.x, select the ACS 3.x option in MARS.

MARS 6.x can receive the ACS logs via Syslog. To use this option, the pnlogagent is not required. Configure ACS to log data to Syslog rather than CSV. To use this option, select ACS 4.x option for sw on a host, or ACS SE 4.x for the appliance-based solution.

Hope that clarifies. For more info, see:

http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp778686

chyps

Actions

This Discussion