I have steup CS MARS v6.x to retrieve events from an ACS v4.0 server. I have a PN agent runnung on the ACS server looking at the FAILED ATTEMPTS, PASSED AUTHENTICATION, RADIUS ADMIN, and TACACS ACCOUNTING active log files. The only event that fires on the MARS system is "generic AAA event" which by default does not show in the incidents page without a custom rule, and I can only tell what happens (E.g TACACS start/stop) by looking in the raw data within th incident.
Is this correct ? I would have thought that other AAA events would fire as there are many in the the MARS database, is this a limitation of ACS v4.0 ?
Can any one help ?