Syslog configuration in Cisco ACS

Unanswered Question
Feb 19th, 2012
User Badges:

Hi All ,

I want send ACS logs to a syslog server .I have configured syslog under  System Administration --> Configuration -->Remote Log Targets .

Name : Syslog Server

IP     : x.x.x.x

Port : 514

Facility Code:Local 6

Maximum length :1024

I have open the respective ports also in firewall .

But Syslog server is not getting any logs from ACS .

I have another log target ,which is ACS secondary server to collect the log from primary and secondary with below config.whch is working fine

Name :Logcollector

IP     : x.x.x.x

Port : 20514

Facility Code:Local 6

Maximum length :1024

Kindly Advice ..

Thanks ,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Dan-Ciprian Cicioiu Sun, 02/19/2012 - 03:05
User Badges:
  • Gold, 750 points or more

Hi ,

Look at the ports. First one is 514 , the second is 20514.

Dan Sun, 02/19/2012 - 04:55
User Badges:

HI ,

Port - Port to which the syslog server listens. The default is 514. The value can be from 1 to 65535.

Regards ,

Dan-Ciprian Cicioiu Sun, 02/19/2012 - 05:25
User Badges:
  • Gold, 750 points or more

If I understood well , the syslog server has the port changed from 514 to 20514 , right ?


jrabinow Sun, 02/19/2012 - 13:46
User Badges:
  • Cisco Employee,

After adding a new log traget you need to select the log categories that will be sent to that log target

Go to

System Administration > Configuration > Log Configuration > Logging Categories > Global

Click on a category: eg Passed Authentications

Select remote Syslog tab. If want to send messages in this category to the new log target then select the log target in the list of "Select Targets"

Note this GUI is hierarchical, so if make a change for example to "AAA Audit" it applies to both "Failed Attempts' and "Passed Authentications" category Sun, 02/19/2012 - 23:12
User Badges:


Thanks for your reply .I have already done the above configuration .Still syslog is not getting logs .

Logs from the ACS is reaching to log collector of syslog server .there is some problem with log fromat it seems .

Kindly advice do we need to do any other configurations ,other than the above .

Thanks & Regards ,


jrabinow Sun, 02/19/2012 - 23:20
User Badges:
  • Cisco Employee,

There is no further configuration required. You mentioned that logs are reaching the log collector of syslog server. I do not know what format issues you are seeing Mon, 02/20/2012 - 01:20
User Badges:

The  logs receiving is not in proper format .unable to understand the details in logs .Please find the below example

"Feb 20 12:48:40 ACS0   CSCOacs_Passed_Authentications: 0000412469 3 0 2012-02-20 12:48:40.225 +04:00 0188387558 5200 NOTICE Passed-Authentication: Authentication succeeded, ACSVersion=acs-, ConfigVersionId=868, Device IP Address=x.x.x.x, UserName=frad.cole, Protocol=Radius, RequestLatency=24, NetworkDeviceName=dxb-palmj-pop-s93-bds1a, User-Name=frad.cole, NAS-IP-Address=x.x.x.x, NAS-Port=0, Service-Type=Administrative, Framed-Protocol=X.75 Synchronous, Framed-IP-Address=x.x.x.x, Login-IP-Host=x.x.x.x, NAS-Identifier=Dxb-PalmJ-POP-S93-BDS-1A, NAS-Port-Type=-1, NAS-Port-Id=slot=0\;subslot=0\;port=0\;vlanid=0, AcsSessionID=OACS0/109447559/11612656, AuthenticationIdentityStore=AD1, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Radius Rules, SelectedAuthorizationProfiles=JUNIPER-Activation-Ent, SelectedAuthorizationProfiles=Radius-CiscoAVPair-lvl-1, IdentityGroup=IdentityGroup:All Groups:Migrated_Group:Enterprise-Activation, Step=11001 "

Is there any other setting to get the logs in proper fromat .

Do we need to change the "Facility Code:Local 6" to some other values .

Kindly advice .


This Discussion