Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CS-MARS v6 only receives "generic AAA events" from ACS v4.0

I have steup CS MARS v6.x to retrieve events from an ACS v4.0 server. I have a PN agent runnung on the ACS server looking at the FAILED ATTEMPTS, PASSED AUTHENTICATION, RADIUS ADMIN, and TACACS ACCOUNTING active log files. The only event that fires on the MARS system is "generic AAA event" which by default does not show in the incidents page without a custom rule, and I can only tell what happens (E.g TACACS start/stop) by looking in the raw data within th incident.

Is this correct ? I would have thought that other AAA events would fire as there are many in the the MARS database, is this a limitation of ACS v4.0 ?

Can any one help ?


Re: CS-MARS v6 only receives "generic AAA events" from ACS v4.0

MARS includes the PN Log Agent to monitor Cisco Secure ACS active log files (failed attempts, passed authentications, and RADIUS accounting). This agent pushes these log files via syslog to MARS. Please make sure you have configured as per the below document.

New Member

Re: CS-MARS v6 only receives "generic AAA events" from ACS v4.0

I had alrwady followed the guide to the letter.

I have now found out what the issue was. Although we are running CSACS version 4.0 you have to configure the application in MARS as CSACS version 3.x and not CSACS version 4.x.

Thanks for the post.

Cisco Employee

Re: CS-MARS v6 only receives "generic AAA events" from ACS v4.0

If using the pnlogagent, then configure MARS to use ACS 3.x. This assumes that the log agent retrieves and sends info collected in the CSV log files. If using this method, regardless if using ACS 3.x or 4.x, select the ACS 3.x option in MARS.

MARS 6.x can receive the ACS logs via Syslog. To use this option, the pnlogagent is not required. Configure ACS to log data to Syslog rather than CSV. To use this option, select ACS 4.x option for sw on a host, or ACS SE 4.x for the appliance-based solution.

Hope that clarifies. For more info, see: