
CS-MARS v6 only receives "generic AAA events" from ACS v4.0

paultribe
Level 1

I have set up CS MARS v6.x to retrieve events from an ACS v4.0 server. I have a PN agent running on the ACS server looking at the FAILED ATTEMPTS, PASSED AUTHENTICATION, RADIUS ADMIN, and TACACS ACCOUNTING active log files. The only event that fires on the MARS system is "generic AAA event", which by default does not show in the incidents page without a custom rule, and I can only tell what happens (e.g. TACACS start/stop) by looking in the raw data within the incident.

Is this correct? I would have thought that other AAA events would fire, as there are many in the MARS database. Is this a limitation of ACS v4.0?

Can anyone help?

3 Replies

wong34539
Level 6

MARS includes the PN Log Agent to monitor Cisco Secure ACS active log files (failed attempts, passed authentications, and RADIUS accounting). This agent pushes these log files via syslog to MARS. Please make sure you have configured as per the below document.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp778907

I had already followed the guide to the letter.

I have now found out what the issue was. Although we are running CSACS version 4.0 you have to configure the application in MARS as CSACS version 3.x and not CSACS version 4.x.

Thanks for the post.

If using the pnlogagent, then configure MARS to use ACS 3.x. This assumes that the log agent retrieves and sends info collected in the CSV log files. If using this method, regardless if using ACS 3.x or 4.x, select the ACS 3.x option in MARS.

MARS 6.x can receive the ACS logs via Syslog. To use this option, the pnlogagent is not required. Configure ACS to log data to Syslog rather than CSV. To use this option, select ACS 4.x option for sw on a host, or ACS SE 4.x for the appliance-based solution.

Hope that clarifies. For more info, see:

http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp778686

chyps
