MARS 4.3 and NAC (CSACS 4.2) logging

jasonhumes
Level 1

Hi

I'm trying to get MARS 4.3 and my Cisco ACS 4.2 server working together to display NAC events on MARS. I've added the server which runs CSACS under Security/Monitor Devices, added the reporting application of Cisco Secure ACS 3.x (does it matter that there is no option for 4.x? Should this still work?), and have installed the PNLogAgent on the CSACS server and configured it to forward logs to MARS. The problem is that I have users who are being quarantined by NAC and the CSACS server shows these in the logs, yet I don't see any event on the MARS server to reflect this.

Is there something I'm missing here? Thanks

Jason Humes

8 Replies

thomas.chen
Level 6

Follow the URL for the user guide for Cisco Security MARS, which will help you:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/user/guide/local_controller/cfgover.html

js88888888
Level 1

Jason,

I have a few ACS servers set up with the PN agent and I'm not seeing anything in MARS either. Everything was set up per the documentation.

Any luck on your issue?

Is this an ACS appliance or ACS running on your own Windows server?

Yes, there is no problem with ACS 3.x in the GUI; as per the user guide, ACS 4.x should also be added as ACS 3.x. And I just set this up yesterday for a customer using an ACS SE appliance without any issues.

Did you add the MARS IP and log files in the PN Log Agent?

Regards

Farrukh

Not to hijack this thread... but if I do an incident query by the ACS server IP (Windows running ACS 3.3), I don't see anything. I figure there should at least be some sort of log or activity.

Don't do a query for incidents. Do a 'real-time' query for 'Raw Events', selecting ONLY the ACS as the reporting device. Then try to generate any ACS-related events from NAS/NAC devices and observe the output. You can also query for past raw events reported by the ACS Sw-Host.

Regards

Farrukh

Thanks much. I think I have the correct parameters:

Query type: Event Raw Messages ranked by Time, Real Time(raw events)

with my ACS server as the source IP and destination is ANY.

Does this look right?

Source IP field does not need to be changed, you need to change the 'reporting device'. Remove ANY and add ACS only.

Since ACS is supported by Cisco, I would assume they have made some rules for it. Try to generate failed attempts etc. 3-4 times and not just once; maybe Cisco put a 'higher' count than 1 for the rule.

Regards

Farrukh

Well, I was able to verify it's receiving logs from my ACS servers by doing a "retrieve raw messages" in System Maintenance. I assume this is good enough for verification purposes?

Is there a canned rule that deals with ACS events, or do I need to make a new one?
