Re: ACS -current log file CSMonLog Active.csv is showing blan

arindam.b.chatterjee · ‎09-21-2013

under ACS service monitoring TAB, the current log file CSMonLog Active.csv is showing blank ?

Could anyone let me know why this happens ?

Jatin Katyal · ‎09-21-2013

CSMon—CSMon service is responsible for the monitoring, recording, and notification of Cisco Secure CS ACS performance, and includes automatic response to some scenarios. For instance,TACACS+ and RADIUS service dies, CS ACS by default restarts all the services, unless otherwise configured. Monitoring includes monitoring the overall status of Cisco Secure ACS and the system on which it is running. CSMon actively monitors three basic sets of system parameters:

Generic host system state—monitors disk space, processor utilization, and memory utilization.

Application-specific performance—periodically performs a test login each minute using a special built-in test account by default.

System resource consumption by Cisco Secure ACS—CSMon periodically monitors and records the usage by Cisco Secure ACS of a small set of key system resources. Handles counts, memory utilization, processor utilization, thread used, and failed log-on attempts, and compares these to predetermined thresholds for indications of atypical behavior.

CSMon works with CSAuth to keep track of user accounts that are disabled for exceeding their failed attempts count maximum. If configured, CSMon provides immediate warning of brute force attacks by alerting the administrator that a large number of accounts have been disabled.

By default CSMon records exception events in logs both in the CSV file and Windows Event Log that you can use to diagnose problems. Optionally you can configure event notification via e-mail so that notification for exception events and outcomes includes the current state of Cisco Secure ACS at the time of the message transmission. The default notification method is simple mail-transfer protocol (SMTP) e-mail, but you can create scripts to enable other methods. However, if the event is a failure, CSMon takes the actions that are hard-coded when the triggering event is detected. If the event is a warning event, it is logged, the administrator is notified if it is configured, and no further action is taken. After a sequence of re-tries, CSMon also attempts to fix the cause of the failure and individual service restarts. It is possible to integrate custom-defined action with CSMon service, so that a user-defined action can be taken based on specific events.

Answering your query: This may be a brand new installation OR none of ACS services restarted lately so logs OR CSMON logging might have disabled under system configuration > Logging.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

arindam.b.chatterjee · ‎09-21-2013

Thanks for your reply but my concern is I am not able to view the current log , but able to view the old log . why this happens ?

Jatin Katyal · ‎09-21-2013

You could only see the logs on csmon if there is any service restarted recently. If you want to verify, try and restart some services in off hours. If you have replication or backup scheduled for sometime then take a look at that time because it does trigger few service to restart.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Jatin Katyal · ‎09-23-2013

DId you get a chance to restart the services and check active CSmon file?

Also make sure that csmon service is running fine.

In ACS windows go to start > run > services.msc

IN ACS appliance > access it via console/ssh and run "show"

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

ACS -current log file CSMonLog﻿ Active.csv is showing blank

ACS -current log file CSMonLog Active.csv is showing blank