
ACS 5.4 backup status in syslog

rob.schieron
Level 1

Have raised a TAC for this but thought I'd post here too.

We are running ACS v5.4 Patch 1.

We have noticed that ACS will not produce syslog messages about scheduled backups (success or failure).

(1) From the GUI, under “System Administration > Configuration > Log Configuration > Remote Log Targets”, we have configured a remote syslog host.

(2) Then, each logging category under “System Administration > Configuration > Log Configuration > Logging Categories > Global”, we have configured everything to log to the remote target.

(3) However, no messages regarding successful or failed backups ever arrive via syslog.

Backup status can be checked by running “show backup history” from the CLI. 

However, syslog communication between ACSView and ACS shows backup status OK.

You can find backup information in ACS View under:

Monitoring & Reports > Reports > Catalog > ACS Instance > ACS Operations Audit

We have one quite simple requirement – that ACS produces syslog messages stating backup success and failure.  This will drive our alarm system.

Has anyone else got this to work?

Pretty simple request - backup success/failure in syslog messages!

Forcing the output of ade.log to syslog would also do it.  Would rather not hack around under the covers with root patch though.

Cheers!

2 Replies

Jatin Katyal
Cisco Employee

Hi Rob,

I was going through your requirement and that seems to be an important notification. If we look at the ACS 5.4 guide under logging categories, it does talk about ACS operational changes—Logs all operations requested by administrators, including promoting an ACS from your deployment as the primary, requesting a full replication, performing software downloads, doing a backup or restore, generating and restoring PACs, and so on.

Administrative and operational audit log messages are always sent to the local store, and you can also send them to remote syslog server and Monitoring and Reports server targets.

Log messages are sent to the local store with this syslog message format:

time stamp sequence_num msg_code msg_sev msg_class msg_text attr=value

Log target and logging categories.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/logging.html#wp1052656

Since you've configured ACS logging categories to log everything, it should work fine. Can you see the same success or failure message under the local store logs of ACS? If we can see it there, it means ACS is sending it; after that we can check the log forwarder file and run a packet capture on the syslog server.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
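
One way to run the local-store check suggested in the reply above, using the message layout it quotes. This is an added example, not part of the thread and not Cisco's code; the timestamp layout, the delimiters, the `parse_line` and `backup_events` names and every sample line are assumptions constructed for illustration.

```python
import re

# Layout quoted above: time stamp sequence_num msg_code msg_sev msg_class msg_text attr=value
# Assumed here: space-separated header fields, msg_class ending in ':', and
# comma-separated attr=value pairs following msg_text.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>[A-Z]+) "
    r"(?P<msg_class>[^:]+): (?P<rest>.*)$"
)

def parse_line(line):
    """Split one line into the documented fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    text_parts, attrs = [], {}
    for part in rec.pop("rest").split(","):
        part = part.strip()
        key, sep, value = part.partition("=")
        if sep and re.fullmatch(r"[\w.-]+", key):
            attrs[key] = value
        elif part and not attrs:  # free text before the first attr=value pair
            text_parts.append(part)
    rec["msg_text"], rec["attrs"] = ", ".join(text_parts), attrs
    return rec

def backup_events(lines):
    """Return (timestamp, msg_code, status) for every backup-related record."""
    events = []
    for rec in filter(None, map(parse_line, lines)):
        haystack = " ".join([rec["msg_text"], *rec["attrs"].values()]).lower()
        if "backup" not in haystack:
            continue
        failed = "fail" in haystack
        succeeded = "success" in haystack or "succeed" in haystack
        status = "failure" if failed else "success" if succeeded else "unknown"
        events.append((rec["timestamp"], rec["msg_code"], status))
    return events

# Constructed sample lines (message codes, classes and texts are placeholders).
SAMPLE = [
    "2014-03-02 01:00:07.412 +00:00 0000004211 99901 NOTICE ACS-Operations: Scheduled backup completed successfully, Repository=repo1, ACSInstance=acs01",
    "2014-03-03 01:00:09.118 +00:00 0000004377 99902 ERROR ACS-Operations: Scheduled backup failed, Repository=repo1, ACSInstance=acs01",
    "2014-03-03 08:14:55.030 +00:00 0000004391 99903 INFO Administrator-Login: Administrator logged in, AdminName=admin1",
    "garbage line that does not follow the layout",
]
```

An empty result from `backup_events` over a real local-store export would mean the backup event is not being logged at all, which separates that case from a forwarding problem towards the remote target.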

This problem continues in ACS 5.6. I followed the recommendations but the message is never sent to the remote syslog server.

I resolved this via the CLI. I replaced "logging local" with "logging 10.200.75.20", where 10.200.75.20 is the IP address of my remote syslog server.

Now I can see the MSGCATnnn, logger and ADE-Service syslog messages.
