
Logging and monitoring in cisco ACS 5.3 cluster

Hi,

 

Recently I created an ACS cluster, and after that I am not able to get the logs of devices getting authenticated with the secondary ACS.

Logs are available only for primary ACS authentications.

 

I understand that the logs can be stored on only the primary or the secondary ACS in the cluster, but what about the logs of devices getting authenticated with the secondary ACS?

 

Please advise.

 

 

10 Replies

marco.merlo
Level 1

Please check if log collector role is properly configured in the deployment:

log to primary ACS 

System Administration->Configuration->Log Configuration->Log Collector.

Take a look at "Current Log Collector server" and be sure that one of the deployed ACS servers has been selected as log collector.

If your deployment is based on N nodes there are N+1 possible values: any of the N deployed ACS or "No Log Collector".

Please note I can't remember whether choosing a log collector implies an ACS process restart or not.

Regards

MM

p.s.

*****both primary and secondary ACSs can act as log collector*****.

Dear Marco,

 

Thank you for your response.

 

I can see the primary ACS is selected as log collector, but still I don't see any logs for those devices which are getting authenticated to the secondary ACS.

Weird issue, I see.

In my deployment actually the Secondary ACS is the log collector.

Did you take a look at

System Administration->Configuration->Log Configuration->Log Collector

on Secondary ACS as well?

Just to check if configurations are properly synchronised.

Are the two ACSs on the same network or is there any firewall between them?

Regards

MM

 


Dear Marco,

 

I have checked on the secondary ACS and it shows the log collector as the primary ACS, and if I try to open the monitoring window in the secondary ACS it redirects me to the primary ACS.

Hi,

log messages are sent to the log collector on UDP port 20514.

Do you have any chance to check whether such traffic is allowed between the two devices?

Unfortunately the "tech dumptcp" command in version 5.3 does not allow you to set any of the tcpdump options, so it will be quite hard to understand whether such packets are leaving and reaching the devices without the help of a SPAN session.
Regards
MM

Dear Marco,

 

The access is allowed for port 20514 bidirectionally.

I verified by doing a telnet from the secondary ACS to the primary ACS, but this will be a TCP port verification.

On the UDP port in the access list I don't see any hits.

Any suggestions?
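A telnet test only exercises TCP, so it says nothing about whether UDP 20514 actually passes the firewall. The following is an added example (not from this thread and not Cisco ACS code) of a loopback-capable UDP path check: one side binds the collector port like a log collector would, the other emits a single datagram like a sending node would; the addresses, payload and loopback self-test are assumptions, and it is meant to run on ordinary hosts placed on each side of the firewall rule, not on the ACS appliances.

```python
import socket
import threading

# Port the thread identifies for ACS log-collector traffic (UDP).
LOG_COLLECTOR_PORT = 20514


def recv_one_datagram(bind_addr, port, ready, result, timeout=3.0):
    """Collector-side role: bind the UDP port, wait for one datagram, record it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind((bind_addr, port))
        ready.set()                      # tell the sender it is safe to transmit
        data, peer = sock.recvfrom(4096)
        result["data"], result["peer"] = data, peer
    except (socket.timeout, OSError):
        ready.set()                      # bind failed or nothing arrived in time
        result["data"] = None
    finally:
        sock.close()


def send_probe(host, port, payload):
    """Sender-side role: emit one UDP datagram. UDP has no handshake, so a
    successful sendto() proves nothing; only the receiver can confirm arrival."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(payload, (host, port))
    finally:
        sock.close()


def udp_path_check(listen_addr, send_to, port=LOG_COLLECTOR_PORT,
                   send_port=None, payload=b"<14>udp-path-probe"):
    """Run listener and sender together; True only if the exact datagram arrived.
    send_port lets a caller deliberately target a different port (negative test)."""
    ready, result = threading.Event(), {}
    worker = threading.Thread(target=recv_one_datagram,
                              args=(listen_addr, port, ready, result))
    worker.start()
    ready.wait(2.0)
    send_probe(send_to, send_port if send_port is not None else port, payload)
    worker.join()
    return result.get("data") == payload


if __name__ == "__main__":
    # Constructed loopback self-test; in practice run listener and sender on separate hosts.
    ok = udp_path_check("127.0.0.1", "127.0.0.1")
    print("UDP 20514 path ok" if ok else "no datagram received (filtered or dropped)")
```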

 

So the secondary ACS is not sending syslogs to the log collector...

In my deployment there is a per-instance configured log item that points to the log collector IP. I think such an item is automatically configured while choosing the log collector (see attachment). Did you check this item on the secondary ACS?

Did you try to switch the log collector from primary to secondary?

 

Regards

MM

 

 

Dear Marco,

 

I see exactly the same output as yours; the secondary is configured to send logs to the primary.

 

I have not tried to switch the log collector role. Is there any other way to check, other than trying the log role switchover?

Dear Marco,

 

Thank you for all the efforts and help.

I found the issue, and the logs from the secondary ACS are now reflected on the primary ACS.

Cause: For some reason the port (20514) which is used for sending logs was denied on the firewall even though it was allowed. I did not suspect this to be an issue all this time because other ports are also added in the same group and all are working. Now I allowed this specific port again in a separate entry and it started working.

 

 

Sometimes firewalls, Cisco's ones in particular, are funny guys.... ;-)