06-13-2011 03:59 AM
Hello,
CS-ACS (CiscoSecure ACS v4.2) was configured to send "Failed Attempts" logs to CS-MARS (Appliance Product Version: 6.0.2).
ACS was added to MARS as a "Cisco Secure ACS SE 4.x" appliance.
TCPDUMP at the MARS CLI shows that MARS is receiving syslog traffic on port 514 from the ACS, but when I submit an inline query to determine whether events are being received from the Cisco Secure ACS, it shows an empty report.
Thanks a lot
06-13-2011 04:25 AM
Hi Eugen,
Could you try a query in real time with the option "Event raw messages"?
It is possible that it doesn't match correctly.
Best Regards
Antonio
06-13-2011 04:53 AM
Hi Antonio,
A real time query returns:
Event Type: Secure ACS Auth failed: password invalid
Reporting Device: ACS42
RAW Message:
<38>Jun 13 11:45:23 10.44.1.4 CisACS_02_FailedAuth nas0259t 1 0 Message-Type=Authen failed,User-Name=eugen,NAS-IP-Address=10.44.1.18,Authen-Failure-Code=ACS password invalid,Caller-ID=172.22.5.10,NAS-Port=tty1,Group-Name=Group 1 (NetAdmin - Full),
10.44.1.4 - ACS IP address
--------------------------------------------
I made rules that match the "Secure ACS Auth failed" Event Type, so MARS will announce when there are attempts with an invalid password or an unknown user.
Thank you.
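The raw message above shows the CiscoSecure ACS 4.x "Failed Attempts" syslog layout that MARS has to parse: a syslog priority, a timestamp, the ACS host, a message tag (CisACS_02_FailedAuth), three tokens before the body, and then comma-separated Attribute=Value pairs. The following Python is an added example, not code from the thread, Cisco ACS or MARS, showing how such records can be parsed and how a rule like the one described (alert on repeated "Authen failed" events per user and caller) can be expressed. The three tokens after the tag are treated as a message id, segment count and segment index; that reading is an assumption drawn from the sample line. The sample records other than the first, the user name "backdoor", the failure code "ACS user unknown" and the threshold value are constructed for the example.

```python
"""Parse CiscoSecure ACS 4.x failed-authentication syslog records and
apply a simple repeated-failure rule (added example, not ACS/MARS code)."""
import re
from collections import Counter

# Constructed sample input: the first record is the raw message quoted in
# the thread; the rest are invented variations to exercise the "unknown
# user", passed-auth and malformed cases.
SAMPLE_LOGS = [
    "<38>Jun 13 11:45:23 10.44.1.4 CisACS_02_FailedAuth nas0259t 1 0 "
    "Message-Type=Authen failed,User-Name=eugen,NAS-IP-Address=10.44.1.18,"
    "Authen-Failure-Code=ACS password invalid,Caller-ID=172.22.5.10,"
    "NAS-Port=tty1,Group-Name=Group 1 (NetAdmin - Full),",
    "<38>Jun 13 11:45:31 10.44.1.4 CisACS_02_FailedAuth nas0259u 1 0 "
    "Message-Type=Authen failed,User-Name=eugen,NAS-IP-Address=10.44.1.18,"
    "Authen-Failure-Code=ACS password invalid,Caller-ID=172.22.5.10,NAS-Port=tty1,",
    "<38>Jun 13 11:46:02 10.44.1.4 CisACS_02_FailedAuth nas0259v 1 0 "
    "Message-Type=Authen failed,User-Name=backdoor,NAS-IP-Address=10.44.1.18,"
    "Authen-Failure-Code=ACS user unknown,Caller-ID=172.22.5.10,NAS-Port=tty2,",
    "<38>Jun 13 11:46:40 10.44.1.4 CisACS_01_PassedAuth nas0259w 1 0 "
    "Message-Type=Authen OK,User-Name=eugen,NAS-IP-Address=10.44.1.18,"
    "Caller-ID=172.22.5.10,",
    "garbage that is not an ACS record",
]

# <PRI>Mmm dd hh:mm:ss <host> <tag> <msgid> <segments> <segment-no> <body>
# The msgid/segments/segment-no interpretation is assumed from the sample.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>CisACS_\d{2}_\w+) "
    r"(?P<msgid>\S+) (?P<segs>\d+) (?P<segno>\d+) "
    r"(?P<body>.*)$"
)


def parse_acs_syslog(line):
    """Return a dict for one ACS syslog record, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {}
    # Body is "Key=Value,Key=Value,..." with a trailing comma; split on the
    # first "=" only so values containing "=" survive.
    for item in m.group("body").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return {
        "facility": pri // 8,   # 38 -> facility 4 (auth)
        "severity": pri % 8,    # 38 -> severity 6 (info)
        "timestamp": m.group("ts"),
        "reporting_device": m.group("host"),
        "tag": m.group("tag"),
        "message_id": m.group("msgid"),
        "fields": fields,
    }


def is_auth_failure(rec):
    """True for FailedAuth records whose Message-Type says authentication failed."""
    return (
        rec is not None
        and rec["tag"] == "CisACS_02_FailedAuth"
        and rec["fields"].get("Message-Type") == "Authen failed"
    )


def failed_auth_report(lines, threshold=2):
    """Count failures per (User-Name, Caller-ID, Authen-Failure-Code) and
    return (counts, keys that reached the threshold). The threshold stands
    in for the rule's occurrence count and is an assumed value."""
    counts = Counter()
    for line in lines:
        rec = parse_acs_syslog(line)
        if is_auth_failure(rec):
            f = rec["fields"]
            key = (f.get("User-Name"), f.get("Caller-ID"), f.get("Authen-Failure-Code"))
            counts[key] += 1
    alerts = sorted(k for k, n in counts.items() if n >= threshold)
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = failed_auth_report(SAMPLE_LOGS)
    for key, n in counts.items():
        print(n, key)
    print("alerts:", alerts)
```

Splitting on the full "Message-Type" value rather than on the tag alone is deliberate: CisACS_02_FailedAuth also carries non-credential failures (for example NAS or policy errors), so a rule keyed on the failure code lets invalid-password and unknown-user attempts be reported separately, as the thread's rule intends.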
06-13-2011 06:03 AM
You are welcome Eugen.
Regards