I was wondering what happens when the log collector fails in a primary-secondary setup.
The log collector will remain down until the server is back.
If the secondary has the primary as its log collector and the primary is down, no logs will be available during that period.
I suggest pointing it to itself as log collector, so that way both will be log collectors and both will share the information.
So if I understand you correctly, there's actually no way that the log collector moves to another ACS instance in a distributed deployment, right? So in case of a longer outage of my log collector, I have to manually choose another ACS instance for logging. But until I've done this, I'm completely blind about what's going on in the network (right?)
Sounds like there is much room for improvement.... :-)
When the log collector is down authentications will succeed but the logs don't come back when the log collector comes back up. Essentially the logs get logged locally to a file on the system but there is no way to retrieve them and they don't sync down when the log collector comes back.
We already have an enhancement bug filed, CSCth66492, to change this behavior and sync those logs to the log collector when it recovers.
Looks like this got fixed in ACS 5.3.
I'm reading bug details (CSCth66492).
I'm using ACS 5.4 with the last patch. I have two instances: one primary and one secondary.
Primary instance is configured as log collector.
When the primary instance fails, devices continue to authenticate successfully on the secondary instance but, when the primary comes back, I'm not able to find any authentication logs operated from the secondary. I'm using RADIUS to test this.
From ACS 5.3 release notes.
View Log Message Recovery
ACS 5.3 provides a new feature to recover any logs that are missed when the view is down. ACS collects these missed logs and stores them in its database.
Using this feature, you can retrieve the missed logs from the ACS database to the view database after the view is up.
To use this feature, you must set the Log Message Recovery Configuration as on. For more details on configuring the View Log Message Recovery, see User Guide for Cisco Secure Access Control System 5.3.
This feature must be enabled under Monitoring and Reports, Launch Monitoring & Report Viewer. Then Monitoring Configuration, System Operations and Log Message Recovery.
Enable “Log to Local Target” for categories under System Administration > Configuration > Log Configuration > Logging Categories > Global.
Hope this helps.
Our ACS was in a deployment; the secondary ACS was working as the log collector.
Now we want to power off the secondary ACS server, and we have already made the primary ACS the log collector as well.
Our requirement is to transfer all log files from the secondary ACS to the primary one, so that we can see all older logs on the primary ACS if required.
So please share any known process for the same.