04-19-2018 01:40 PM - edited 03-12-2019 05:13 AM
Hi all,
I need help regarding creating a customized threshold for command accounting.
For example, if one of my engineers allows a rule on the ASA for source any, destination any and service IP, or one of the three matches is triggered from source, destination and service (any any service IP),
ACS sends the alert.
Help me out and guide me on how to create the alert on ACS.
04-20-2018 10:52 AM
Hi,
Can anyone kindly help me out,
so we can catch the culprit who is allowing the rule or editing the rule?
04-20-2018 11:45 AM
You should be able to do this with Alarm Thresholds, that is if you have accounting configured on your network equipment already.
In the ACS GUI:
1. go to Monitoring and Reports > Launch Monitor and Report Viewer
2. now go to Alarms > Thresholds
3. click "Create"
4. General tab: Enter a meaningful name
5. Criteria tab: from the dropdown under Category select TACACS Command Accounting
6. in the Command box enter the command you want the alarm to trigger on
7. in the Device IP box enter the IP of the device you want this to apply to.
8. under Notifications tab enter the email address you want the alert sent to.
If you have several ACLs you want the alarm on, I believe you would need to configure an alarm for each one.
Some reading material
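The same check can also be run offline over exported command accounting records, which covers all three fields the question asks about in one pass. This is an added example, not part of the thread or of ACS; the key=value record layout, the sample records and the function names are constructed assumptions.

```python
import re

# Constructed accounting records; this key=value layout is an assumption,
# not the format ACS itself writes.
SAMPLE_LOG = """\
user=jdoe device=10.1.1.1 cmd=access-list OUTSIDE_IN extended permit ip any any
user=asmith device=10.1.1.1 cmd=access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
user=jdoe device=10.1.1.2 cmd=access-list DMZ line 3 extended permit ip 10.0.0.0 255.0.0.0 198.51.100.0 255.255.255.0
user=bob device=10.1.1.1 cmd=show running-config access-list
user=bob device=10.1.1.1 cmd=access-list INSIDE extended deny ip any any
"""

RECORD = re.compile(r"user=(\S+) device=(\S+) cmd=(.*)")
PERMIT = re.compile(r"access-list \S+(?: line \d+)?(?: extended)? permit (.+)")
ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}

def take_addr(tokens):
    """Consume one ASA address spec; return (is_any, remaining_tokens)."""
    if tokens and tokens[0] in ANY:
        return True, tokens[1:]
    if tokens and "/" in tokens[0]:          # IPv6 prefix is a single token
        return False, tokens[1:]
    return False, tokens[2:]                 # host A / object N / address mask

def open_fields(cmd):
    """List which of service, source, destination are wide open in a permit ACE."""
    m = PERMIT.match(cmd.strip())
    if not m:
        return []
    t = m.group(1).split()
    hits = ["service ip"] if t[0] == "ip" else []
    t = t[2:] if t[0] in ("object", "object-group") else t[1:]
    src_any, t = take_addr(t)
    if t and t[0] in PORT_OPS:               # optional source-port clause
        t = t[PORT_OPS[t[0]]:]
    dst_any, _ = take_addr(t)
    return hits + ["source any"] * src_any + ["destination any"] * dst_any

def findings(log):
    """Return (user, device, open_fields) for every record worth an alert."""
    out = []
    for line in log.splitlines():
        rec = RECORD.match(line)
        if rec and open_fields(rec.group(3)):
            out.append((rec.group(1), rec.group(2), open_fields(rec.group(3))))
    return out

if __name__ == "__main__":
    for user, device, fields in findings(SAMPLE_LOG):
        print(f"ALERT {user} on {device}: {', '.join(fields)}")
```

Deny entries and show commands are ignored, so only permit rules that leave at least one of the three fields open are attributed to a user and device.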