ON THIS PAGE
Cisco ACS
The Cisco ACS DSM for JSA accepts syslog ACS events by using syslog and UDP mutliline.
JSA records all relevant and available information from the event. You can integrate Cisco ACS with JSA by using one of the following methods:
-
Configure your Cisco ACS device to directly send syslog to JSA for Cisco ACS v5.x. See Configuring Syslog for Cisco ACS V5.x.
-
Configure your Cisco ACS device to directly send syslog to JSA for Cisco ACS v4.x. See Configuring Syslog for Cisco ACS V4.x.
-
Configure your Cisco ACS device to directly send UDP multiline syslog to JSA. See Protocol Configuration Options.
Configuring Syslog for Cisco ACS V5.x
The configuration of syslog forwarding from a Cisco ACS appliance with software version 5.x involves several steps.
You must complete the following tasks:
-
Create a Remote Log Target
-
Configure global logging categories
-
Configure a log source
Creating a Remote Log Target
Creating a remote log target for your Cisco ACS appliance.
-
Log in to your Cisco ACS appliance.
-
On the navigation menu, click System Administration >Configuration >Log Configuration >Remote Log Targets.
-
The Remote Log Targets page is displayed.
-
Click Create.
Configure the following parameters:
Table 1: Remote Target Parameters Parameter
Description
Name
Type a name for the remote syslog target.
Description
Type a description for the remote syslog target.
Type
Select Syslog.
IP address
Type the IP address of JSA or your Event Collector.
-
Click Submit.
You are now ready to configure global policies for event logging on your Cisco ACS appliance.
Configuring Global Logging Categories
To configure Cisco ACS to forward log failed attempts to JSA:
-
On the navigation menu, click System Administration >Configuration >Log Configuration >Global.
The Logging Categories window is displayed.
-
Select the Failed Attempts logging category and click Edit.
-
Click Remote Syslog Target.
-
From the Available targets window, use the arrow key to move the syslog target for JSA to the Selected targets window.
-
Click Submit.
You are now ready to configure the log source in JSA.
Syslog Log Source Parameters for Cisco ACS v5.x
If JSA does not automatically detect the log source, add a Cisco ACS v5.x log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Cisco ACS v5.x:
|
Parameter |
Value |
|---|---|
|
Log Source type |
Cisco ACS |
|
Protocol Configuration |
Syslog |
|
Log Source Identifier |
Type the IP address or hostname for the log source. The identifier helps you determine which events came from your Cisco ACS appliance. |
Configuring Syslog for Cisco ACS V4.x
The configuration of syslog forwarding from a Cisco ACS appliance with software version 4.x involves a few steps.
Complete the following steps:
-
Configure syslog forwarding
-
Configure a log source
Configuring Syslog Forwarding for Cisco ACS V4.x
Configuration of an ACS device to forward syslog events to JSA.
Take the following steps to configure the ACS device to forward syslog events to JSA
-
Log in to your Cisco ACS device.
-
On the navigation menu, click System Configuration.
The System Configuration page opens.
-
Click Logging.
The logging configuration is displayed.
-
In the Syslog column for Failed Attempts, click Configure.
The Enable Logging window is displayed.
-
Select the Log to Syslog Failed Attempts report check box.
-
Add the following Logged Attributes:
-
Message-Type
-
User-Name
-
Nas-IP-Address
-
Authen-Failure-Code
-
Caller-ID
-
NAS-Port
-
Author-Data
-
Group-Name
-
Filter Information
-
Logged Remotely
-
-
Configure the following syslog parameters:
Table 3: Syslog Parameters Parameter
Description
IP
Type the IP address of JSA.
Port
Type the syslog port number of JSA. The default is port 514.
Max message length (Bytes) - Type
Type 1024 as the maximum syslog message length.
Note:Cisco ACS provides syslog report information for a maximum of two syslog servers.
-
Click Submit.
You are now ready to configure the log source in JSA.
Syslog Log Source Parameters for Cisco ACS v4.x
If JSA does not automatically detect the log source, add a Cisco ACS v4.x log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Cisco ACS v4.x:
|
Parameter |
Value |
|---|---|
|
Log Source type |
Cisco ACS |
|
Protocol Configuration |
Syslog |
|
Log Source Identifier |
Type the IP address or hostname for the log source. The identifier helps you determine which events came from your Cisco ACS appliance. |
UDP Multiline Syslog Log Source Parameters for Cisco ACS
The Cisco ACS DSM for JSA accepts syslog events from Cisco ACS appliances with log sources that are configured to use the UDP Multiline Syslog protocol.
If JSA does not automatically detect the log source, add a Cisco ACS log source on the JSA Console by using the UDP Multiline syslog protocol.
The following table describes the parameters that require specific values to collect UDP Multiline syslog events from Cisco ACS:
|
Parameter |
Description |
|---|---|
|
Log Source type |
Cisco ACS |
|
Protocol Configuration |
UDP Multiline Syslog |
|
Log Source Identifier |
The Packet IP address of the source data. If you select Show Advanced options and you select the Use As A Gateway Log Source option, the Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Cisco ACS log source that is configured, you might want to identify the first log source as ciscoacs1, the second log source as ciscoacs2, and the third log source as ciscoacs3. |
|
Listen Port |
The default port number that is used by JSA to accept incoming UDP Multiline Syslog events is 517. You can use a different port. The valid port range is 1 - 65535. |
|
Message ID Pattern |
\s(\d{10})\s |
|
Event Formatter |
Select Cisco ACS Multiline from the list. |
Cisco ACS Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cisco ACS Sample Message when you use the Syslog Protocol
The following sample event is a passed authentication event.
<181>Jul 22 06:43:25 cisco.acs.test CSCOacs_Passed_Authentications 0082331393 3 0 2017-07-22 06:43:25.226 +00:00 1076613766 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-192.168.0.1-B.462.x86_64, ConfigVersionId=149, Device IP Address=10.129.16.29, DestinationIPAddress=10.20.64.165, DestinationPort=49, UserName=qradar_user1 Protocol=Tacacs, RequestLatency=6, Type=Authorization, Privilege-Level=0, Authen-Type=PAP, Service=PPP, User=qradar_user1 Port=ssh, Authen-Method=TacacsPlus, Service- Argument=ppp, Protocol-Argument=ip, AcsSessionID=qradar/266281348/80642976, AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=F5-RW, IdentityGroup=IdentityGroup:All Groups:Network Admin, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24367 , Step=24367 , Step=24323 , Step=24326 , Step=24327 , Step=24351 , Step=24420 ,
|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
Passed_Authentications |
|
Source IP |
10.129.16.29 |
|
Destination IP |
10.20.64.165 |
|
Destination Port |
49 |
|
Username |
qradar_user1 |