
Integrate Cisco ACS Syslog reports with SolarWinds LEM

Created by Aileen de Lara, last modified by MindTouch on Jun 23, 2016


Overview

This article provides steps to integrate Cisco ACS Syslog Reports with SolarWinds LEM.

You can integrate Cisco ACS with your SolarWinds LEM appliance to allow Cisco ACS logs to be stored on your LEM database and displayed as normalized Alerts in your LEM Console. 

Environment

  • All LEM versions
  • Cisco Secure ACS version 4.1 or later

Steps

This involves two main steps:

I. Configuring Logging on your Cisco ACS server

Note: The first step in integrating Cisco ACS with SolarWinds LEM is to configure the recommended logging on the Cisco ACS server.

To configure syslog reporting on Cisco ACS version 4.1 or later:

  1. Log in to your CiscoSecure ACS web console.
  2. On the left navigation pane, click System Configuration.
  3. On the System Configuration page, click Logging.
  4. On the Logging Configuration page, click Configure in the Syslog column next to Failed Attempts.
  5. On the Syslog Failed Attempts File Configuration page, check Log to Syslog Failed Attempts report under Enable Logging.
  6. Under Select Columns to Log, move the appropriate attributes from the Attributes column to the Logged Attributes column by selecting them and clicking the -> button.
    Note: The attributes that are necessary for LEM integration are listed in the tables below.
  7. Under Syslog Servers, enter the following information for your LEM Manager:
    • IP: LEM Manager IP Address.
    • Port: 514.
    • Max message length (Bytes): Leave this field blank.
  8. Click Submit.
  9. Repeat the steps above for each of these reports:
    • Passed Authentication
    • RADIUS Accounting
    • TACACS+ Accounting
    • TACACS+ Administration
    • VoIP Accounting

 

II. Configuring LEM Manager

The next step in integrating Cisco ACS with SolarWinds LEM is to configure the Cisco Secure ACS 4.1 Syslog tool on your LEM Manager.

To configure the Cisco Secure ACS 4.1 Syslog tool on your LEM Manager:

  1. Open your LEM Console and log in to your LEM Manager in the Manage > Appliances view.
  2. Click the gear icon next to your LEM Manager (left), and select Tools.
  3. In the Tool Configuration window, enter ACS in the search box under Refine Results.
  4. Click the gear icon next to the Cisco Secure ACS 4.1 Syslog tool, and select New.
  5. Replace the Alias value with a custom Tool Alias, or accept the default.
  6. Leave the remaining values at their default unless your LEM implementation warrants otherwise. For more information, see "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data."
  7. Click Save.
  8. Next to the tool you just configured, click the gear icon, and then click Start. When the tool starts properly, its Status icon will turn green.

You will now begin to see alerts from your Cisco ACS device in your LEM Console. You can use the default All Alerts filter for this, or you can configure a custom filter to display all alerts with a ToolAlias value equal to the value you entered in Step 5.

 

Tables of ACS Report attributes by Report

The following tables list each of the report attributes needed for each ACS report that can be normalized by the Cisco ACS tool for SolarWinds LEM:

 

Failed Attempts Report Attributes

  • Message-Type
  • User-Name
  • Group-Name
  • Caller-ID
  • Authen-Failure-Code
  • Author-Failure-Code
  • Author-Data
  • NAS-Port
  • NAS-IP-Address

Passed Authentication Report Attributes

  • Message-Type
  • User-Name
  • Group-Name
  • Caller-ID
  • NAS-Port
  • NAS-IP-Address
  • Filter Information
  • Network Access Profile Name
  • Shared RAC
  • Downloadable ACL
  • System-Posture-Assessment
  • Application-Posture-Assessment
  • Reason
  • EAP Type
  • EAP Type Name

RADIUS Accounting Report Attributes

  • User-Name
  • Group-Name
  • Calling-Station-Id
  • Acct-Status-Type
  • Acct-Session-Id
  • Acct-Session-Time
  • Service-Type
  • Framed-Protocol
  • Acct-Input-Octets
  • Acct-Output-Octets
  • Acct-Input-Packets
  • Acct-Output-Packets
  • Framed-IP-Address
  • NAS-Port
  • NAS-IP-Address
  • cisco-av-pair
  • Login-IP-Host
  • Login-Service

TACACS+ Accounting Report Attributes

  • User-Name
  • Group-Name
  • Caller-Id
  • Acct-Flags
  • elapsed_time
  • service
  • bytes_in
  • bytes_out
  • paks_in
  • paks_out
  • task_id
  • addr
  • NAS-Portname
  • NAS-IP-Address
  • cmd

TACACS+ Administration Report Attributes

  • User-Name
  • Group-Name
  • cmd
  • priv-lvl
  • service
  • NAS-Portname
  • task_id
  • NAS-IP-Address
  • reason

VoIP Accounting Report Attributes

  • Call Leg Setup Time
  • Gateway Identifier
  • Connection Id
  • Call Leg Direction
  • Call Leg Type
  • Call Leg Connect Time
  • Call Leg Disconnect Time
  • Call Leg Disconnect Cause
  • Remote Gateway IP Address
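
One way to confirm that step 6 of the ACS logging procedure was completed for each report is to check a sample of forwarded syslog messages against the attribute tables above. The following is an added example, not SolarWinds or Cisco code. It assumes that each message carries a report tag in its header followed by comma-separated Name=Value pairs; the tag strings and the sample messages are assumptions, so confirm them against messages from your own ACS server.

```python
import re
from collections import defaultdict

# Attributes the LEM connector needs, copied from the tables on this page.
# Two reports are shown; add the other four the same way.
REQUIRED = {
    "Failed Attempts": ["Message-Type", "User-Name", "Group-Name", "Caller-ID",
                        "Authen-Failure-Code", "Author-Failure-Code",
                        "Author-Data", "NAS-Port", "NAS-IP-Address"],
    "TACACS+ Administration": ["User-Name", "Group-Name", "cmd", "priv-lvl",
                               "service", "NAS-Portname", "task_id",
                               "NAS-IP-Address", "reason"],
}

# ASSUMPTION: each report is identified by a tag in the syslog header.
# Confirm the tag strings against messages from your own ACS server.
TAG_TO_REPORT = {
    "CisACS_02_FailedAuth": "Failed Attempts",
    "CisACS_05_TACACSAdmin": "TACACS+ Administration",
}

def has_attribute(message, name):
    """True if `name=` starts a pair (after a space or comma) in the message."""
    return re.search(r"(?:^|[ ,])" + re.escape(name) + "=", message) is not None

def missing_attributes(lines):
    """Map report -> sorted required attributes never seen in its messages."""
    seen = defaultdict(set)
    for line in lines:
        for tag, report in TAG_TO_REPORT.items():
            if tag in line:
                # Union across messages: one message need not carry every attribute.
                seen[report] |= {a for a in REQUIRED[report] if has_attribute(line, a)}
    return {r: sorted(set(REQUIRED[r]) - seen[r]) for r in REQUIRED}

# Constructed sample messages (not captured from a real device).
SAMPLE = [
    "<38>Jun 22 20:02:11 10.0.0.5 CisACS_02_FailedAuth 1a2b3c 1 0 "
    "Message-Type=Authen failed,User-Name=jdoe,Group-Name=Default Group,"
    "Caller-ID=10.0.0.9,Authen-Failure-Code=CS password invalid,"
    "NAS-Port=tty1,NAS-IP-Address=10.0.0.1",
    "<38>Jun 22 20:03:40 10.0.0.5 CisACS_05_TACACSAdmin 1a2b3d 1 0 "
    "User-Name=admin,Group-Name=NetOps,cmd=show running-config,priv-lvl=15,"
    "service=shell,NAS-Portname=tty2,task_id=42,NAS-IP-Address=10.0.0.1,reason=",
]

if __name__ == "__main__":
    for report, missing in missing_attributes(SAMPLE).items():
        print(report, "->", missing or "all required attributes present")
```

A report that returns its full attribute list was never seen in the sample at all, which points to that report not being enabled for syslog or not reaching the collector.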

 

Last modified
20:02, 22 Jun 2016
