Cisco Acs 5x User Guide
18-27 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 18 Managing System Administration Configurations Configuring Logs

Table 18-22 Administrative and Operational Logs Not Logged in the Local Target (continued)

Category: Software-Management
Log and Description:
    ACS_UPGRADE—ACS upgraded
    ACS_PATCH—ACS patch installed
    UPGRADE_SCHEMA_CHANGE—ACS schema upgrade complete
    UPGRADE_DICTIONARY—ACS dictionary upgrade complete
    UPGRADE_DATA_MANIPULATION—ACS upgrade - data manipulation stage complete
    UPGRADE_AAC—ACS AAC upgrade complete
    UPGRADE_PKI—ACS PKI upgrade complete
    UPGRADE_VIEW—ACS View upgrade complete
    CLI_ACS_UPGRADE—ACS upgrade started
    CLI_ACS_INSTALL—ACS install started

Category: System-Management
Log and Description:
    ACS_MIGRATION_INTERFACE—ACS migration interface enabled/disabled
    ACS_ADMIN_PSWD_RESET—ACS administrator password reset
    CLI_CLOCK_SET—Clock set
    CLI_TZ_SET—Time zone set
    CLI_NTP_SET—NTP Server set
    CLI_HOSTNAME_SET—Hostname set
    CLI_IPADDRESS_SET—IP address set
    CLI_IPADDRESS_STATE—IP address state
    CLI_DEFAULT_GATEWAY—Default gateway set
    CLI_NAME_SERVER—Name server set
    ADEOS_XFER_LIBERROR—ADE OS Xfer library error
    ADEOS_INSTALL_LIBERROR—ADE OS install library error
    AD_JOIN_ERROR—AD agent failed to join AD domain
    AD_JOIN_DOMAIN—AD agent joined AD domain
    AD_LEAVE_DOMAIN—AD agent left AD domain
    IMPORT_EXPORT_PROCESS_ABORTED—Import/Export process aborted
    IMPORT_EXPORT_PROCESS_STARTED—Import/Export process started
    IMPORT_EXPORT_PROCESS_COMPLETED—Import/Export process completed
    IMPORT_EXPORT_PROCESS_ERROR—Error while Import/Export process

Related Topics
    Configuring Per-Instance Logging Categories, page 18-29
    Viewing ADE-OS Logs, page 18-28
Viewing ADE-OS Logs

The logs listed in Table 18-22 are written to the ADE-OS logs. From the ACS CLI, you can use the following command to view the ADE-OS logs:

    show logging system

This command lists all the ADE-OS logs, and your output would be similar to the following example.

    Sep 29 23:24:15 cd-acs5-13-179 sshd(pam_unix)[20013]: 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
    Sep 29 23:24:34 cd-acs5-13-179 sshd(pam_unix)[20017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
    Sep 29 23:24:36 cd-acs5-13-179 sshd[20017]: Failed password for admin from 10.77.137.95 port 3635 ssh2
    Sep 30 00:47:44 cd-acs5-13-179 sshd(pam_unix)[20946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
    Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 port 3953 ssh2
    Sep 30 00:54:59 cd-acs5-13-179 sshd(pam_unix)[21028]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
    Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 port 3962 ssh2
    Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
    Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 port 3962 ssh2
    Sep 30 00:55:39 cd-acs5-13-179 sshd(pam_unix)[21038]: session opened for user admin by (uid=0)
    Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
    Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
    Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[118] [admin]: Invoked carsGetConsoleConfig
    Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: [21043]: utils: cars_shellcfg.c[135] [admin]: No Config file, returning defaults
    Sep 30 01:22:20 cd-acs5-13-179 sshd[21038]: Received disconnect from 10.77.137.95: 11: Connection discarded by broker
    Sep 30 01:22:20 cd-acs5-13-179 sshd(pam_unix)[21038]: session closed for user admin
    Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
    Sep 30 01:22:22 cd-acs5-13-179 debugd[2597]: successfully loaded debug config
    Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 port 4527 ssh2
    Sep 30 02:48:54 cd-acs5-13-179 sshd(pam_unix)[22504]: session opened for user admin by (uid=0)
    Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
    Sep 30 02:48:55 cd-acs5-13-179 debugd[2597]: successfully loaded debug config

You can view the logs grouped by the module that they belong to. For example, the monitoring and troubleshooting logs contain the string MSGCAT and the debug logs contain the string debug. From the ACS CLI, you can enter the following two commands to view the monitoring and troubleshooting logs and the administrative logs respectively:

    show logging system | include MSGCAT
    show logging system | include debug

The output of show logging system | include MSGCAT would be similar to:

    Sep 27 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
    Sep 28 13:00:03 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
    Sep 29 06:28:17 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 8363
    Sep 29 06:28:28 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
    Sep 29 06:31:41 cd-acs5-13-103 MSGCAT58037/admin: Installing ACS
    Sep 29 09:52:35 cd-acs5-13-103 MSGCAT58007: Killing Tomcat 32729
    Sep 29 09:52:46 cd-acs5-13-103 MSGCAT58004/admin: ACS Stopped
    Sep 29 09:53:29 cd-acs5-13-103 MSGCAT58004/admin: ACS Starting
    Sep 29 10:37:45 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
    Sep 29 13:00:02 cd-acs5-13-103 MSGCAT58010/root: info:[ACS backup] ACS backup completed
    Sep 29 13:56:36 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
    Sep 29 13:57:02 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration disable
    Sep 29 13:57:25 cd-acs5-13-103 MSGCAT58018/admin: [ACS-modify-migration-state] completed successfully - interface migration enable
    Sep 30 10:57:10 cd-acs5-13-103 MSGCAT58010/admin: info:[ACS backup] ACS backup completed

For more information on the show logging command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1917127.

Configuring Per-Instance Logging Categories

You can define a custom logging category configuration for specific, overridden ACS instances, or return all instances to the default global logging category configuration.

To view and configure per-instance logging categories:

Step 1  Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance.
        The Per-Instance page appears; from here, you can view the individual ACS instances of your deployment.

Step 2  Click the radio button associated with the name of the ACS instance you want to configure, and choose one of these options:
        - Click Override to override the current logging category configuration for selected ACS instances.
        - Click Configure to display the Logging Categories page associated with the ACS instance. You can then edit the logging categories for the ACS instance. See Displaying Logging Categories, page 18-32 for field descriptions.
        - Click Restore to Global to restore selected ACS instances to the default global logging category configuration.
        Your configuration is saved and the Per-Instance page is refreshed.

Related Topic
    Configuring Per-Instance Security and Log Settings, page 18-30
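The show logging system excerpt under Viewing ADE-OS Logs above records a run of sshd password failures from one host, a syslog "last message repeated 5 times" marker, and then an accepted login from that same host. The following Python example is added here and is not part of the Cisco guide or an ACS feature: it parses lines in that ADE-OS format offline, counts sshd password failures and successes per source address and user, folds the repeat marker into the preceding line's count, and flags a successful login that follows repeated failures, which is the pattern an operator reviewing these logs would want surfaced. The sample lines are a trimmed copy of the excerpt; the failure threshold, the alert wording and the per-process grouping function are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed test input: a trimmed copy of the `show logging system` excerpt
# shown in this section, kept in the same line format.
SAMPLE_LOG = """\
Sep 29 23:24:36 cd-acs5-13-179 sshd[20017]: Failed password for admin from 10.77.137.95 port 3635 ssh2
Sep 30 00:47:46 cd-acs5-13-179 sshd[20946]: Failed password for admin from 10.77.137.95 port 3953 ssh2
Sep 30 00:54:59 cd-acs5-13-179 sshd(pam_unix)[21028]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.77.137.95 user=admin
Sep 30 00:55:01 cd-acs5-13-179 sshd[21028]: Failed password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:35 cd-acs5-13-179 last message repeated 5 times
Sep 30 00:55:39 cd-acs5-13-179 sshd[21028]: Accepted password for admin from 10.77.137.95 port 3962 ssh2
Sep 30 00:55:40 cd-acs5-13-179 debugd[2597]: hangup signal caught, configuration read
Sep 30 02:48:54 cd-acs5-13-179 sshd[22500]: Accepted password for admin from 10.77.137.58 port 4527 ssh2
"""

# Line shape: "<Mon> <day> <hh:mm:ss> <host> [<process>[<pid>]: ]<message>"
# The process prefix is optional so that syslog's bare
# "last message repeated N times" line still parses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def parse_line(line):
    """Split one ADE-OS log line into ts/host/proc/pid/msg. proc and pid are
    None for lines without a process prefix; returns None if the line does
    not look like syslog output at all."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def count_by_process(log_text):
    """Line count per logging process: the same grouping the guide does by
    hand with `show logging system | include MSGCAT` and `| include debug`."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["proc"]:
            counts[rec["proc"]] += 1
    return dict(counts)


def summarize_ssh_auth(log_text, fail_threshold=3):
    """Count sshd password failures and successes per (source, user) and flag
    a success that follows fail_threshold or more failures from that pair.
    A 'last message repeated N times' line directly after an auth line adds N
    to that line's count; in the excerpt that is five further failures before
    the accepted login."""
    failures = defaultdict(int)
    successes = defaultdict(int)
    alerts = []
    last_auth = None  # (result, src, user) if the previous line was an auth line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        rep = REPEAT_RE.match(rec["msg"])
        if rep:
            if last_auth is not None:
                result, src, user = last_auth
                bucket = failures if result == "Failed" else successes
                bucket[(src, user)] += int(rep.group("n"))
            continue  # keep last_auth: another repeat line refers to the same message
        auth = AUTH_RE.match(rec["msg"]) if rec["proc"] == "sshd" else None
        if auth is None:
            last_auth = None
            continue
        key = (auth.group("src"), auth.group("user"))
        if auth.group("result") == "Failed":
            failures[key] += 1
        else:
            successes[key] += 1
            prior = failures.get(key, 0)
            if prior >= fail_threshold:
                alerts.append(
                    f"{key[0]} logged in as {key[1]} after {prior} failed password attempts"
                )
        last_auth = (auth.group("result"), key[0], key[1])
    return {"failures": dict(failures), "successes": dict(successes), "alerts": alerts}


if __name__ == "__main__":
    print(count_by_process(SAMPLE_LOG))
    for alert in summarize_ssh_auth(SAMPLE_LOG)["alerts"]:
        print("ALERT:", alert)
```

The repeat marker is attributed only to the line immediately before it, because that is what syslog's suppression means; any other intervening line resets the association so a repeat of an unrelated message is never counted as an authentication event.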
Configuring Per-Instance Security and Log Settings

You can configure the severity level and local log settings in a logging category configuration for a specific overridden or custom ACS instance. Use this page to:
    - View a tree of configured logging categories for a specific ACS instance.
    - Open a page to configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.

Step 1  Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
        The Per-Instance: Configuration page appears as described in Table 18-23.

Step 2  Do one of the following:
        - Click the name of the logging category you want to configure.
        - Select the radio button associated with the name of the logging category you want to configure, and click Edit.
        The Per-Instance: General page appears. From here, you can configure the security level and local log settings in a logging category configuration for a specific ACS instance. See Table 18-24.

Table 18-23 Per-Instance: Configuration Page

Option: Name
    Expandable tree structure of AAA service logging categories.
Option: Edit
    Click to display a selected Logging Categories > Edit: "lc_name" page, where lc_name is the name of the logging category.
Configuring Per-Instance Remote Syslog Targets

Use this page to configure remote syslog targets for logging categories.

Step 1  Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.
        The Per-Instance: Configuration page appears as described in Table 18-23.

Step 2  Do one of the following actions:
        - Click the name of the logging category you want to configure.
        - Select the radio button associated with the name of the logging category you want to configure, and click Edit.

Step 3  Click the Remote Syslog Target tab.
        The Per-Instance: Remote Syslog Targets page appears as described in Table 18-25.

Table 18-24 Per-Instance: General Page

Configure Log Category
    Option: Log Severity
        Use the list box to select the severity level for diagnostic logging categories. (For audit and accounting categories, there is only one severity, NOTICE, which cannot be modified.) Valid options are:
        FATAL—Emergency. The ACS is not usable and you must take action immediately.
        ERROR—Critical or error condition.
        WARN—Normal, but significant condition. (Default)
        INFO—Informational message.
        DEBUG—Diagnostic bug message.

Configure Local Setting for Category
    Option: Log to Local Target
        Check to enable logging to the local target. For administrative and operational audit logging category types, logging to the local target is enabled by default and cannot be disabled.
    Option: Local Target is Critical
        Usable for accounting and for passed authentication logging category types only. Check the check box to make this local target the critical target. For administrative and operational audit logging category types, the check box is checked by default and cannot be unchecked; the local target is the critical target.
        If you make the local target the critical target and the logging operation fails, the authentication request is rejected and the accounting response is not sent to the device.

Configure Logged Attributes
    Display only. All attributes are logged to the local target.
Displaying Logging Categories

You can view a tree of configured logging categories for a specific ACS instance. In addition, you can configure a logging category's severity level, log target, and logged attributes for a specific ACS instance.

Step 1  Select System Administration > Configuration > Log Configuration > Logging Categories > Per-Instance, then click Configure.

Step 2  Complete the fields as described in Table 18-26.

Table 18-25 Per-Instance: Remote Syslog Targets Page

Configure Syslog Targets
    Option: Available targets
        List of available targets. You can select a target from this list and move it to the Selected Targets list.
    Option: Selected targets
        List of selected targets. You can select a target from this list and move it to the Available Targets list to remove it from your configuration.

Table 18-26 Per-Instance: Configuration Page

Option: Name
    Expandable tree structure of AAA services logging categories.
Option: Edit
    Click to display a selected Logging Categories > Edit: "lc_name" page, where lc_name is the name of the logging category.
Configuring the Log Collector

Use the Log Collector page to select a log data collector and suspend or resume log data transmission.

Step 1  Select System Administration > Configuration > Log Configuration > Log Collector.
        The Log Collector page appears.

Step 2  Complete the Log Collector fields as described in Table 18-27.

Step 3  Do one of the following:
        - Click Suspend to suspend the log data transmission to the configured log collector.
        - Click Resume to resume the log data transmission to the configured log collector.
        Your configuration is saved and the Log Collector page is refreshed.

Viewing the Log Message Catalog

Use the Log Message Catalog page to view all possible log messages.

Select System Administration > Configuration > Log Configuration > Log Message Catalog.

The Log Message Catalog page appears, with the fields described in Table 18-28, from which you can view all possible log messages that can appear in your log files.

Table 18-27 Log Collector Page

Log Data Collector
    Option: Current Log Collector
        Display only. Identifies the machine to which the local log messages are sent.
    Option: Select Log Collector
        Use the drop-down list box to select the machine to which you want local log messages sent.
    Option: Set Log Collector
        Click to configure the log collector according to the selection you make in the Select Log Collector option.

Table 18-28 Log Messages Page

Option: Message Code
    Display only. A unique message code identification number associated with a message.
Option: Severity
    Display only. The severity level associated with a message.
Option: Category
    Display only. The logging category to which a message belongs.
Option: Message Class
    Display only. The group to which a message belongs.
Option: Message Text
    Display only. English language message text (name of the message).
Option: Description
    Display only. English language text that describes the associated message.
Licensing Overview

To operate ACS, you must install a valid license. ACS prompts you to install a valid base license when you first access the web interface. Each ACS instance (primary or secondary) in a distributed deployment requires a unique base license.

Note: Each server requires a unique base license in a distributed deployment.

Types of Licenses

Table 18-29 shows the ACS 5.3 license support.

Table 18-29 ACS License Support

License: Base License
    Required for all software instances deployed, as well as for all appliances. The base license enables you to use all the ACS functionality except license controlled features, and it enables all reporting features.
    The base license is:
        - Required for each ACS instance, primary and secondary.
        - Required for all appliances.
        - Supports deployments with up to 500 managed devices.
    Base licenses are of three types:
        Permanent—Supports up to 500 devices.
        Eval—Supports up to 50 devices and expires in 90 days.
    The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
    If your evaluation license expires or is about to expire, you cannot use another evaluation license or extend your current license. Before your evaluation license expires, you must upgrade to a Permanent license.

License: Add-on Licenses
    Supports an unlimited number of managed devices. Requires an existing ACS permanent base license. There are also evaluation-type licenses for add-on licenses.
    The Security Group Access feature licenses are of three types: Permanent, Eval, and NFR. However, the permanent Security Group Access feature license can be used only with a permanent base license. Also, the large deployment license can be used only with a permanent base license.

License: Evaluation License (standard)
    Enables standard centralized reporting features. Cannot be reused on the same platform. You can only install one evaluation license per platform. You cannot install additional evaluation licenses.
    Supports 50 managed devices. Expires 90 days from the time the license is installed.
Related Topics
    Licensing Overview, page 18-34
    Installing a License File, page 18-35
    Viewing the Base License, page 18-36
    Adding Deployment License Files, page 18-39
    Deleting Deployment License Files, page 18-40

Installing a License File

You can obtain a valid license file using the Product Activation Key (PAK) supplied with the product.

To install a license file:

Step 1  Log into the ACS web interface.
        The Initial Licenses page appears when you log in to the ACS machine for the first time.

Step 2  Click Cisco Secure ACS License Registration.
        This link directs you to Cisco.com to purchase a valid license file from a Cisco representative.

Step 3  Click Install to install the license file that you purchased.
        The ACS web interface log in page reappears. You can now work with the ACS application.

Note: You cannot upgrade a base permanent license. You can only upgrade a base evaluation license.

Related Topics
    Licensing Overview, page 18-34
    Viewing the Base License, page 18-36
    Adding Deployment License Files, page 18-39
    Deleting Deployment License Files, page 18-40
Viewing the Base License

To upgrade the base license:

Step 1  Select System Administration > Configuration > Licensing > Base Server License.
        The Base Server License page appears with a description of the ACS deployment configuration and a list of the available deployment licenses. See Types of Licenses for a list of deployment licenses. Table 18-30 describes the fields in the Base Server License page.
        You can select one or more radio buttons next to the instance whose license you want to upgrade.

Step 2  Click Upgrade. See Upgrading the Base Server License, page 18-37 for valid field options.

Table 18-30 Base Server License Page

ACS Deployment Configuration
    Option: Primary ACS Instance
        Name of the primary instance created when you logged into the ACS 5.3 web interface.
    Option: Number of Instances
        Current number of ACS instances (primary or secondary) in the ACS database.
    Option: Current Number of Configured IP Addresses in Network Devices
        Total number of IP addresses in all the subnetworks that you have configured as part of network device configuration. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
    Option: Maximum Number of IP Addresses in Network Devices
        Maximum number of IP addresses that your license supports:
        Base License—Supports 500 IP addresses. The number of devices is determined by the number of unique IP addresses that you configure. This includes the subnet masks that you configure. For example, a subnet mask of 255.255.255.0 implies 256 unique IP addresses and hence the number of devices is 256.
        Large Deployment—Supports an unlimited number of IP addresses.
    Option: Use this link to obtain a valid License File
        Directs you to Cisco.com to generate a valid license file using the Product Activation Key (PAK).

Base License Configuration
    Option: ACS Instance
        Name of the ACS instance, either primary or secondary.
    Option: Identifier
        Name of the base license.
    Option: License Type
        Specifies the base license type (permanent, evaluation).
    Option: Expiration
        Specifies the expiration date for evaluation licenses. For permanent licenses, the expiration field indicates permanent.
    Option: Licensed to
        Name of the company that this product is licensed to.
    Option: PAK
        Name of the Product Activation Key (PAK) received from Cisco.
    Option: Version
        Current version of the ACS software.
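Both Types of Licenses and Table 18-30 count managed devices by the unique IP addresses implied by the configured network device entries and their subnet masks (a mask of 255.255.255.0 implies 256 addresses). The following Python example is added here and is not part of the Cisco guide or of ACS itself: it computes that count from a constructed list of (address, mask) pairs, merging overlapping entries so each address is counted once (an assumption taken from the guide's wording "unique IP addresses"; the product's own counting may differ), and compares the result with the limits the guide states: 500 for a permanent base license, 50 for an evaluation license, and no limit for the large deployment license. The license type names and the sample device entries are the example's own.

```python
import ipaddress

# Limits as stated in the guide: permanent base license 500 IP addresses,
# evaluation license 50, large deployment add-on unlimited (None).
# The key names are this example's own labels, not ACS identifiers.
LICENSE_LIMITS = {
    "permanent": 500,
    "eval": 50,
    "large_deployment": None,
}

# Constructed sample of network device entries as (IP address, subnet mask).
# The two 10.77.138.x entries overlap on purpose to show de-duplication.
SAMPLE_DEVICES = [
    ("10.77.137.95", "255.255.255.255"),   # one device: 1 address
    ("10.77.138.0", "255.255.255.0"),      # a /24 entry: 256 addresses
    ("10.77.138.10", "255.255.255.255"),   # already inside the /24 above
    ("192.168.50.0", "255.255.255.128"),   # a /25 entry: 128 addresses
]


def device_networks(devices):
    """Turn (ip, mask) pairs into ip_network objects. strict=False accepts an
    entry whose address has host bits set under the given mask."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in devices]


def configured_address_count(devices):
    """Number of unique IP addresses covered by the device entries.
    collapse_addresses() merges overlapping and adjacent networks, so an
    address listed twice is counted once (assumption: the guide's 'unique
    IP addresses' is taken literally)."""
    merged = ipaddress.collapse_addresses(device_networks(devices))
    return sum(net.num_addresses for net in merged)


def check_license(devices, license_type):
    """Compare the configured address count with the limit for a license type.
    headroom is negative when the configuration already exceeds the limit and
    None for the unlimited large deployment license."""
    if license_type not in LICENSE_LIMITS:
        raise ValueError(f"unknown license type: {license_type}")
    configured = configured_address_count(devices)
    maximum = LICENSE_LIMITS[license_type]
    within = maximum is None or configured <= maximum
    return {
        "license_type": license_type,
        "configured": configured,
        "maximum": maximum,
        "within_limit": within,
        "headroom": None if maximum is None else maximum - configured,
    }


if __name__ == "__main__":
    for lic in LICENSE_LIMITS:
        print(check_license(SAMPLE_DEVICES, lic))
```

The sample configuration resolves to 1 + 256 + 128 = 385 addresses once the duplicated 10.77.138.10 entry is folded into its /24, which fits a permanent base license with 115 addresses to spare but is far over the 50-address evaluation limit; a single /24 entry on its own already exceeds that evaluation limit, which is the point the guide's 255.255.255.0 example is making.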